
OS X 10.7 Lion Server still uses ports 80 and 443 even when not hosting websites

posted Dec 17, 2011, 7:13 PM by Ian Curtinsmith   [ updated Dec 17, 2011, 11:08 PM ]
So by now you have had no choice: that Mac mini server you got will not run anything but 10.7 Server, and kicking and screaming you enter the world of 10.7 Lion Server.

Straight off the bat: if you don't have to run 10.7 Server, don't! There are major issues, and as of this post (10.7.2 was out) many things were not fit for production, not to mention the fact that 10.7 Server no longer does print services, FTP, PPTP VPN, MySQL, Tomcat, Axis, or QTSS. Workarounds for some of these perhaps in another post, but almost all require a high level of command line experience.

But I will concentrate on one of the shortfalls you will face: Apache, the web service built into 10.7 Lion Server. The catch here is that it is ALWAYS on. Even if you turn off web sharing in the server tools, going to https://127.0.0.1 or http://127.0.0.1 will still give you a simple webpage.

The issue here is that no matter what you do, ports 80 and 443 are still in use. This becomes a very big issue when installing 3rd party programs on the server that need these ports. Examples include FileMaker Server with web hosting, or Kerio Connect, which uses these ports for ActiveSync and webmail. These programs will not operate correctly, as they will complain that the port is already in use.

Kerio have released a knowledge base article at http://kb.kerio.com/article/cannot-start-http-services-on-os-x-lion-server-636.html that tells you how to get around the problem.

Simply put, as of 10.7.2 Server the only option you really have is to turn off the Apache server on Lion Server via the terminal, so that other programs that need these ports will work.

In the terminal program type 

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

From that point on the pre-installed version of Apache will no longer load at boot.

There are some big downsides to this. Wikis will no longer work, Profile Manager will not work, and you can't run any other websites on the server using Apple's built-in web service.

If you ever need to reverse what you have done, in the terminal type

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
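
To confirm what is holding ports 80 and 443 before and after the launchctl commands above, the listening sockets can be checked with lsof. The script below is an added example, not part of the original post or of Kerio's article: it filters lsof output for the given ports, and its function names and sample lsof output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which processes listen on given TCP ports.
# Reads `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and prints one
# "port command user" line per distinct listener on the wanted ports.
listeners_on_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ports[w[i]] = 1 }
        $NF == "(LISTEN)" {
            # NAME column looks like *:80, 127.0.0.1:443 or [::1]:80
            k = split($(NF - 1), a, ":")
            key = a[k] " " $1 " " $3
            if ((a[k] in ports) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Exit status 0 when nothing listens on the wanted ports, 1 otherwise.
ports_are_free() {
    [ -z "$(listeners_on_ports "$@")" ]
}

# Constructed sample (not captured from a real server): web sharing is
# switched off in the GUI, yet httpd still holds both ports.
sample_before() {
    cat <<'EOF'
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd    1 root  21u IPv6 0x0a01      0t0  TCP *:22 (LISTEN)
httpd     71 root   4u IPv6 0x0a02      0t0  TCP *:80 (LISTEN)
httpd     71 root   5u IPv6 0x0a03      0t0  TCP *:443 (LISTEN)
httpd    212 _www   4u IPv6 0x0a02      0t0  TCP *:80 (LISTEN)
httpd    212 _www   5u IPv6 0x0a03      0t0  TCP *:443 (LISTEN)
EOF
}

# Constructed sample after the launchctl unload: httpd is gone.
sample_after() {
    cat <<'EOF'
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd    1 root  21u IPv6 0x0a01      0t0  TCP *:22 (LISTEN)
EOF
}

# On the server itself, feed real lsof output to the same filter.
live_listeners() {
    sudo lsof -nP -iTCP -sTCP:LISTEN | listeners_on_ports 80 443
}

sample_before | listeners_on_ports 80 443
if sample_after | ports_are_free 80 443; then echo "80 and 443 are free"; fi
```

Run live_listeners on the server before installing the 3rd party product; an empty result means nothing is bound to either port.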

There are other ways you can approach this, but no "real" solution.

* Change the ports on the FileMaker server or Kerio mail server to a non-standard port. But that means manually defining the ports when checking email or loading a website. Example: HTTPS to 8843.

* Change the ports as above, coupled with inbound port mapping on the firewall. Example: map port 443 on the firewall to 8443 on the Lion server. This has some drawbacks if your firewall can't do mapped IPs. That is, if your firewall uses NAT to forward a port from its external IP to the internal IP of your server, and from inside your network you can't type the external IP of the firewall and reach the internal IP it is mapped to, this will cause you issues. The end result may be that external people can reach the mail server at https://203.5.xxx.xxx but internal people on the local network can't, so they have to use https://192.168.1.1:8443. This is not ideal at all, as you don't want to reconfigure your mail program each time you leave the office.

* Look at setting up a proxy server that forwards requests. This is actually a nice solution when you need Apple's services to run as well, but it is not a 100% working solution. One example is Entourage, which has issues sending email using port 443 behind a proxy. Someone has already created a nice how-to guide here: https://grahamgilbert.com/2011/11/kerio-connect-vs-web-servies-in-lion-server/

* Manually modify the Apache configs in Lion and discontinue the use of any GUI. See http://support.apple.com/kb/HT4813

Quick synopsis:

Currently you really only have 2 choices if you want to run 3rd party services such as Kerio Connect and want them to work 100%:

1) Turn off Apple's web service and no longer use Apple's services
2) Start brushing up on your hard core command lines, no longer use Apple's GUI, and do everything by hand

If anyone else thinks it's strange that a server product that is far cheaper to purchase now, and was meant to be pitched at the entry level mum and dad market, is now actually harder to set up and requires a far greater understanding of the way servers work, you are not alone :)


