I am working on centos. I have installed openfire for an XMPP server. I am using a virtual machine on Openstack (public server with a floating IP). Due to restrictions and an ACL, port 9090 or 9091 is not available for ingress traffic. The only ports that are configured are 80 and 443.
我正在研究中心。我已经为XMPP服务器安装了openfire。我在Openstack上使用虚拟机(具有浮动IP的公共服务器)。由于限制和ACL,端口9090或9091不可用于入口流量。配置的唯一端口是80和443。
I have tried to configure the iptables by opening port 80, but, this does not seem to make a difference. Even without port 80 being added to the iptable, it still comes up as being open
when I check it using: https://www.yougetsignal.com/tools/open-ports/
我试图通过打开端口80来配置iptables,但是,这似乎没有什么区别。即使没有将端口80添加到iptable,当我使用以下内容检查它时,它仍然会打开:https://www.yougetsignal.com/tools/open-ports/
Therefore, I am trying set openfire admin to listen on port 80 from the cofiguration file, since, of course, I cannot connect to the admin GUI to change it from there. The machine has an Apache web server, which by default listens on port 80. I turned this off using:
因此,我正在尝试设置openfire管理员从配置文件中侦听端口80,因为当然,我无法连接到管理GUI以从那里更改它。该机器有一个Apache Web服务器,默认情况下侦听端口80.我使用以下命令将其关闭:
sudo service httpd stop
When I look at netstat -tulpn | grep 80
, I can see that nothing is listening on port 80, so I can assume nothing else is using port 80.
当我看netstat -tulpn | grep 80,我可以看到没有任何东西在端口80上侦听,所以我可以假设没有其他东西在使用端口80。
I changed the openfire.xml
in opt/openfire/conf/
我在opt / openfire / conf /中更改了openfire.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file stores bootstrap properties needed by Openfire.
Property names must be in the format: "prop.name.is.blah=value"
That will be stored as:
<prop>
<name>
<is>
<blah>value</blah>
</is>
</name>
</prop>
Most properties are stored in the Openfire database. A
property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>80</port>
<securePort>-1</securePort>
</adminConsole>
<locale>en</locale>
<!-- Network settings. By default, Openfire will bind to all network interfaces.
Alternatively, you can specify a specific network interfaces that the server
will listen on. For example, 127.0.0.1. This setting is generally only useful
on multi-homed servers. -->
<!--
<network>
<interface></interface>
</network>
-->
</jive>
When I do netstat -tulpn | grep 80
again, I don't see anything open on 80. I have read something about if openfire isn't started as root, then it cannot listen on anything below port range 1024. Therefore, I ensured I started openfire service with: sudo service openfire start
.
当我做netstat -tulpn | grep 80再次,我没有看到任何打开80.我已经读过一些关于如果openfire没有以root身份启动,那么它无法监听端口范围1024以下的任何内容。因此,我确保我启动了openfire服务:sudo服务openfire开始。
Are there any configurations for openfire that I am missing?
我错过了openfire的配置吗?
1 个解决方案
#1
0
You can preroute your traffic so traffic coming in on port 80 to port 9090. I'm assuming that port 9090 is open.
您可以预先路由您的流量,以便将流量从端口80传入端口9090.我假设端口9090已打开。
You can open port 9090 like so:
您可以这样打开端口9090:
sudo iptables -A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
Save your iptables rules:
保存你的iptables规则:
sudo iptables-save
Then you can add the PREROUTING rule like so:
然后你可以像这样添加PREROUTING规则:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 9090
Check your rules to see if was assigned correctly. Type:
检查您的规则以查看是否已正确分配。类型:
iptables -t nat -L -n
Output should look something like this:
输出应该如下所示:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 9090
Then restart the Openfire service:
然后重启Openfire服务:
sudo service openfire stop
sudo service openfire start
You can even change the port that Apache listens on just to be sure that nothing is using port 80.
您甚至可以更改Apache侦听的端口,以确保没有使用端口80。
You can change this if you go to /etc/httpd/conf/
and then sudo vi httpd.conf
. Once editing the file, you can change the port from 80 to another unused port e.g. 8080. Remember, the other port must be unused if you still want Apache to work.
如果你转到/ etc / httpd / conf /然后转到sudo vi httpd.conf,你可以改变它。编辑文件后,您可以将端口从80更改为另一个未使用的端口,例如8080.请记住,如果您仍希望Apache工作,则必须使用其他端口。
For further reading on PREROUTING, read the following post: https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables
有关PREROUTING的进一步阅读,请阅读以下帖子:https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables
#1
0
You can preroute your traffic so traffic coming in on port 80 to port 9090. I'm assuming that port 9090 is open.
您可以预先路由您的流量,以便将流量从端口80传入端口9090.我假设端口9090已打开。
You can open port 9090 like so:
您可以这样打开端口9090:
sudo iptables -A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
Save your iptables rules:
保存你的iptables规则:
sudo iptables-save
Then you can add the PREROUTING rule like so:
然后你可以像这样添加PREROUTING规则:
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 9090
Check your rules to see if was assigned correctly. Type:
检查您的规则以查看是否已正确分配。类型:
iptables -t nat -L -n
Output should look something like this:
输出应该如下所示:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 9090
Then restart the Openfire service:
然后重启Openfire服务:
sudo service openfire stop
sudo service openfire start
You can even change the port that Apache listens on just to be sure that nothing is using port 80.
您甚至可以更改Apache侦听的端口,以确保没有使用端口80。
You can change this if you go to /etc/httpd/conf/
and then sudo vi httpd.conf
. Once editing the file, you can change the port from 80 to another unused port e.g. 8080. Remember, the other port must be unused if you still want Apache to work.
如果你转到/ etc / httpd / conf /然后转到sudo vi httpd.conf,你可以改变它。编辑文件后,您可以将端口从80更改为另一个未使用的端口,例如8080.请记住,如果您仍希望Apache工作,则必须使用其他端口。
For further reading on PREROUTING, read the following post: https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables
有关PREROUTING的进一步阅读,请阅读以下帖子:https://askubuntu.com/questions/579231/whats-the-difference-between-prerouting-and-forward-in-iptables