Windows 10 blocks default Wildfly ports 8080 and 8443


Robert L. Kirby

May 25, 2023, 8:00:46 AM5/25/23
to WildFly
By default, Windows 10 blocks default Wildfly ports 8080 and 8443. Wildfly uses ports 8080 and 8443 to avoid running as a superuser, which can listen on http and https ports 80 and 443, which is not allowed for non-superusers (on MacOS X). Firewall configuration on routers may use port address translation (PAT), sometimes called network address translation (NAT), to map wide area network (WAN) client access of ports 80 and 443 to local area network (LAN) ports 8080 and 8443, the Wildfly defaults.

Unfortunately, a Wildfly application with transport-guarantee set to CONFIDENTIAL in WEB-INF/web.xml will insert port 8443 in https URLs. On the LAN, where port 8080 is part of http URLs, converting to 8443 is appropriate but on the WAN, Windows clients will block outgoing port 8443 by default.

Is there some standalone.xml configuration that could only do rewriting of the https port to 8443 when the original URL explicitly used port 8080 or 8443?

Bob Kirby

Paul Ferraro

May 26, 2023, 2:30:01 PM5/26/23
to WildFly
You can change these socket-bindings to use whichever ports you'd prefer.
The default values for the HTTP and HTTPS socket-bindings will use the jboss.http.port and jboss.https.port system properties, respectively, before defaulting to 8080 and 8443.


Robert L. Kirby

May 27, 2023, 6:46:36 AM5/27/23
to Paul Ferraro, WildFly
I presume that recent Windows versions will block all but official well-known ports to improve client security. Using the well-known ports requires that Wildfly run with superuser privileges, which is dangerous for the server.

Bob Kirby


Paul Ferraro

May 27, 2023, 2:35:29 PM5/27/23
to WildFly
Rereading your original post, I don't think I answered your question.

Is there some standalone.xml configuration that could only do rewriting of the https port to 8443 when the original URL explicitly used port 8080 or 8443?

The configuration that determines the port to which to redirect requests with a CONFIDENTIAL transport guarantee is here:


Assuming that you want such requests to use a client-side redirect to port 443, you need a separate socket-binding.
e.g.
<subsystem xmlns="urn:jboss:domain:undertow:14.0" default-server="default-server" ...>
  <!-- ... -->
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="external-https" ... />
    <https-listener name="https" socket-binding="https" ssl-context="..." ... />
    <!-- ... -->
  </server>
  <!-- ... -->
</subsystem>

<socket-binding-group name="standard-sockets" ...>
  <!-- ... -->
  <socket-binding name="http" port="8080"/>
  <socket-binding name="https" port="8443"/>
  <socket-binding name="external-https" port="443"/>
</socket-binding-group>

Does that answer your original question?
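An added check, not code from the thread or from WildFly, that parses the two fragments above and computes the Location a CONFIDENTIAL redirect will carry. It shows that the target port comes solely from the binding named by redirect-socket, never from the port the client originally used, which is the LAN behaviour reported later in the thread. The config is constructed from Paul's fragments, wrapped in a hypothetical root element so they parse as one document; the ssl-context name is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the undertow and socket-binding fragments from the thread,
# wrapped in a hypothetical <server> root so they parse as one document.
SAMPLE_CONFIG = """
<server>
  <subsystem xmlns="urn:jboss:domain:undertow:14.0" default-server="default-server">
    <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="external-https"/>
      <https-listener name="https" socket-binding="https" ssl-context="placeholder-ssl-context"/>
    </server>
  </subsystem>
  <socket-binding-group name="standard-sockets">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
    <socket-binding name="external-https" port="443"/>
  </socket-binding-group>
</server>
"""

UNDERTOW_NS = "urn:jboss:domain:undertow:14.0"


def socket_binding_ports(root):
    """Map socket-binding name -> port, from the socket-binding-group."""
    return {sb.get("name"): int(sb.get("port")) for sb in root.iter("socket-binding")}


def redirect_port(root, listener_name="default"):
    """Port the named http-listener redirects CONFIDENTIAL requests to.
    Raises if redirect-socket names a binding the group does not define,
    which is the misconfiguration to catch before reloading the server."""
    ports = socket_binding_ports(root)
    for listener in root.iter(f"{{{UNDERTOW_NS}}}http-listener"):
        if listener.get("name") == listener_name:
            target = listener.get("redirect-socket")
            if target not in ports:
                raise ValueError(f"redirect-socket {target!r} has no socket-binding")
            return ports[target]
    raise ValueError(f"no http-listener named {listener_name!r}")


def confidential_redirect(config_xml, host, request_port, path):
    """Location URL a plain-http request to a CONFIDENTIAL resource receives.
    request_port is deliberately unused: Undertow picks the target port from
    redirect-socket alone, so a LAN client that arrived on :8080 is sent to :443."""
    port = redirect_port(ET.fromstring(config_xml))
    port_part = "" if port == 443 else f":{port}"
    return f"https://{host}{port_part}{path}"
```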

Robert L. Kirby

May 28, 2023, 4:25:01 PM5/28/23
to Paul Ferraro, WildFly
Thank you. I tested your answer and it's got the website 90% of where it should be. LAN clients will forward to port 443 rather than port 8443 but the workaround is to depend on loopback in the firewall router rather than accessing the website LAN address directly.

Bob Kirby
