Running HTTP Gateway processes as a non-root user

You can run HTTP Gateway as a non-root user.

About this task

Important:
  • The changes in this procedure do not persist on upgrade. You need to perform the same operations after each upgrade of HTTP Gateway.
  • Running processes as a non-root user prevents HTTP Gateway from listening on a privileged TCP port (1-1023). This may not be a problem if HTTP Gateway is located behind a load-balancer that binds to 443 and redirects to HTTP Gateway on an unprivileged port.
  • When running the HTTP Gateway process as a non-root user, you cannot run ascp as another user by configuring ascpconfig.run_as_user and ascpconfig.run_as_group. That configuration only applies when HTTP Gateway is running as root.

Procedure

  1. As the root user, stop the aspera_httpgateway service:
    service aspera_httpgateway stop
    For a systemd OS, run:
    systemctl stop aspera_httpgateway
  2. Create a system user, such as httpgateway, that you want to run the aspera_httpgateway and ascp processes.
  3. Create a system group, such as httpgateway, and add the user to it.
  4. Change the HTTP Gateway config folder permissions:
    Using the httpgateway group as an example:
    chown root:httpgateway /opt/aspera/httpgateway/config
    chmod 775 /opt/aspera/httpgateway/config
  5. Check if the http-gateway.pid file exists at:

    /opt/aspera/httpgateway/config/http-gateway.pid

    If it exists, delete the file.
  6. Change the permissions of the directory defined in transferconfig.source_file_list_tmpdir (default is /opt/aspera/httpgateway/SendFileListDir) in the gatewayconfig.properties file:
    Using the httpgateway group and the default directory as an example:
    chown root:httpgateway /tmp/SendFileListDir
    chmod 775 /tmp/SendFileListDir
  7. Change the permissions of the log directory defined in ascpconfig.log_dir (default is /opt/aspera/httpgateway/aspera/log) in the gatewayconfig.properties file:
    Using the httpgateway group and the default log directory as an example:
    chown root:httpgateway /opt/aspera/httpgateway/aspera/log
    chmod 775 /opt/aspera/httpgateway/aspera/log
  8. Edit the /etc/systemd/system/multi-user.target.wants/aspera_httpgateway.service file:
    Find the line:
    ExecStart=/bin/bash -ce "/opt/aspera/httpgateway/aspera-httpgateway start > /opt/aspera/httpgateway/httpgateway.log 2>&1"
    Replace the line with:
    ExecStart=/bin/bash -ce "sudo -u httpgateway /opt/aspera/httpgateway/aspera-httpgateway start > /opt/aspera/httpgateway/httpgateway.log 2>&1"
  9. Start the aspera_httpgateway service:
    service aspera_httpgateway start
    For a systemd OS, run:
    systemctl start aspera_httpgateway
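
Because these changes do not persist on upgrade, a repeatable check of steps 4 to 8 is useful before starting the service in step 9. The script below is an added example, not part of the product or its documentation. The function names, the GW_USER, GW_GROUP, SEND_DIR and LOG_DIR variables, and the --run switch are assumptions made for illustration; set SEND_DIR and LOG_DIR if gatewayconfig.properties overrides the defaults.

```shell
#!/bin/sh
# Added example: pre-start audit for the non-root HTTP Gateway procedure.
GW_USER="${GW_USER:-httpgateway}"    # example user from step 2
GW_GROUP="${GW_GROUP:-httpgateway}"  # example group from step 3

# check_dir PATH GROUP: PATH is a directory, group-owned by GROUP, mode 775.
check_dir() {
    [ -n "$(find "$1" -prune -type d -group "$2" -perm 775 2>/dev/null)" ] && return 0
    echo "FAIL $1: expected a directory with group $2 and mode 775"
    return 1
}

# check_no_pid PATH: the pid file from step 5 has been deleted.
check_no_pid() {
    [ ! -e "$1" ] && return 0
    echo "FAIL $1: pid file still present"
    return 1
}

# check_unit FILE USER: ExecStart launches the gateway through "sudo -u USER".
check_unit() {
    grep -q "^ExecStart=.*sudo -u $2 .*aspera-httpgateway start" "$1" 2>/dev/null && return 0
    echo "FAIL $1: ExecStart does not run aspera-httpgateway as $2"
    return 1
}

# audit ROOT: run every check under the path prefix ROOT ("" on a live host).
audit() {
    root=$1; rc=0
    base="$root/opt/aspera/httpgateway"
    check_dir "$base/config" "$GW_GROUP" || rc=1
    check_dir "$root${SEND_DIR:-/opt/aspera/httpgateway/SendFileListDir}" "$GW_GROUP" || rc=1
    check_dir "$root${LOG_DIR:-/opt/aspera/httpgateway/aspera/log}" "$GW_GROUP" || rc=1
    check_no_pid "$base/config/http-gateway.pid" || rc=1
    check_unit "$root/etc/systemd/system/multi-user.target.wants/aspera_httpgateway.service" "$GW_USER" || rc=1
    return "$rc"
}

# Usage on a host (file name is an assumption): sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

A non-zero exit status means at least one step has to be reapplied. On a systemd OS, an edited unit file only takes effect after systemctl daemon-reload.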