Security consideration; Bind high port instead of 80 in Apache httpd
Hi all
Just wanted to point out that it would be better to bind a common high port like 8080 instead of a privileged port like 80. Also see my other issue (#109) regarding the use of a non-root user.
Benefit: Unprivileged application in userspace.
Thank you Sascha
Does this really make much difference in a network namespace sitting on a private (internal) network with a non-public IP?
I'm generally a big fan of https://github.com/moby/moby/issues/8460#issuecomment-312459310, wherein one uses --sysctl net.ipv4.ip_unprivileged_port_start=0 to instruct the kernel that there's no such thing as "privileged" ports since the nature of Docker's operation makes them kind of a moot point and it's trivial to bind from port 8080 on the host to port 80 in a container via something like -p 8080:80 when doing the forwarding.
@tianon by default, OpenShift does not allow root nor privileged port. That's why these 2 issues.
Feel free to PR; lately I have less time to take care of these topics, so I'd be happy to receive help from the community, or even if a community member would step in to help maintain this image.
Docker and Moby port forwarding is container runtime engine specific. It should be assumed that the container runtime could be anything. Choosing a high port is native for applications. Choosing a low system port is uncommon if you are not running system services. In this context we are running an application instead of a system service.
I might try creating a PR if I can find free time to do so. Other volunteers are very welcome.
You could also use the FPM container that runs on port 9000.
I think this is out-of-scope of this image and affects the httpd base image.
You can also achieve this by mounting a custom config: https://github.com/docker-library/docs/tree/master/httpd#configuration
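The custom-config route mentioned above means editing the `Listen` directive (and any `<VirtualHost *:80>` block) before the file is mounted into the container. The script below is an added example, not code from this thread or from the docker-library project: it rewrites those directives from one port to another in a POSIX shell, and then checks that no active `Listen` directive remains on a privileged port (below 1024), which is the condition a non-root httpd process actually has to satisfy. The sample `httpd.conf` fragment and the file paths are constructed here for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the docker-library/php project).
# Rewrites the port in "Listen" and "<VirtualHost ...:PORT>" directives of an
# httpd.conf and verifies that only unprivileged ports (>= 1024) are listened on,
# so the resulting config can be mounted into a container running as non-root.

# Constructed sample: the relevant lines of a stock httpd.conf, abbreviated.
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local/apache2"
Listen 80
#Listen 12.34.56.78:80
<VirtualHost *:80>
    ServerName example.invalid
</VirtualHost>
EOF
}

# rewrite_port CONF OLD NEW
# Changes "Listen OLD", "Listen addr:OLD" and "<VirtualHost addr:OLD>" to NEW.
# Commented-out lines (leading '#') are deliberately left untouched.
rewrite_port() {
    conf="$1"; old="$2"; new="$3"
    sed -i.bak -E \
        -e "s/^([[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?)${old}([[:space:]]+.*)?$/\1${new}\3/" \
        -e "s/^([[:space:]]*<VirtualHost[[:space:]]+[^>[:space:]]*:)${old}>/\1${new}>/" \
        "$conf"
    rm -f "$conf.bak"
}

# listens_only_unprivileged CONF
# Returns 0 when every active Listen directive uses a port >= 1024, else 1.
# This is the check to run before shipping a config for a non-root container.
listens_only_unprivileged() {
    conf="$1"
    ports=$(sed -n -E 's/^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?([0-9]+).*/\2/p' "$conf")
    for p in $ports; do
        [ "$p" -ge 1024 ] || return 1
    done
    return 0
}

# Stand-alone demonstration on the constructed sample.
demo_conf="${TMPDIR:-/tmp}/httpd-port-demo-$$.conf"
make_sample_conf "$demo_conf"
if listens_only_unprivileged "$demo_conf"; then
    echo "before: only unprivileged ports (unexpected for the stock sample)"
else
    echo "before: privileged Listen port present, rewriting 80 -> 8080"
fi
rewrite_port "$demo_conf" 80 8080
if listens_only_unprivileged "$demo_conf"; then
    echo "after: config is safe for a non-root httpd"
fi
cat "$demo_conf"
rm -f "$demo_conf"
```

Once the rewritten file is mounted over the image's `httpd.conf`, the container only needs `-p 8080:8080` (or whatever host port you prefer) and a non-root user; the host-side remap in `-p` does not change which port the process inside the container has to bind, which is why the `Listen` directive itself must move.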
Not out of scope in my opinion. As containers are more frequently deployed in a managed environment, like OpenShift, this is an unnecessary obstacle. Spent hours trying to do a quick test deploy of this image this week, as our project manager wanted to check it out. Did not expect the problems I got. Learned the hard way that restricted ports can't be remapped. Never tried that before as we usually don't use them.
Allowing a configurable port number would help users with host networking, who may already have something else running on port 80.
Closing due to https://github.com/docker-library/php/issues/94