On Debian 13:
sudo apt update
sudo apt install openjdk-17-jdk
On RHEL 10:
sudo dnf install java-17-openjdk-devel
Verify:
java -version
sudo useradd --system --home /opt/jetty --shell /usr/sbin/nologin jetty
cd /tmp
curl -LO https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-home/12.1.6/jetty-home-12.1.6.tar.gz
sudo mkdir -p /opt/jetty
sudo tar -xzf jetty-home-12.1.6.tar.gz -C /opt/jetty --strip-components=1
sudo chown -R jetty:jetty /opt/jetty
If the download URL changes, grab the latest jetty-home archive from the Jetty download page.
sudo mkdir -p /opt/jetty-base
sudo chown -R jetty:jetty /opt/jetty-base
sudo -u jetty /bin/sh -c 'cd /opt/jetty-base && /usr/bin/java -jar /opt/jetty/start.jar --add-to-start=server,http'
sudo tee /etc/systemd/system/jetty.service >/dev/null <<'SERVICE'
[Unit]
Description=Eclipse Jetty Web Server
After=network.target
[Service]
Type=simple
User=jetty
Group=jetty
Environment=JETTY_HOME=/opt/jetty
Environment=JETTY_BASE=/opt/jetty-base
Environment=JAVA_HOME=/usr/lib/jvm/java-17-openjdk
WorkingDirectory=/opt/jetty-base
ExecStart=/usr/bin/java -jar /opt/jetty/start.jar
Restart=on-failure
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=true
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
CapabilityBoundingSet=
AmbientCapabilities=
[Install]
WantedBy=multi-user.target
SERVICE
Note: On Debian, you may need to set JAVA_HOME to /usr/lib/jvm/java-17-openjdk-amd64.
If your app needs write access outside /opt/jetty-base, add ReadWritePaths= entries to the service.
Stronger hardening (optional). This limits system access and may require ReadWritePaths for logs or uploads. If Jetty fails to start, remove or relax these:
ProtectSystem=strict
PrivateDevices=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictFileSystems=ext4 xfs
UMask=0077
Enable and start:
sudo systemctl daemon-reload
sudo systemctl enable --now jetty
On UFW:
sudo ufw allow 8080/tcp
On firewalld:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Open http://SERVER_IP:8080 in your browser.
JETTY_BASE.Do you need help or support for Jetty? Feel free to contact us!