
Comments (7)

routerino avatar routerino commented on May 20, 2024

It seems odd that kubernetes would care that a container exposes lower ports, since the port mapping can be arbitrary. The container runs as an unprivileged user.

Yes, by default the container copies the Caddyfile to /data/Caddyfile; you can put a custom one there to do whatever you like. You can see the startup script here and the default Caddyfile here.

I'll add an environment variable to change the port next release.

from headscale-ui.

lorenzo95 avatar lorenzo95 commented on May 20, 2024

Oh sorry, no. Kubernetes doesn't care about the port. It cares about the requirement of the root permission that is needed with any port under 1024.

Basically, a user without root privileges can't run caddy on port 443. That is no different from any other linux.
Kubernetes will go in and say... hey, this requires root privileges to run so I won't start your container.

I'll give a caddyfile a shot. If I get it working I'll post it.

from headscale-ui.

routerino avatar routerino commented on May 20, 2024

@lorenzo95 the new release is out now, can you set an env variable for a custom port and see if it fixes your problem? see here

from headscale-ui.

lorenzo95 avatar lorenzo95 commented on May 20, 2024

Not all the way yet, no.

It still opens port 80 for acme http verification. I disabled all that and moved the port. Here is my caddyfile that works with the kubernetes baseline security policy enforced:

http://{$DOMAIN}:8080 {
  tls {
    issuer acme {
      disable_http_challenge
      disable_tlsalpn_challenge
    }
  }
  redir / /web
  uri strip_prefix /web
  file_server {
    root /web
  }
}

And then I just pass DOMAIN as an env variable. There might be easier ways but it's my first time using caddy.
Of course self signed certs could stay enabled, that doesn't really interfere with anything.

Here is a link to what I keep referring to in case someone thinks I am crazy ;)
Pod Security Standards

from headscale-ui.

routerino avatar routerino commented on May 20, 2024

> Not all the way yet, no.
>
> It still opens port 80 for acme http verification. I disabled all that and moved the port. Here is my caddyfile that works with the kubernetes baseline security policy enforced:
>
> http://{$DOMAIN}:8080 {
>   tls {
>     issuer acme {
>       disable_http_challenge
>       disable_tlsalpn_challenge
>     }
>   }
>   redir / /web
>   uri strip_prefix /web
>   file_server {
>     root /web
>   }
> }
>
> And then I just pass DOMAIN as an env variable. There might be easier ways but it's my first time using caddy. Of course self signed certs could stay enabled, that doesn't really interfere with anything.
>
> Here is a link to what I keep referring to in case someone thinks I am crazy ;) Pod Security Standards

Ah, I see. caddy opens up port 80 even if port 80 isn't being used by the configuration. That should be a simple adjustment, just default the HTTP port to 8080 and otherwise ignore it.

from headscale-ui.

routerino avatar routerino commented on May 20, 2024

Fixed with 657d929

from headscale-ui.

routerino avatar routerino commented on May 20, 2024

@lorenzo95 the new docker container can set ports for both http and https via environment variables, no custom caddyfile required.

from headscale-ui.
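As an added example (not from this thread or the headscale-ui project), the manifest below shows the deployment shape the discussion converges on: the namespace enforces the Pod Security Standards restricted profile (a superset of baseline), the container runs non-root with all capabilities dropped so it cannot bind 80/443 at all, the web server listens on high ports set through environment variables, and a Service performs the 443 mapping. The image reference and the variable names HTTP_PORT/HTTPS_PORT are assumptions; the thread names neither.

```yaml
# Added example, not from the thread or the headscale-ui project.
# Namespace label enforces the Pod Security Standards "restricted" profile,
# so pods that need root or NET_BIND_SERVICE are rejected at admission.
apiVersion: v1
kind: Namespace
metadata:
  name: headscale-ui
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: headscale-ui
  namespace: headscale-ui
spec:
  replicas: 1
  selector:
    matchLabels: {app: headscale-ui}
  template:
    metadata:
      labels: {app: headscale-ui}
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: headscale-ui
          image: IMAGE_PLACEHOLDER   # set to the headscale-ui image/tag you deploy
          securityContext:
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}   # no NET_BIND_SERVICE: ports < 1024 stay unbindable
          env:
            # Assumed variable names; check the project's README for the real ones.
            - {name: HTTP_PORT, value: "8080"}
            - {name: HTTPS_PORT, value: "8443"}
          ports:
            - {name: http, containerPort: 8080}
            - {name: https, containerPort: 8443}
---
# The Service, not the container, owns the privileged port number.
apiVersion: v1
kind: Service
metadata:
  name: headscale-ui
  namespace: headscale-ui
spec:
  selector: {app: headscale-ui}
  ports:
    - {name: https, port: 443, targetPort: https}
```

With `pod-security.kubernetes.io/enforce: restricted` in place, removing the `capabilities` drop or the `runAsNonRoot` setting makes the admission controller reject the pod, which is a quick way to confirm the policy is actually enforced in your cluster.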
