Running HTTP Gateway Processes as a Non-Root User

You can run HTTP Gateway as a non-root user.

About this task

Important:
  • The changes in this procedure do not persist on upgrade. You need to perform the same operations after each upgrade of HTTP Gateway.
  • Running processes as a non-root user prevents HTTP Gateway from listening on a privileged TCP port (1-1023). This may not be a problem if HTTP Gateway is located behind a load-balancer that binds to 443 and redirects to HTTP Gateway on an unprivileged port.

Procedure

  1. As the root user, stop the aspera_httpgateway service:
     service aspera_httpgateway stop
    For a systemd OS, run:
     systemctl stop aspera_httpgateway
  2. Create a system user, such as httpgateway, that you want to run the aspera_httpgateway and ascp processes.
  3. Create a system group, such as httpgateway, and add the user to it.
  4. Change the HTTP Gateway config folder permissions:
    Using the httpgateway group as an example:
    $ chown root:httpgateway /opt/aspera/httpgateway/config
    $ chmod 775 /opt/aspera/httpgateway/config
  5. Check if the http-gateway.pid file exists at:

    /opt/aspera/httpgateway/config/http-gateway.pid

    If it exists, delete the file.
  6. Change the permissions of the directory defined in transferconfig.source_file_list_tmpdir (default is /opt/aspera/httpgateway/SendFileListDir) in the gatewayconfig.properties file:
    Using the httpgateway group and the default directory as an example:
    $ chown root:httpgateway /tmp/SendFileListDir
    $ chmod 775 /tmp/SendFileListDir
  7. Change the permissions of the log directory defined in ascpconfig.log_dir (default is /opt/aspera/httpgateway/aspera/log) in the gatewayconfig.properties file:
    Using the httpgateway group and the default log directory as an example:
    $ chown root:httpgateway /opt/aspera/httpgateway/aspera/log
    $ chmod 775 /opt/aspera/httpgateway/aspera/log
  8. Edit the /etc/systemd/system/multi-user.target.wants/aspera_httpgateway.service file:
    Find the line:
    ExecStart=/bin/bash -ce "/opt/aspera/httpgateway/aspera-httpgateway start > /opt/aspera/httpgateway/httpgateway.log 2>&1"
    Replace the line with:
    ExecStart=/bin/bash -ce "sudo -u httpgateway /opt/aspera/httpgateway/aspera-httpgateway start > /opt/aspera/httpgateway/httpgateway.log 2>&1"
  9. Start the aspera_httpgateway service:
     service aspera_httpgateway start
    For a systemd OS, run:
     systemctl start aspera_httpgateway
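
Because these changes are lost on upgrade, a check script can confirm after each upgrade that steps 4 through 8 are still in effect. The following is an added example, not part of HTTP Gateway or its documentation; the function names and the GW_ROOT, GW_TMPDIR and GW_LOGDIR variables are hypothetical, and it assumes GNU stat and the default directories named in the procedure.

```shell
#!/bin/sh
# Added example, not shipped with HTTP Gateway. GW_ROOT, GW_TMPDIR, GW_LOGDIR
# and the function names are hypothetical; paths come from the procedure above.
GW_ROOT="${GW_ROOT:-}"              # path prefix, empty on a real host
GW_USER="${GW_USER:-httpgateway}"
GW_GROUP="${GW_GROUP:-httpgateway}"

# Steps 4, 6, 7: directory must be group-owned by $GW_GROUP with mode 775.
check_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 1; }
    actual=$(stat -c '%a:%G' "$1")      # GNU stat, e.g. 775:httpgateway
    [ "$actual" = "775:$GW_GROUP" ] && return 0
    echo "BAD     $1 is $actual, expected 775:$GW_GROUP"
    return 1
}

# Step 5: a PID file left behind by the root-run service must be gone.
check_no_pid() {
    [ ! -e "$1" ] && return 0
    echo "STALE   $1 still exists"
    return 1
}

# Step 8: ExecStart must launch the gateway through "sudo -u <user>".
check_unit() {
    grep -q "^ExecStart=.*sudo -u $GW_USER " "$1" 2>/dev/null && return 0
    echo "ROOT    $1 does not start the gateway via sudo -u $GW_USER"
    return 1
}

# Run every check, report all failures, return non-zero if any failed.
verify_gateway() {
    base="$GW_ROOT/opt/aspera/httpgateway"
    rc=0
    check_dir "$base/config" || rc=1
    check_no_pid "$base/config/http-gateway.pid" || rc=1
    # Override these if gatewayconfig.properties sets non-default directories.
    check_dir "${GW_TMPDIR:-$base/SendFileListDir}" || rc=1
    check_dir "${GW_LOGDIR:-$base/aspera/log}" || rc=1
    check_unit "$GW_ROOT/etc/systemd/system/multi-user.target.wants/aspera_httpgateway.service" || rc=1
    return $rc
}

# Run as root with: sh <this file> --run
if [ "${1:-}" = "--run" ]; then verify_gateway; fi
```

Run it with the service stopped (between steps 8 and 9), because the PID file check fails once the gateway has started and written a new PID file.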