this post was submitted on 17 Oct 2025
4 points (75.0% liked)

Container platforms (docker, lxc, podman)

445 readers
3 users here now

A place to discuss everything related to Container platforms and runtimes. Docker, LXC, Podman, OpenShift, OCI, and more.

founded 2 years ago
MODERATORS
shertson@lemmy.world
4
Assign privileged port to caddy running with rootless podman (programming.dev)
submitted 1 month ago* (last edited 1 month ago) by SinTan1729@programming.dev to c/containers@lemmy.world
4 comments fedilink hide all child comments
 

I recently migrated my services from rootful docker to rootless podman quadlets. It went smoothly, since nothing I use actually needs to be rootful. Well, except for caddy. It needs to be able to attach to privileged ports 80 and 443.

My current way to bypass it is using HAProxy running as root and forwarding connections using proxy protocol. (Tried to use firewalld but that makes the client IP opaque to caddy.) But that adds an extra layer, which means extra latency. It's perfectly usable, but I'd like to get rid of it, if possible.

I'm willing to run caddy in rootful podman if needed. But from what I understand, that means I can't have it in the same rootless network as my other containers. I really don't wanna open most of my containers' ports, so that's not an option.

So, I'm asking whether any of these three things are possible.

  1. Use firewalld to forward ports to caddy without obscuring the client's IP.
  2. Make rootful caddy share a network with other rootless containers.
  3. Assign privileged ports to caddy somehow, in rootless mode. (I know there's a way to make all these ports unprivileged, but is it possible to only assign these 2 ports as unprivileged?)

Or maybe there's a fourth way that I'm missing. I feel like this is a common enough setup, that there must be a way to do it. Any pointers are appreciated, thanks.

top 4 comments
sorted by: hot top controversial new old
[–] d_k_bo@feddit.org 2 points 1 month ago* (last edited 1 month ago) (1 children)

Tried to use firewalld but that makes the client IP opaque to caddy

How did you set up firewalld to do this?

I am using the following rich rules to forward requests to caddy and caddy can see the client IP.

rule family="ipv4" forward-port port="80" protocol="tcp" to-port="8080"
rule family="ipv4" forward-port port="443" protocol="tcp" to-port="8443"
rule family="ipv4" forward-port port="443" protocol="udp" to-port="8443"
rule family="ipv6" forward-port port="80" protocol="tcp" to-port="8080"
rule family="ipv6" forward-port port="443" protocol="tcp" to-port="8443"
rule family="ipv6" forward-port port="443" protocol="udp" to-port="8443"

Make also sure that masquerade: no is set.

[–] SinTan1729@programming.dev 1 points 1 month ago* (last edited 1 month ago) (1 children)

Masquerade was enabled. I need to keep it enabled, since I use it as a Tailscale exit node. Can I just disable it for incoming connections to 443 and 80? I don't want the client to see the internal network.

[–] d_k_bo@feddit.org 2 points 1 month ago (1 children)

Firewalld seems to support more fine-grained masquerade settings using rich rules, but I don't know more about it.

https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html

[–] SinTan1729@programming.dev 1 points 1 month ago

Interesting, seems like I might be able to make it work.