Consider this common scenario:
- The applications listen on 8080/8443, but you want to utilise common URLs without ports.
- The applications run as novlua and therefore can not bind to 80 or 443.
This presents a challenge, especially if you wish to use the SuSEfirewall2.
If you correctly edit the /etc/sysconfig/SuSEfirewall2 file and add FW_REDIRECT="0/0,0/0,tcp,80,8080 0/0,0/0,tcp,443,8443", client access appears to work fine until you authenticate, at which point you receive this error:
Turning on debugging in OSP (-Dcom.netiq.idm.osp.logging.level=DEBUG) does not help, as it is purely a network communication issue and as a result there is no useful output.
FW_REDIRECT only sets the nat PREROUTING chain entries, but even manually adding the nat OUTPUT chain entries (see below) doesn't help, as SuSEfirewall2 mangles them completely.
The reason for this is that the applications communicate with each other to validate issued tokens. When this occurs, SuSEfirewall2 treats the traffic as "internal" communication, so it does not pass through the SuSEfirewall2 rules (SuSEfirewall2 is a wrapper for iptables).
There are a few options to work around this issue.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -I OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443
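The point above is that PREROUTING only sees packets arriving from the network, while packets the host generates itself (such as the application calling its own public URL to validate a token) traverse the nat OUTPUT chain instead, so a redirect is needed in both chains. The following script is an added example, not part of the original article or of SuSEfirewall2: it parses the text of `iptables -t nat -S` and reports which of the four expected REDIRECT rules are missing. The two rule listings embedded in it are constructed samples so it runs offline; on a real host you would feed it `$(iptables -t nat -S)` instead.

```shell
#!/bin/sh
# Added example: verify that REDIRECT rules for 80->8080 and 443->8443
# exist in BOTH the nat PREROUTING chain (traffic from the network) and
# the nat OUTPUT chain (locally generated traffic). Input is the output
# of `iptables -t nat -S`; the two samples below are constructed.

# Constructed sample: what FW_REDIRECT alone produces (PREROUTING only).
SAMPLE_PREROUTING_ONLY='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'

# Constructed sample: both chains populated, as the manual rules above do.
SAMPLE_BOTH='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'

# has_redirect RULES CHAIN DPORT TOPORT
# Returns 0 when RULES contains a REDIRECT from DPORT to TOPORT in CHAIN.
has_redirect() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A $2 .*--dport $3 .*-j REDIRECT --to-ports $4( |$)"
}

# count_missing_redirects RULES
# Prints one "missing: ..." line per absent rule to stderr and echoes the
# number of missing rules to stdout (0 means the ruleset is complete).
count_missing_redirects() {
    rules=$1
    missing=0
    for chain in PREROUTING OUTPUT; do
        for pair in 80:8080 443:8443; do
            dport=${pair%%:*}
            toport=${pair##*:}
            if ! has_redirect "$rules" "$chain" "$dport" "$toport"; then
                echo "missing: nat $chain --dport $dport -> $toport" >&2
                missing=$((missing + 1))
            fi
        done
    done
    echo "$missing"
}

# check_redirects RULES
# Returns 0 only when all four redirect rules are present.
check_redirects() {
    [ "$(count_missing_redirects "$1")" -eq 0 ]
}

# Stand-alone run: the FW_REDIRECT-only ruleset lacks the two OUTPUT rules.
if ! check_redirects "$SAMPLE_PREROUTING_ONLY"; then
    echo "FW_REDIRECT-only ruleset is incomplete: local token validation will not be redirected"
fi
if check_redirects "$SAMPLE_BOTH"; then
    echo "full ruleset is complete"
fi
```

On a live system run it as `check_redirects "$(iptables -t nat -S)"`; a non-zero exit tells you the OUTPUT-chain redirects are absent, which is exactly the state FW_REDIRECT leaves you in after a SuSEfirewall2 reload.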