google cloud platform: cannot start java https server


Question

The following simple program:

import com.sun.net.httpserver.HttpsServer;
import java.net.InetSocketAddress;

class SimpleServer {
  public static void main(String[] pArgs) {
    try {
      HttpsServer s = HttpsServer.create(new InetSocketAddress(443), 0);
      System.out.println(" " + s);
    } catch (Exception pE) {
      throw new RuntimeException("Could not create HTTPS server", pE);  
    }
  }
}

will not work inside a Debian VM hosted by google cloud platform (Google Compute Engine - IaaS):

Exception in thread "main" java.lang.RuntimeException: Could not create HTTPS server
    at SimpleServer.main(SimpleServer.java:10)
Caused by: java.net.SocketException: Permission denied
    at sun.nio.ch.Net.bind0(Native Method)
    at sun.nio.ch.Net.bind(Net.java:433)
    at sun.nio.ch.Net.bind(Net.java:425)
    at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:223)
    at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
    at sun.net.httpserver.ServerImpl.<init>(ServerImpl.java:100)
    at sun.net.httpserver.HttpsServerImpl.<init>(HttpsServerImpl.java:50)
    at sun.net.httpserver.DefaultHttpServerProvider.createHttpsServer(DefaultHttpServerProvider.java:39)
    at com.sun.net.httpserver.HttpsServer.create(HttpsServer.java:90)
    at SimpleServer.main(SimpleServer.java:7)

This example will work when running on the Windows desktop, and also if we change the port from 443 to something else. So how do we force google cloud to allow a server on 443? I've tried opening up the firewall, but that did not work (not that it really should have :-( since it's a separate issue).

The java version is (though I doubt this matters):

openjdk version "1.8.0_141"
OpenJDK Runtime Environment (build 1.8.0_141-8u141-b15-1~deb9u1-b15)
OpenJDK 64-Bit Server VM (build 25.141-b15, mixed mode)

Recommended answer

This is not a GCP issue but a Linux/Unix security feature.

Ports below 1024 on Linux/Unix are "privileged ports" which require elevated privileges to create.

As you are in GCP, you have several options.

Use a high port above 1024 as a non-privileged user and:

  • Connect to that high port in your url https://foo:8443
  • Use the GCP network or HTTP/HTTPS load balancer to forward port 443 to a high port
  • Leverage IP tables to forward packets from 443 to a high port inside the VM instance
  • Run the service using suid, sudo or other method
  • Grant the CAP_NET_BIND_SERVICE capabilities(7) to the process.

Those last two options have complex security implications and should be avoided if at all possible.

The following link will cover some of the above options, but the first option will be the simplest while being much safer than the last two options.

https://debian-administration.org/article/386/Running_network_services_as_a_non-root_user .
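
The rule behind the "Permission denied" above, as an added example that is not part of the original answer: on Linux, a bind to a port below the unprivileged threshold succeeds only when the process holds CAP_NET_BIND_SERVICE in its effective capability set, which is what running as root or granting the capability provides. The function names are this example's own; the `ip_unprivileged_port_start` sysctl is read where the kernel offers it (4.11 and later), otherwise the threshold of 1024 from the answer is assumed.

```sh
#!/bin/sh
# Added example: would this process be allowed to bind a given TCP port?

CAP_NET_BIND_SERVICE_BIT=10   # capability number, see capabilities(7)

# has_net_bind_cap HEXMASK: succeeds if the CapEff mask contains CAP_NET_BIND_SERVICE.
has_net_bind_cap() {
  [ $(( (0x${1:-0} >> $CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# can_bind PORT CAPEFF_HEX [FIRST_UNPRIVILEGED_PORT]
# High ports need no privilege; for low ports the capability decides, not the user name.
can_bind() {
  if [ "$1" -ge "${3:-1024}" ]; then return 0; fi
  has_net_bind_cap "$2"
}

# current_capeff: effective capability mask inherited from the calling process.
current_capeff() {
  if [ -r /proc/self/status ]; then
    sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status
  else
    echo 0
  fi
}

# first_unprivileged_port: kernel threshold, falling back to 1024 on older kernels.
first_unprivileged_port() {
  cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# report PORT: print the verdict for the current process.
report() {
  if can_bind "$1" "$(current_capeff)" "$(first_unprivileged_port)"; then
    echo "port $1: bind allowed for this process"
  else
    echo "port $1: bind fails with 'Permission denied'; listen on a high port and forward $1 to it"
  fi
}

report 443
report 8443
```

Run it as the same user that starts the Java server; a "bind fails" verdict for 443 alongside "bind allowed" for 8443 matches the behaviour described in the question.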
