Security consideration; Bind high port instead of 80 in Apache httpd

[sspreitzer]

Hi all

Just wanted to point out that it would be better to bind a common high port like 8080 instead of a priviliged port like 80.
Also see my other issue (#109) regarding the use of a non-root user.

Benefit: Unprivileged application in userspace.

Thank you
Sascha

[tianon]

Does this really make much difference in a network namespace sitting on a private (internal) network with a non-public IP?

I'm generally a big fan of moby/moby#8460 (comment), wherein one uses --sysctl net.ipv4.ip_unprivileged_port_start=0 to instruct the kernel that there's no such thing as "privileged" ports since the nature of Docker's operation makes them kind of a moot point and it's trivial to bind from port 8080 on the host to port 80 in a container via something like -p 8080:80 when doing the forwarding.

[pierreozoux]

@tianon by default, OpenShift does not allow root nor privileged port. That's why these 2 issues.

Feel free to PR, lately, I have less time to take care of these topics, so I'd be happy to receive help from community, or even if a community members would step in to help maintain this image.

[sspreitzer]

Docker and Moby port forwarding is container runtime engine specific. It should be assumed that the contimer runtime could be anything. Choosing a high port is native for applications. Choosing a low system port is uncommon if you are not running system services. In this context we are running an application instead of a system service.

I might try creating a PR if I can find free time to do so. Other volunteers are very welcome.

[J0WI]

You could also use the FPM container that runs on port 9000.

[J0WI]

I think this is out-of-scope of this image and affects the httpd base image.
You can also achieve this by mounting a custom config: https://github.com/docker-library/docs/tree/master/httpd#configuration

[kewi69]

Not out of scope in my opinion. As containers are more frequently deployed in a managed environment, like openshift, this is an unnecessary obstacle.
Spent hours trying to do a quick test deploy of this image this week, as our project manager wanted to check it out.
Did not expect the the problems I got. Learned the hard way about that restricted ports can't be remapped. Never tried that before as we usually don't use them.

[markstos]

Allowing a configurable port number would help users with host networking, who may already have something else running on port 80.

[J0WI]

Closing due docker-library/php#94