Bind icinga2 daemon to privileged port

Hi, by default icinga2 daemon runs on port 5665.
In rare cases it might be required to run icinga2 daemon on a privileged port (<1024).
If you try to do so:

object ApiListener “api” {
bind_port = 443

it will fail to reload the daemon because icinga2 daemon runs with a non root user (ie. nagios) that can bind only to ephemeral ports.

critical/ApiListener: Cannot add listener on host ‘’ for port ‘443’.

I know it’s nasty, but is it possible to bind icinga2 daemon to a port < 1024 without changing daemon user?
If yes, what’s the best way?

Thank you.

No, that’s not supported. Running Icinga with root permissions opens up many attack vectors, none of your services should do that unless they were built for it.

If you require e.g. 5665 for https, put an HTTP proxy up front which forwards that onto 443. Doing that with Apache or Nginx works perfectly fine.


Thank you for your reply.
The best workaround I found is this (on linux master):

iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 443 -j REDIRECT --to-port 5665

I’d like to share anyway this post that suggest the use systemd directive "
That should give the ability for the service to bind a privileged port without running as root user or doing other tricks.
For it to work there must be support on the program/daemon side.

Thanks, but as you already figured, I don’t want to support such default port changes anyways. The best support you can get is with keeping the defaults, and reproducible. An HTTP proxy in the middle is far more easy to debug than iptables imho :slight_smile:


I’ll test that as well.
Thank you.