...
Note |
---|
These pages are examples and do not reflect any normative requirements or assumptions on the part of the IdP software and may be a mix of suggestions from both the project team and deployers. You should take any of this advice with a grain of local salt and consider general security/deployment considerations appropriate to the use of web software in your local environment. The official information about containers and versions we support is solely maintained on the SystemRequirements page. If you wish to operate without complete responsibility for your Java servlet container, you may consider the Windows package we provide that installs a version of Jetty with very limited configurability. |
...
One challenge remains: if you want to use standard ports on Linux, you would need to pick one of these options to avoid running as root:

- Use the setuid extension module to support listening on the privileged ports as a non-root user. This extension is now JNA-based, seems to be undocumented at this point, and has not yet been tried, but works fine.
- Use a port forwarding approach (load balancer, iptables rules, etc.).
- Adjust the range of ports considered privileged, if supported by your Linux kernel.
- Use POSIX capabilities to allow use of privileged ports by an unprivileged process, e.g. when using systemd by setting
  AmbientCapabilities=CAP_NET_BIND_SERVICE
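The capabilities option above is the one that keeps the servlet container fully unprivileged apart from the single ability it needs, so it is worth verifying that the running process actually ended up with that capability and nothing more. The following is an added example, not part of the original page or of the Shibboleth or Jetty projects: it prints a systemd drop-in that grants only CAP_NET_BIND_SERVICE to the service, and it parses the capability bitmasks that the kernel reports in /proc/<pid>/status so the result can be checked on a live process. The unit name jetty.service and the user/group jetty are assumptions; the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the Shibboleth wiki or Jetty): a systemd drop-in that
# grants CAP_NET_BIND_SERVICE to a non-root Jetty service, plus a check that
# reads the capability bitmasks of a running process from /proc/<pid>/status.
# Assumed names: jetty.service, user and group "jetty".

# CAP_NET_BIND_SERVICE is capability number 10 (linux/capability.h), i.e. bit 0x400.
CAP_NET_BIND_SERVICE=10

# Print the drop-in that systemd would read from
# /etc/systemd/system/jetty.service.d/override.conf (then: systemctl daemon-reload).
print_dropin() {
cat <<'EOF'
[Service]
User=jetty
Group=jetty
# Grant only the ability to bind ports below 1024; everything else stays unprivileged.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Also cap the bounding set so the process cannot regain other capabilities.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
EOF
}

# has_cap MASK_HEX CAPNUM: succeed if bit CAPNUM is set in a Cap* hex mask
# as printed in /proc/<pid>/status (e.g. "0000000000000400").
has_cap() {
    mask=$((0x$1))
    bit=$((1 << $2))
    [ $(( mask & bit )) -ne 0 ]
}

# cap_field STATUS_TEXT FIELD: extract the hex mask for CapEff, CapAmb, etc.
cap_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# check_proc_status STATUS_TEXT: succeed if the process holds CAP_NET_BIND_SERVICE
# in both its effective and ambient sets. The ambient set is what survives the
# execve() into the unprivileged java binary, so it is the one that matters here.
check_proc_status() {
    eff=$(cap_field "$1" CapEff)
    amb=$(cap_field "$1" CapAmb)
    has_cap "$eff" "$CAP_NET_BIND_SERVICE" && has_cap "$amb" "$CAP_NET_BIND_SERVICE"
}

# check_live_pid PID: run the same check against a real process, e.g.
#   check_live_pid "$(systemctl show -p MainPID --value jetty.service)"
check_live_pid() {
    check_proc_status "$(cat "/proc/$1/status")"
}

# Constructed sample of the Cap* lines for a process started with
# AmbientCapabilities=CAP_NET_BIND_SERVICE (0x400 = bit 10 set).
SAMPLE_OK='CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000400'

# Constructed sample of a plain unprivileged process: no capabilities at all,
# so a bind() to port 443 would fail with EACCES.
SAMPLE_NONE='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
```

After installing the drop-in, `check_live_pid` against the service's MainPID tells you whether the capability actually reached the Java process; if CapAmb is zero the container will still fail to bind, typically because the unit runs a wrapper that drops capabilities or switches user itself rather than letting systemd do it. Keeping CapabilityBoundingSet to the same single capability means that even if something inside the JVM were to be compromised, it cannot pick up any other privilege.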
...