Linux Security
When running Mango on Linux, it is generally desirable to expose the web interface on ports 80 (HTTP) and 443 (HTTPS). On Linux only root, or a process holding the CAP_NET_BIND_SERVICE capability, can bind ports below 1024. Rather than running Mango as root, which would hand any vulnerability in Mango or its dependencies full control of the host, the recommended approach is to run Mango as a dedicated non-root user and use iptables to redirect traffic from the privileged ports to Mango's unprivileged ports.
Overview
The recommended setup involves three steps:
- Create a dedicated mango user and install Mango under that user account.
- Configure Mango to listen on unprivileged ports (8080 and 8443).
- Set up iptables rules to forward traffic from ports 80 and 443 to ports 8080 and 8443.
This approach follows the security principle of least privilege: the Mango process runs with only the permissions it needs, reducing the potential impact of any security vulnerability.
Step 1: Create a Dedicated User
Create a system user named mango with its own home directory:
sudo useradd -r -m -d /opt/mango -s /bin/bash mango
Unzip or install the Mango core into the desired location as the mango user:
sudo -u mango unzip mango-core-*.zip -d /opt/mango
Ensure that all Mango files and directories are owned by the mango user:
sudo chown -R mango:mango /opt/mango
Step 2: Configure Mango Ports
Edit the mango.properties file (typically at /opt/mango-data/mango.properties) to configure Mango to listen on unprivileged ports:
web.port=8080
web.host=0.0.0.0
ssl.on=true
ssl.port=8443
These ports (8080 and 8443) do not require root privileges, so the mango user can bind to them directly.
Step 3: Configure iptables Port Forwarding
IPv4 Rules
Set up iptables rules to redirect incoming traffic from the standard web ports to Mango's configured ports:
# Redirect external traffic from port 80 to 8080
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Redirect external traffic from port 443 to 8443
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
# Redirect localhost traffic from port 80 to 8080
sudo iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Redirect localhost traffic from port 443 to 8443
sudo iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
The PREROUTING rules handle traffic arriving from external sources, while the OUTPUT rules handle traffic originating from the local machine (e.g., when accessing http://localhost). Two consequences matter for the rest of the setup: REDIRECT rewrites the destination port before the filter table's INPUT chain sees the packet, so any INPUT firewall rule must accept 8080 and 8443 rather than 80 and 443; and ports 8080 and 8443 remain directly reachable from the network unless you filter them, so the redirect is a convenience, not an access control.
IPv6 Rules
If your server supports IPv6, set up equivalent rules for IPv6 traffic:
# Redirect external IPv6 traffic
sudo ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
sudo ip6tables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
# Redirect localhost IPv6 traffic
sudo ip6tables -t nat -A OUTPUT -d ::1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
sudo ip6tables -t nat -A OUTPUT -d ::1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
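Steps 2 and 3 only work while mango.properties and the REDIRECT targets agree. The script below is an added example, not part of Mango, that derives the IPv4 and IPv6 REDIRECT rules from the ports actually configured in mango.properties and refuses to emit anything if a configured port is privileged. It assumes a Java-style properties file with key=value lines (only the "=" separator is handled), and it reaches iptables/ip6tables through the IPT and IP6T variables so you can dry-run it with IPT=echo IP6T=echo before applying for real as root.

```shell
#!/bin/sh
# Added example, not Mango's own tooling: derive the REDIRECT rules from the
# ports in mango.properties so the NAT targets cannot drift from what Mango
# actually listens on. Assumptions: properties use key=value lines ('#'/'!'
# comments); $IPT/$IP6T name the iptables tools, so IPT=echo IP6T=echo gives
# a dry run you can review before applying for real as root.

PROPS="${PROPS:-/opt/mango-data/mango.properties}"
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

# read_prop KEY FILE: print KEY's value (last definition wins), trimmed.
read_prop() {
    awk -v k="$1" '
        /^[ \t]*[#!]/ { next }                       # comment line
        index($0, "=") == 0 { next }                 # not key=value
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) found = val
        }
        END { if (found != "") print found }' "$2"
}

# is_unpriv_port N: true only for an integer in 1024-65535.
is_unpriv_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# redirect_rules TOOL LOOPBACK FROM TO: the external (PREROUTING) and the
# localhost (OUTPUT) REDIRECT for one port pair. $1 is left unquoted on
# purpose so a value like "sudo iptables" splits into a command.
redirect_rules() {
    $1 -t nat -A PREROUTING -p tcp --dport "$3" -j REDIRECT --to-ports "$4"
    $1 -t nat -A OUTPUT -d "$2" -p tcp --dport "$3" -j REDIRECT --to-ports "$4"
}

# nat_rules_from_props: emit (or apply, depending on $IPT) the IPv4 and IPv6
# rule set for the configured ports. Returns 1 and applies nothing if a port
# is missing or privileged; the 443 rules are skipped unless ssl.on=true.
nat_rules_from_props() {
    [ -r "$PROPS" ] || { echo "cannot read $PROPS" >&2; return 1; }
    http=$(read_prop web.port "$PROPS")
    https=$(read_prop ssl.port "$PROPS")
    ssl_on=$(read_prop ssl.on "$PROPS")
    is_unpriv_port "$http" || { echo "web.port '$http' is not an unprivileged port" >&2; return 1; }
    if [ "$ssl_on" = "true" ]; then
        is_unpriv_port "$https" || { echo "ssl.port '$https' is not an unprivileged port" >&2; return 1; }
    fi
    redirect_rules "$IPT" 127.0.0.1/32 80 "$http"
    redirect_rules "$IP6T" ::1 80 "$http"
    if [ "$ssl_on" = "true" ]; then
        redirect_rules "$IPT" 127.0.0.1/32 443 "$https"
        redirect_rules "$IP6T" ::1 443 "$https"
    fi
}

# Default action is a dry run against a constructed sample configuration;
# `apply` runs the real tools against $PROPS.
case "${1:-dry-run}" in
    apply)
        nat_rules_from_props ;;
    *)
        tmp=$(mktemp)
        printf '# constructed sample\nweb.port = 8080\nssl.on=true\nssl.port=8443\n' > "$tmp"
        ( PROPS="$tmp"; IPT=echo; IP6T=echo; nat_rules_from_props )
        rm -f "$tmp" ;;
esac
```

Run it with no arguments to see the eight rules it would add for the sample file; run it as root with `apply` (or with `IPT="sudo iptables" IP6T="sudo ip6tables"`) to add them for the real mango.properties. The privileged-port check is the point: if someone later sets web.port=80 expecting Mango to bind it directly, the script stops instead of silently creating a redirect to a port nothing listens on.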
Persisting iptables Rules
By default, iptables rules are lost when the server reboots. To persist them across reboots:
On RHEL, CentOS and Fedora systems that manage rules with the iptables service (the iptables-services package; see the Amazon Linux 2 steps below if the command is missing), save the current tables to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables:
sudo service iptables save
sudo service ip6tables save
If firewalld is active it owns the tables and will discard hand-written rules on reload; use one mechanism or the other, not both.
On Amazon Linux 2:
The service iptables save command is not available until the iptables-services package is installed:
sudo yum install iptables-services
sudo systemctl enable iptables
sudo systemctl enable ip6tables
sudo service iptables save
sudo service ip6tables save
On Debian/Ubuntu:
Install the iptables-persistent package:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
Running Mango as a systemd Service
To ensure Mango starts automatically on boot and runs under the mango user, create a systemd service file:
sudo nano /etc/systemd/system/mango.service
Add the following content:
[Unit]
Description=Mango Automation
After=network.target
[Service]
Type=forking
User=mango
Group=mango
WorkingDirectory=/opt/mango
ExecStart=/opt/mango/bin/start-mango.sh
ExecStop=/opt/mango/bin/stop-mango.sh
PIDFile=/opt/mango-data/ma.pid
Restart=on-failure
RestartSec=10
# Hardening: the process cannot gain privileges (no setuid), gets a private
# /tmp, sees /usr, /boot and /etc read-only, and cannot access /home.
# /opt is unaffected, so Mango's install and data directories still work.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable mango
sudo systemctl start mango
Additional Security Measures
File Permissions
Ensure that sensitive configuration files are owned by the mango user and readable by nobody else (the chmod alone locks Mango out if the files are still root-owned):
sudo chown -R mango:mango /opt/mango-data
sudo chmod 600 /opt/mango-data/mango.properties
sudo chmod 700 /opt/mango-data/certificates/
The mango.properties file may contain database credentials and other sensitive information, and the certificates directory contains the HTTPS key material. Restricting access prevents other users on the system from reading this data.
Firewall Configuration
In addition to port forwarding, consider restricting which ports are accessible from the network. Use iptables or firewalld to allow only the ports your deployment needs. Order matters: iptables evaluates rules top to bottom and the first match wins, so every ACCEPT must come before the final DROP, and replies to the server's own outbound connections (DNS, package updates, a remote database) must be accepted explicitly or they are dropped too:
# Loopback (needed for http://localhost and local database connections) and replies to outbound connections
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH for administration (before the DROP rule, or you lock yourself out)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS. The REDIRECT rules rewrite the destination port before
# INPUT sees the packet, so accept 8080/8443 here, not 80/443.
# (This also permits direct connections to 8080 and 8443.)
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
# Allow gRPC if used
sudo iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
# Drop all other incoming traffic
sudo iptables -A INPUT -j DROP
Persist these rules the same way as the NAT rules. If IPv6 is enabled, add the equivalent ip6tables rules and also accept ICMPv6, which IPv6 needs for neighbour discovery; a bare DROP on ip6tables takes the host off the IPv6 network.
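Applying a DROP-terminated rule set over SSH is exactly where the lockout described in the Troubleshooting table happens. The script below is an added example, not part of Mango: it prints the INPUT rules in the order they must be applied, refuses to apply a list in which an ACCEPT is shadowed by an earlier DROP or the SSH port is missing, and arms a rollback timer before touching the chain, so if the session dies the rules are flushed automatically. It assumes the Step 3 REDIRECT rules are in place, which is why the web rules accept Mango's ports (8080/8443) and, going one step beyond the rules above, use conntrack's --ctorigdstport to accept only connections that arrived on 80/443 before NAT rewrote them. IPT is overridable (IPT=echo) for a dry run; the rollback pid file path is an assumption.

```shell
#!/bin/sh
# Added example, not part of Mango: apply the INPUT policy in a safe order
# with an automatic rollback, so a typo cannot lock you out of SSH.
# Assumes the Step 3 REDIRECT rules are in place, which is why the web
# rules match Mango's ports (8080/8443) plus the pre-NAT port 80/443 via
# conntrack rather than --dport 80/443. Override IPT=echo for a dry run.

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-8080}"
HTTPS_PORT="${HTTPS_PORT:-8443}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
ROLLBACK_PID="${ROLLBACK_PID:-/run/mango-fw-rollback.pid}"   # assumed path

# The rule list, in the order it must be applied: loopback and established
# traffic first, then each allowed service, and the DROP strictly last.
# --ctorigdstport matches the port the client connected to before REDIRECT
# rewrote it, so 8080/8443 are only reachable through 80/443.
input_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $HTTP_PORT -m conntrack --ctorigdstport 80 -j ACCEPT
-A INPUT -p tcp --dport $HTTPS_PORT -m conntrack --ctorigdstport 443 -j ACCEPT
-A INPUT -j DROP
EOF
}

# check_order reads rules on stdin and fails if any ACCEPT would be shadowed
# by an earlier DROP, or if the SSH port is not accepted at all.
check_order() {
    awk -v ssh="$SSH_PORT" '
        /-j DROP/   { drop = 1 }
        /-j ACCEPT/ { if (drop) bad = 1
                      if (index($0, "--dport " ssh " ")) ssh_ok = 1 }
        END { exit (bad || !ssh_ok) ? 1 : 0 }'
}

# apply_firewall: arm the rollback timer, replace the INPUT chain, then wait
# for the operator to confirm. If the SSH session survives, run `confirm`;
# otherwise the timer restores ACCEPT-all after $ROLLBACK_SECS seconds.
apply_firewall() {
    input_rules | check_order || { echo "refusing to apply: bad order or no SSH rule" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && $IPT -P INPUT ACCEPT && $IPT -F INPUT ) &
    echo $! > "$ROLLBACK_PID"
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    input_rules | while read -r rule; do $IPT $rule; done
    echo "rules applied; run '$0 confirm' within $ROLLBACK_SECS s or they are rolled back" >&2
}

# confirm_firewall: cancel the pending rollback once you have re-verified SSH.
confirm_firewall() {
    if [ -r "$ROLLBACK_PID" ]; then
        kill "$(cat "$ROLLBACK_PID")" 2>/dev/null || true
        rm -f "$ROLLBACK_PID"
    fi
}

case "${1:-}" in
    apply)   apply_firewall ;;
    confirm) confirm_firewall ;;
    *)       input_rules ;;   # dry run: print what would be applied
esac
```

Run it without arguments to review the rules, then as root `./fw.sh apply`, open a second SSH session to prove you can still log in, and `./fw.sh confirm` to cancel the rollback. Killing the background subshell while it sleeps is enough: the iptables commands after the sleep never execute.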
SELinux Considerations
If SELinux is enabled on your system (common on RHEL/CentOS), you may need to configure it to allow Mango to bind to its ports and access its data directories. Check the SELinux audit log for denials:
sudo ausearch -m AVC -ts recent
If SELinux is blocking Mango operations, you can create a custom policy module or adjust the SELinux booleans as needed. Review any module generated from the audit log before loading it: audit2allow permits exactly what was denied, no more and no less, so a denial caused by a misconfiguration (wrong file ownership, for example) is better fixed than allowed. Avoid disabling SELinux entirely in production.
Limit Resource Usage
Consider using systemd resource limits so a runaway Mango cannot starve the rest of the host:
[Service]
LimitNOFILE=65536
MemoryMax=4G
CPUQuota=200%
These go in the systemd service file to cap file descriptors, memory usage, and CPU consumption. Two of the units are easy to get wrong: CPUQuota is relative to a single CPU, so 100% is one full core and 200% is two (a value such as 80% would throttle Mango to less than one core), and MemoryMax must leave headroom above the JVM's maximum heap (-Xmx) for metaspace, thread stacks and off-heap buffers, otherwise the kernel OOM-kills Mango instead of the JVM reporting an OutOfMemoryError.
Verifying the Configuration
After completing the setup, verify that everything works:
- Check Mango is running as the correct user: ps -o user=,cmd= -p "$(cat /opt/mango-data/ma.pid)" should show mango, not root.
- Verify port forwarding on the host itself: curl -I http://localhost should reach Mango through the OUTPUT rules. Note that localhost may resolve to ::1 before 127.0.0.1, which is why the ip6tables OUTPUT rules are needed as well.
- Test from an external machine: access the server's IP on ports 80 and 443 to confirm the PREROUTING rules work.
- Check iptables rules: sudo iptables -t nat -L -n -v (and sudo ip6tables -t nat -L -n -v) to review the active NAT rules; the packet and byte counters on the REDIRECT rules should increase as you connect.
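The checks above can be scripted from two command dumps, `iptables-save -t nat` and `ss -H -ltn`. The script below is an added example, not Mango's own tooling: it confirms that both REDIRECT rules (PREROUTING and OUTPUT) exist for each port pair, that Mango's ports are actually bound, and warns if some other process already listens on 80 or 443. Taking the dumps as arguments means the same checks run offline against saved output as well as live; the sample dumps at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Mango's own tooling: check a host against the setup
# above from two command dumps, `iptables-save -t nat` and `ss -H -ltn`.
# Taking the dumps as arguments means the same checks run offline against
# saved output as well as live with the `live` argument.

# has_redirect FROM TO DUMP: both the PREROUTING and the OUTPUT REDIRECT
# for FROM -> TO are present in an iptables-save nat dump.
has_redirect() {
    printf '%s\n' "$3" | grep -q -- "^-A PREROUTING .*--dport $1 .*-j REDIRECT --to-ports $2\$" &&
    printf '%s\n' "$3" | grep -q -- "^-A OUTPUT .*--dport $1 .*-j REDIRECT --to-ports $2\$"
}

# listening_ports SS_DUMP: distinct TCP ports in LISTEN state, one per line.
# The local address is column 4 of `ss -H -ltn`; the port follows the last ':'.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# verify_setup NAT_DUMP SS_DUMP [HTTP_PORT] [HTTPS_PORT]: returns 0 only if
# both redirects exist and Mango's ports are bound. A listener on 80/443 is
# only a warning: REDIRECT diverts traffic before it reaches such a process,
# but an unexpected service there is worth investigating.
verify_setup() {
    nat="$1"; ss_out="$2"; http="${3:-8080}"; https="${4:-8443}"; rc=0
    has_redirect 80 "$http" "$nat"   || { echo "FAIL: no REDIRECT 80 -> $http" >&2; rc=1; }
    has_redirect 443 "$https" "$nat" || { echo "FAIL: no REDIRECT 443 -> $https" >&2; rc=1; }
    ports=$(listening_ports "$ss_out")
    for p in "$http" "$https"; do
        printf '%s\n' "$ports" | grep -qx "$p" || { echo "FAIL: nothing listening on $p" >&2; rc=1; }
    done
    for p in 80 443; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "WARN: another process is listening on $p" >&2
        fi
    done
    return "$rc"
}

# Constructed sample dumps (not captured from a real host), used for the
# default self-check; `live` runs against the current machine (needs root).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:8080 *:*
LISTEN 0 50 *:8443 *:*
LISTEN 0 4096 [::]:22 [::]:*'

case "${1:-}" in
    live) verify_setup "$(iptables-save -t nat)" "$(ss -H -ltn)" "${2:-8080}" "${3:-8443}" && echo "OK" ;;
    *)    verify_setup "$SAMPLE_NAT" "$SAMPLE_SS" && echo "sample dumps: OK" ;;
esac
```

Run `sudo ./verify.sh live` after a reboot to confirm the persisted NAT rules came back; the same script with `ip6tables-save -t nat` piped in as the first argument checks the IPv6 side.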
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Mango cannot bind to port 443 (or port 80) | Non-root processes cannot bind to ports below 1024 on Linux | Do not run Mango as root. Instead, use the iptables port forwarding approach described above (redirect 443 to 8443). Alternatively, grant only the CAP_NET_BIND_SERVICE capability: either sudo setcap 'cap_net_bind_service=+ep' /path/to/java, or, when Mango runs under systemd, AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section of the unit. The iptables method is preferred because setcap must be re-applied after Java updates and applies to every program that uses that Java binary, not just Mango. |
| Permission denied on the data directory | The Mango process user does not own the data files | Check file ownership: ls -la /opt/mango-data/. All files and directories should be owned by the mango user and group. Fix with: sudo chown -R mango:mango /opt/mango-data/. Also verify directory permissions allow the mango user to read and write: chmod 750 /opt/mango-data/. |
| SELinux blocking Mango network connections | SELinux policy does not allow the Mango process to open network sockets or bind to its configured port | Check the audit log for SELinux denials: sudo ausearch -m AVC -ts recent. Create a custom SELinux policy to allow the denied operations, reviewing the generated mango-policy.te before loading it: sudo audit2allow -a -M mango-policy && sudo semodule -i mango-policy.pp. If the denial is about the port, check its current label first with sudo semanage port -l \| grep -w 8443: on the stock policy 8443 is already http_port_t (and 8080 is http_cache_port_t), so semanage port -a fails with "already defined" and you need -m instead, e.g. sudo semanage port -m -t http_port_t -p tcp 8080. Port labels only matter if Mango runs in a confined domain; a service started by systemd from /opt normally runs as unconfined_service_t, which is why denials are rare. Do not disable SELinux entirely in production. |
| Mango service fails to start on boot | The systemd service file has incorrect paths, user, or permissions | Check the service status: sudo systemctl status mango. Review the journal for errors: sudo journalctl -u mango -e. Verify the ExecStart path points to the correct start-mango.sh script, the User and Group fields match the Mango installation owner, and the WorkingDirectory exists. |
| iptables rules lost after reboot | The rules were not persisted using the appropriate method for the distribution | Install the persistence package for your distribution and save the rules. On Debian/Ubuntu: sudo apt-get install iptables-persistent && sudo netfilter-persistent save. On RHEL/CentOS: sudo yum install iptables-services && sudo service iptables save. See the "Persisting iptables Rules" section above for distribution-specific instructions. |
| SSH locked out after applying firewall rules | The iptables DROP rule was applied before the SSH ACCEPT rule, SSH was not included in the allowed ports, or the ESTABLISHED,RELATED rule was missing so the existing session's packets were dropped | If you still have console access (physical or cloud provider console), add the SSH rule at the top of the chain: sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT. Always add ACCEPT rules before any DROP rules, and test SSH from a second session before adding the final DROP rule. Before applying a new rule set over SSH, arm a rollback from a root shell first, e.g. (sleep 120 && iptables -P INPUT ACCEPT && iptables -F INPUT) &, and kill that background job once you have confirmed you can still log in. |
Related Pages
- Configuring Mango Properties — Configure mango.properties securely with environment variables for sensitive values
- SSL with Certbot — Obtain free SSL certificates from Let's Encrypt for HTTPS
- Reverse Proxy Configuration — Run Mango behind Nginx or Apache for additional security
- Linux Diagnostic Information — JDK diagnostic tools for troubleshooting Mango on Linux
- Content Security Policy — Add browser-level security headers to the Mango web server