cross-posted from: https://programming.dev/post/39212874
I recently migrated my services from rootful docker to rootless podman quadlets. It went smoothly, since nothing I use actually needs to be rootful. Well, except for caddy. It needs to be able to attach to privileged ports 80 and 443.
My current way to bypass it is using HAProxy running as root and forwarding connections using proxy protocol. (Tried to use firewalld but that makes the client IP opaque to caddy.) But that adds an extra layer, which means extra latency. It’s perfectly usable, but I’d like to get rid of it, if possible.
I’m willing to run caddy in rootful podman if needed. But from what I understand, that means I can’t have it in the same rootless network as my other containers. I really don’t wanna open most of my containers’ ports, so that’s not an option.
So, I’m asking whether any of these three things are possible.
- Use firewalld to forward ports to caddy without obscuring the client’s IP.
- Make rootful caddy share a network with other rootless containers.
- Assign privileged ports to caddy somehow, in rootless mode. (I know there’s a way to make all these ports unprivileged, but is it possible to only assign these 2 ports as unprivileged?)
Or maybe there’s a fourth way that I’m missing. I feel like this is a common enough setup, that there must be a way to do it. Any pointers are appreciated, thanks.
Most people expect a domain to work without adding 8080 as a port number in the URL. Hell, I’d say a majority don’t even know that it’s possible.
You don’t have to add 8080.
You can just remove the restriction if you don’t want it. But that’s just a classical XY problem. OP does not want to use 80, he just doesn’t know that he doesn’t want it because he’s looking for something else.
I’m confused. What do you even mean?