containous / traefik-library-image

ARCHIVED
https://github.com/traefik/traefik-library-image
Apache License 2.0
218 stars 60 forks

-BREAKING- Update base image to not run as root #43

Closed GauntletWizard closed 5 years ago

GauntletWizard commented 5 years ago

Do you want to request a feature or report a bug?

Feature

What did you do?

Ran Traefik with a Kubernetes Pod Security Policy disallowing running containers as root. It did not start.

What did you expect to see?

Traefik would run without issue

What did you see instead?

Traefik would not start. The image runs as root - running with a specified user does not work because it attempts to bind port 80. With a custom configuration that does not bind port 80, however, the image runs just fine.

This change alters the image to expose port 8080 instead, and adds a USER stanza to not run as root. This is a breaking change for many users, and would require significant announcement - I'm proposing it as a discussion topic rather than as an immediate merge target.

ldez commented 5 years ago

I propose that we discuss that point in issue #38.

Thank you for your time and interest :+1:

westurner commented 5 years ago

Why did you close this as invalid?

westurner commented 5 years ago

When I create a similar container (with USER specified before CMD) and change the http and https entrypoint ports to 8080 and 8443 and map those ports in the compose file (443:8443, 80:8080), redirects are broken because domain:80 -> domain:8443 instead of domain:80 -> domain:443. ACME also expects only 80 and 443.

I can't just specify additional entrypoints for 80 and 443, because those can't bind without root.

Does there need to be an additional config setting for when >1024 ports are mapped with docker -- so that redirects work -- or am I doing this wrong / did you ever get this to work with redirects and ACME?

dealboy commented 5 years ago

Having similar requirements for security reasons, we are also investigating the non-root options.

@westurner: Can you please clarify a bit more what breaks in your approach? The redirection break you mention is not clear: is it because of ACME usage, or because of an [entryPoints.http.redirect] in your toml?
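The set-up westurner describes (non-root user, entrypoints moved to 8080/8443, host ports 80/443 mapped onto them) together with the redirect fix, written out as a docker-compose file. This is an added example, not a file from this repository or from the thread participants; the image tag, the UID/GID, the ACME e-mail address and the volume names are placeholders. It uses Traefik 1.x command-line entrypoint syntax, where `Redirect.EntryPoint` builds the Location header from the target entrypoint's container-side address (hence `domain:8443`), while `Redirect.Regex`/`Redirect.Replacement` let the redirect target be stated explicitly.

```yaml
# Added example, not part of the PR: Traefik 1.x running as a non-root user on
# unprivileged container ports, with host ports 80/443 mapped onto them.
# Placeholders: image tag, UID/GID 10001, ops@example.com, volume names.
version: "3.7"
services:
  traefik:
    image: traefik:1.7-alpine          # assumed tag; use the one you deploy
    # Equivalent to a USER stanza in the Dockerfile: no root inside the container,
    # so the process can only bind ports >= 1024.
    user: "10001:10001"
    command:
      # Weak setting (the behaviour reported in the thread): the redirect is
      # derived from the https entrypoint's own address, so clients receive
      # Location: https://domain:8443/..., a port the host does not expose.
      #   - "--entryPoints=Name:http Address::8080 Redirect.EntryPoint:https"
      #
      # Corrected setting: rewrite the URL to https:// on the default port 443,
      # which the host maps to container port 8443. "$$" escapes "$" for Compose.
      - "--entryPoints=Name:http Address::8080 Redirect.Regex:^http://(.*) Redirect.Replacement:https://$$1"
      - "--entryPoints=Name:https Address::8443 TLS"
      - "--defaultEntryPoints=http,https"
      # ACME: the HTTP-01 challenge arrives on host port 80 and is forwarded to
      # the http entrypoint on 8080, so no privileged port is needed in-container.
      - "--acme"
      - "--acme.email=ops@example.com"
      - "--acme.storage=/acme/acme.json"
      - "--acme.entryPoint=https"
      - "--acme.httpChallenge.entryPoint=http"
      # Add your provider configuration here. Note for the Docker provider: the
      # socket is normally owned by root:docker on the host, so a non-root
      # Traefik cannot read it unless its group is granted access.
    ports:
      - "80:8080"      # host 80  -> container http entrypoint
      - "443:8443"     # host 443 -> container https entrypoint
    volumes:
      # Must be writable by UID 10001; Traefik creates acme.json with mode 600.
      - acme:/acme
volumes:
  acme: {}
```

The only change relative to a root-based deployment is the explicit regex redirect: everything else (port mapping, ACME on the http entrypoint) works as before because the privileged ports are bound by the Docker daemon on the host, not by Traefik inside the container.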
