sunet-cdn/cdn-ops
2
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Allow haproxy to bind to ports 80/443

Browse source 
This way we can run haproxy as an unprivileged user and still use what
is normally considered privileged ports.
This commit is contained in:
Patrik Lundin 2024-10-11 13:49:04 +02:00
parent 1247c7f0be
commit 4d7283e361
Signed by: patlu
GPG key ID: A0A812BA2249F294
2 changed files with 16 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
View file

@ -39,6 +39,20 @@ class cdn::cache(
content => template('cdn/cache/varnish-slash-seccomp.json.erb'), content => template('cdn/cache/varnish-slash-seccomp.json.erb'),
} }
$sysctl_file = '/etc/sysctl.d/99-cdn-cache.conf'
file { $sysctl_file:
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
content => template('cdn/cache/sysctl.erb'),
}
# Load the sysctl file if it has changed
exec { "sysctl -p ${sysctl_file}":
subscribe => File[$sysctl_file],
refreshonly => true,
}
if $cache_secrets { if $cache_secrets {
$customers.each |String $customer, Integer $customer_uid| { $customers.each |String $customer, Integer $customer_uid| {
if $cache_secrets['customers'][$customer] { if $cache_secrets['customers'][$customer] {

2
global/overlay/etc/puppet/modules/cdn/templates/cache/sysctl.erb vendored Normal file
View file

@ -0,0 +1,2 @@
# Allow haproxy to bind to port 80 and 443 when running as unprivileged user
net.ipv4.ip_unprivileged_port_start=80