Allow haproxy to bind to ports 80/443

This way we can run haproxy as an unprivileged user and still use what is normally considered privileged ports.
2024-10-11 13:49:04 +02:00 · 2024-10-11 13:49:04 +02:00 · 4d7283e361
parent 1247c7f0be
commit 4d7283e361
2 changed files with 16 additions and 0 deletions
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@ -39,6 +39,20 @@ class cdn::cache(
    content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
  }

+  $sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
+  file { $sysctl_file:
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('cdn/cache/sysctl.erb'),
+  }
+  # Load the sysctl file if it has changed
+  exec { "sysctl -p ${sysctl_file}":
+    subscribe   => File[$sysctl_file],
+    refreshonly => true,
+  }
+
  if $cache_secrets {
    $customers.each |String $customer, Integer $customer_uid| {
      if $cache_secrets['customers'][$customer] {
--- a/global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb
+++ b/global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb
@ -0,0 +1,2 @@
+# Allow haproxy to bind to port 80 and 443 when running as unprivileged user
+net.ipv4.ip_unprivileged_port_start=80