February 5, 2019
This article presents some firewalld commands I use to allow WildFly to work with port 443, the default HTTPS port.
Out of the box, WildFly listens to HTTP/S traffic on ports 8080, 8443, 9990, and 9993. 8080 and 8443 are ports used to serve application content. 8080 handles HTTP and 8443 handles HTTPS. 9990 and 9993 are management ports. 9990 uses HTTP while 9993 uses HTTPS.
When working on Fedora, specifically my Rackspace-hosted instance, these ports were not open to public traffic. What was blocking them was a process called firewalld. firewalld is a firewall that blocks public traffic to the server. By default, the ports that WildFly runs on are not exposed to the public.
To allow the Internet to reach your WildFly instance, use the --add-port option of the firewall-cmd CLI. The following commands add each of WildFly's default ports to the Fedora firewall. You may want to disable HTTP traffic and skip the 8080 and 9990 lines. In my firewall configuration, I have a zone called "public"; yours may be different (say "external").
# sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp
# sudo firewall-cmd --zone=public --permanent --add-port=8443/tcp
# sudo firewall-cmd --zone=public --permanent --add-port=9990/tcp
# sudo firewall-cmd --zone=public --permanent --add-port=9993/tcp
The --permanent flag saves the settings.
To run WildFly on the common 80 or 443 ports, you face a restriction. Ports below 1024 are privileged, and a process must be root in order to bind to them. You never want to run an app server like WildFly as root, since any compromise would lead to complete remote control of the server. Rather, you want to run WildFly as its own user. If it's hacked, that's still bad, but the hack will be limited.
There's no functional benefit to running on 443 versus 8443. However, it makes the URLs prettier and it's one fewer thing for users and external developers to remember. https://bekwam.us/ws/todos is more memorable than https://bekwam.us:8443/ws/todos, though both will work.
You have two options to run on 80 or 443. The first option isn't covered here: use a program like Commons Daemon to start WildFly as the root user and then immediately drop the WildFly process to the WildFly user. I prefer the second option, which is port forwarding.
Port forwarding directs traffic from one port to another. In its general form, this can extend beyond the server itself to other machines. In my case, I'm simply directing 80 to 8080 and 443 to 8443.
# sudo firewall-cmd --zone=public --add-masquerade
# sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
# sudo firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443
I ran a command to set up IP masquerading. This is for allowing an internal LAN server to pretend to be the public IP. I'm not sure if it's specifically needed since I'm dealing with just the server itself.
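As an added check, not part of the original article: a POSIX shell audit that reads the text of firewall-cmd --zone=public --list-all, warns when the management ports 9990/9993 are reachable through the public zone, and confirms the 80 to 8080 and 443 to 8443 forward rules exist. The function names and the embedded sample output are my own constructions, not the article's.

```shell
#!/bin/sh
# Added example: audit a firewalld zone for the WildFly setup described above.
MGMT_PORTS="9990/tcp 9993/tcp"

# Constructed sample of `firewall-cmd --zone=public --list-all` output, as the
# commands in the article would leave it (all four ports opened, two forwards).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 8443/tcp 9990/tcp 9993/tcp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=
	port=443:proto=tcp:toport=8443:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:'

# Print any management port found on the zone's "ports:" line; return 1 if any.
exposed_mgmt_ports() {
    listed=$(printf '%s\n' "$1" | awk -F': ' '/^ *ports:/ {print $2}')
    found=""
    for p in $MGMT_PORTS; do
        for l in $listed; do
            [ "$l" = "$p" ] && found="$found $p"
        done
    done
    found=${found# }
    [ -n "$found" ] && { echo "$found"; return 1; }
    return 0
}

# True if a tcp forward from port $2 to port $3 is listed in the text $1.
# Rules after the first appear on tab-indented continuation lines.
forward_rule_present() {
    printf '%s\n' "$1" | grep -qE "(^|[[:space:]])port=$2:proto=tcp:toport=$3(:|$)"
}

# Full audit of one zone's list-all text; returns 1 on any finding.
audit() {
    rc=0
    bad=$(exposed_mgmt_ports "$1") ||
        { echo "WARN: management ports open to the zone: $bad"; rc=1; }
    for pair in 80:8080 443:8443; do
        forward_rule_present "$1" "${pair%:*}" "${pair#*:}" ||
            { echo "MISSING: forward ${pair%:*}/tcp -> ${pair#*:}"; rc=1; }
    done
    return $rc
}
```

Run it against the live zone with `audit "$(sudo firewall-cmd --zone=public --list-all)"`. Note that the forward-port commands above were issued without --permanent, so they hold only until firewalld restarts; repeat them with --permanent to keep them.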
This article presented some firewalld commands I use when setting up WildFly for public access. While 8080 and 8443 are almost standard, this technique will produce simpler URLs that document better.
By Carl Walker
President and Principal Consultant of Bekwam, Inc