
Run the Edge Encryption proxy server on Linux on a privileged port as a non-privileged user

 

Overview


The Edge Encryption proxy server runs as a service on Windows and as a daemon on Linux. On Linux only root (or a process holding the CAP_NET_BIND_SERVICE capability) can bind a port below 1024, so a proxy that has to listen on 443 or 80 would normally have to run as root. To install the proxy as a daemon that listens on a privileged port while still running under a non-privileged account, use authbind: its setuid-root helper performs the bind on behalf of a user who has been granted that specific port, and nothing else in the proxy runs with elevated privileges. Authbind is packaged by most distributions. If using CentOS 6 or below, you must compile authbind manually.

After installing and configuring authbind, you can optionally use the example scripts below to start the proxy automatically at boot.

 

Install authbind and configure the proxy server


  1. Install authbind.
    • To install authbind on Ubuntu and other Debian-based systems, run: sudo apt-get install authbind
    • To install authbind on Fedora and other RPM-based systems, run: sudo yum install authbind
    • CentOS 6 and below has no authbind RPM. Compile it manually using the instructions in the next section.
  2. Create the authbind port permission file for each privileged port the proxy will listen on. authbind lets a user bind port N when the file /etc/authbind/byport/N exists and is executable by that user; the file's contents do not matter, so an empty file is enough.
    • File path for port 443: /etc/authbind/byport/443
    • File path for port 80: /etc/authbind/byport/80
  3. Make the proxy service user the owner of each file (USER is the non-privileged account the proxy runs as): sudo chown USER:USER /etc/authbind/byport/443
  4. Restrict the permissions so only that user can use the file, keeping the execute bit that authbind checks for: sudo chmod 500 /etc/authbind/byport/443
     Create files only for the ports the proxy actually needs; every byport file is a standing grant of that port to the user.
  5. Configure the proxy server properties file to listen on port 80 and/or 443.
    1. Navigate to <proxy install directory>/conf/edgeencryption.properties
    2. Configure the following properties as needed:
      • edgeencryption.proxy.http.port
      • edgeencryption.proxy.https.port
  6. Because authbind as used here handles IPv4 only, configure the Edge Encryption proxy server wrapper file so the JVM uses the IPv4 stack. Without this the JVM opens a dual-stack (IPv6) socket by default, which authbind does not authorize, and the bind fails.
    1. Navigate to <proxy install directory>/conf/wrapper.conf
    2. Add the following to the wrapper.conf file:
      #Authbind only supports IPv4. Do not use IPv6.
      #Use the next available numeral for the following parameter.
      #For example if the previous parameter is numbered wrapper.java.additional.3
      #then this should be numbered wrapper.java.additional.4
      wrapper.java.additional.*=-Djava.net.preferIPv4Stack=true
  7. Launch the Edge Encryption proxy server as the service user, not as root (--deep makes the port grant apply to the wrapper and JVM processes that startup.sh forks): authbind --deep ./startup.sh
  8. Confirm the proxy is listening and that the JVM runs as the service user: sudo ss -ltnp | grep ':443 ' and ps -C java -o user=,args=
Tip: To run the proxy server automatically at boot, use the init.d or systemd templates described in the sections below. Newer distributions use systemd; legacy systems use init.d, and many support both. The init.d method is being phased out by major distributions.
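The steps above, as an added shell example that is not ServiceNow's code and not part of the original article. authbind_allow creates and locks down a byport file the way steps 2 to 4 describe, authbind_check reports whether a given user would pass authbind's test for that port, and wrapper_prefer_ipv4 appends the preferIPv4Stack property from step 6 as the next free wrapper.java.additional.N index. The three function names are hypothetical; only the byport path and the property key format come from the page. The byport directory is an optional third argument so the helpers can be tried in a scratch directory as an ordinary user; against the real /etc/authbind/byport they need root.

```shell
#!/bin/sh
# Added helpers for the authbind procedure. Not ServiceNow's code; the
# function names are hypothetical. The /etc/authbind/byport layout and
# the wrapper.java.additional.N key format are taken from the article.

# authbind_allow PORT USER [BYPORT_DIR]
# Creates the per-port permission file authbind consults. Its content is
# irrelevant: authbind only requires that the file exist and be executable
# by the user trying to bind. The file is left empty, owned by the service
# user and set to mode 500 (owner read+execute, nothing for anyone else).
authbind_allow() {
    port=$1; user=$2; dir=${3:-/etc/authbind/byport}
    case "$port" in
        ''|*[!0-9]*) echo "authbind_allow: not a port number: '$port'" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
        # Ports >= 1024 need no privilege; a byport file there only widens
        # what the user may bind through authbind for no benefit.
        echo "authbind_allow: $port is not a privileged port" >&2
        return 2
    fi
    f="$dir/$port"
    mkdir -p "$dir" || return 1
    : > "$f" || return 1
    chown "$user:$user" "$f" || return 1
    chmod 500 "$f" || return 1
}

# authbind_check PORT USER [BYPORT_DIR]
# Verifies what the procedure sets up: the byport file exists, is owned by
# USER and has the owner-execute bit. (authbind itself only needs USER to be
# able to execute the file; this check is the stricter one the page's
# chown/chmod steps produce.) Useful before debugging "Permission denied".
authbind_check() {
    port=$1; user=$2; dir=${3:-/etc/authbind/byport}
    f="$dir/$port"
    [ -f "$f" ] || { echo "authbind_check: no byport file for port $port" >&2; return 1; }
    [ -n "$(find "$f" -user "$user" -perm -100 2>/dev/null)" ] || {
        echo "authbind_check: $f is not owned and executable by $user" >&2
        return 1
    }
}

# wrapper_prefer_ipv4 WRAPPER_CONF
# Appends -Djava.net.preferIPv4Stack=true as the next free
# wrapper.java.additional.N entry, as step 6 instructs (the Java Service
# Wrapper wants consecutive indexes). Prints the index it used; prints
# nothing and succeeds if the flag is already configured.
wrapper_prefer_ipv4() {
    conf=$1
    [ -f "$conf" ] || { echo "wrapper_prefer_ipv4: missing $conf" >&2; return 1; }
    if grep -q '^wrapper\.java\.additional\.[0-9][0-9]*=-Djava\.net\.preferIPv4Stack=true' "$conf"; then
        return 0
    fi
    # Highest index among active (uncommented) entries. Keys such as
    # wrapper.java.additional.2.stripquotes are not indexes and are
    # skipped because '=' must follow the number directly.
    last=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$conf" | sort -n | tail -n 1)
    next=$(( ${last:-0} + 1 ))
    {
        echo '#Authbind only supports IPv4. Do not use IPv6.'
        echo "wrapper.java.additional.$next=-Djava.net.preferIPv4Stack=true"
    } >> "$conf" || return 1
    echo "$next"
}
```

Typical use as root, with placeholder values: authbind_allow 443 edgeproxy && authbind_check 443 edgeproxy, then wrapper_prefer_ipv4 /opt/edge/conf/wrapper.conf. The port range guard matters because authbind will happily honour a byport file for any port; restricting grants to the two ports the proxy needs keeps the service user's standing privilege minimal.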

 

Compile authbind manually for CentOS 6 and below


 If using CentOS 6 or below, you must compile authbind manually and package it as an RPM. The build needs the rpm-build package plus gcc and make.

  1. Clone the packaging repository that provides the spec file (GitHub no longer serves Subversion checkouts, so use git): git clone https://github.com/tootedom/authbind-centos-rpm.git
  2. Make a build folder: mkdir -p /root/rpmbuild
  3. Copy the spec and sources into it (the authbind directory is the one the old Subversion checkout exposed under trunk/): cp -R authbind-centos-rpm/authbind/* /root/rpmbuild/
  4. Go to the rpmbuild SOURCES folder and get the authbind tarball.
    cd /root/rpmbuild/SOURCES
    wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
    The download is plain HTTP, so before building compare the tarball's SHA-256 with the value in Debian's signed authbind_2.1.1.dsc. The Debian pool only keeps current versions; if 2.1.1 has been removed, fetch the same files from snapshot.debian.org.
  5. Rename the tarball to the name the spec expects and build.
    mv authbind_2.1.1.tar.gz authbind-2.1.1.tar.gz
    cd ../
    rpmbuild -v -bb --clean SPECS/authbind.spec

    The RPM is built and available at /root/rpmbuild/RPMS/x86_64/authbind-2.1.1-0.1.x86_64.rpm

  6. Install the RPM package.
    cd /root/rpmbuild/RPMS/x86_64/
    rpm -Uvh authbind-2.1.1-0.1.x86_64.rpm

      


Define an Edge Encryption proxy server init.d script 


You can use an init.d script to automatically start the proxy server at boot. An init.d script itself runs as root, so the script below switches to the non-privileged service user before calling startup.sh; if it called startup.sh directly, the whole proxy would run as root and authbind would serve no purpose.

Note: The init.d method is being phased out by many major distributions. Newer distros use systemd. For that method, see the systemd service file section below.




  1. Complete the steps in the Install authbind and configure the proxy server section.
  2. Create the following file: /etc/init.d/edge
  3. In the file, define the following script. Change the PROXY_USER and PROXY_HOME variables as needed.
    #!/bin/bash

    # This init.d script takes care of starting and stopping
    # the ServiceNow Edge Encryption proxy (edgeencryption).
    #
    # chkconfig: 2345 80 20
    # description: ServiceNow Edge Encryption proxy.
    # processname: jsw, java

    ### BEGIN INIT INFO
    # Provides: edge_proxy
    # Required-Start:
    # Required-Stop:
    # Should-Start:
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: edge_proxy
    # Description: ServiceNow Edge Encryption Proxy
    ### END INIT INFO

    # Source LSB function library (present on Debian-based systems and on
    # RHEL/CentOS with redhat-lsb-core installed).
    [ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions

    # Source networking configuration (RHEL/CentOS only; the file does not
    # exist on Debian-based systems).
    [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network

    # Change these to match your installation. PROXY_USER is the
    # non-privileged account that owns the /etc/authbind/byport files.
    PROXY_USER="USER_NAME"
    PROXY_HOME="<PROXY INSTALL DIRECTORY>/proxy-daemon_443"

    start() {
    # Start Edge Proxy as the service user, never as root. --deep makes the
    # authbind port grant apply to the wrapper and JVM that startup.sh forks.
    # Path to startup.sh script MUST be in double quotes.
    su -s /bin/bash "$PROXY_USER" -c "/usr/bin/authbind --deep \"$PROXY_HOME/startup.sh\""
    }

    stop() {
    # Stop Edge Proxy as the same user that started it.
    su -s /bin/bash "$PROXY_USER" -c "\"$PROXY_HOME/shutdown.sh\""
    }

    case "$1" in
    start)
    start
    ;;
    stop)
    stop
    ;;
    restart)
    stop
    start
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 2
    ;;
    esac

    exit 0

  4. Make the script executable: sudo chmod 755 /etc/init.d/edge
  5. Enable the service. On Debian-based systems: sudo update-rc.d edge defaults. On RHEL/CentOS: sudo chkconfig --add edge
  6. Start the service: sudo service edge start
  7. Confirm the JVM runs as the service user and not as root: ps -C java -o user=,args=
  8. Stop the service: sudo service edge stop
  9. Restart the service: sudo service edge restart

 

Define an Edge Encryption proxy server systemd service file


You can use a systemd service file to automatically start the proxy server at boot. The unit runs the proxy under User=, so the JVM never has root privileges; authbind supplies only the port bind.

  1. Complete the steps in the Install authbind and configure the proxy server section.
  2. Create the following file: /etc/systemd/system/edge.service
    In the file, define the following unit. Change the variables as needed.
    # This unit file takes care of starting and stopping
    # the ServiceNow Edge Encryption proxy (edgeencryption).

    [Unit]
    Description=ServiceNow Edge Encryption proxy
    # Make sure it launches after MySQL.
    # Necessary if you use tokenization.
    After=mysql.service

    # Service type is forking since the startup script forks off
    # other processes.
    # Replace USER_NAME with your service user: the same account that
    # owns the /etc/authbind/byport files.
    [Service]
    Type=forking
    User=USER_NAME

    # Set the path to your startup and shutdown scripts, inclusive.
    # Path to startup.sh script MUST be in double quotes
    ExecStart=/usr/bin/authbind --deep "/PATH/TO/YOUR/PROXY/INSTALL/startup.sh"
    ExecStop=/PATH/TO/YOUR/PROXY/INSTALL/shutdown.sh

    SyslogIdentifier=edge_proxy

    # Define restart behavior.
    # Choices are: no, on-success, on-failure, on-abnormal, on-watchdog, on-abort, or always.
    # https://www.freedesktop.org/software/systemd/man/systemd.service.html
    Restart=always
    RestartSec=4

    # Do not add NoNewPrivileges=true to this unit. authbind relies on a
    # setuid-root helper, and NoNewPrivileges stops setuid binaries from
    # gaining privilege, so the bind would fail with permission denied.

    # Launch the service when in multi-user mode.
    [Install]
    WantedBy=multi-user.target
  3. Reload systemd so it reads the new unit: sudo systemctl daemon-reload
  4. Enable the service: sudo systemctl enable edge.service
  5. Start the service: sudo systemctl start edge.service
  6. Check it: sudo systemctl status edge.service, and confirm with ps -C java -o user=,args= that the JVM runs as USER_NAME.
  7. Stop the service: sudo systemctl stop edge.service

Note: On systemd 229 and later you can drop authbind entirely by granting the service the one capability it needs, AmbientCapabilities=CAP_NET_BIND_SERVICE, with ExecStart pointing directly at startup.sh. That also removes the IPv4-only restriction. Either way keep User= set; never work around the port restriction by running the proxy as root.

 

 

Article Information

Last Updated:2017-10-16 13:17:54
Published:2017-06-09