Bind icinga2 daemon to privileged port

Hi, by default icinga2 daemon runs on port 5665.
In rare cases it might be required to run icinga2 daemon on a privileged port (<1024).
If you try to do so:

/etc/icinga2/features-available/api.conf

object ApiListener "api" {
  bind_port = 443
}

it will fail to reload the daemon, because the icinga2 daemon runs as a non-root user (i.e. nagios) that can bind only to ephemeral ports.

critical/ApiListener: Cannot add listener on host '' for port '443'.

I know it’s nasty, but is it possible to bind icinga2 daemon to a port < 1024 without changing daemon user?
If yes, what’s the best way?

Thank you.

No, that’s not supported. Running Icinga with root permissions opens up many attack vectors, none of your services should do that unless they were built for it.

If you require e.g. 5665 for https, put an HTTP proxy up front which forwards that onto 443. Doing that with Apache or Nginx works perfectly fine.

Cheers,
Michael
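As an added example of the reverse-proxy setup suggested above (not from this thread or from the Icinga project), here is an nginx server block that exposes the Icinga 2 API on 443 while icinga2 itself keeps listening on 5665 as its unprivileged user. The hostname, certificate paths and the Icinga CA path are assumptions; adjust them to the host.

```nginx
# Added example, not part of the original thread or the Icinga project.
# nginx terminates TLS on 443 and forwards to the ApiListener on 5665.
server {
    listen 443 ssl;
    server_name icinga.example.org;            # assumed hostname

    # Certificate presented to API clients (assumed paths).
    ssl_certificate     /etc/ssl/certs/icinga.example.org.crt;
    ssl_certificate_key /etc/ssl/private/icinga.example.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # The ApiListener only speaks TLS, so the upstream must be https.
        proxy_pass https://127.0.0.1:5665;
        proxy_http_version 1.1;

        # Verify the upstream certificate against the Icinga CA so that a
        # rogue local process on 5665 cannot impersonate the daemon
        # (CA path and expected certificate name are assumptions).
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /var/lib/icinga2/certs/ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                icinga.example.org;

        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Two caveats a practitioner should keep in mind. First, because nginx terminates the TLS session, client-certificate authentication does not pass through the proxy; only ApiUser password (HTTP basic) authentication works on 443, and the client's Authorization header is forwarded by nginx by default. Second, cluster endpoints (satellites, agents) authenticate each other with certificates and must keep talking to 5665 directly; the proxy is for external API consumers only. Validate with `nginx -t`, then `curl -u <apiuser>:<password> https://icinga.example.org/v1/status` should return the same JSON as the same request against port 5665.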

Thank you for your reply.
The best workaround I found is this (on linux master):

iptables -t nat -A PREROUTING -i ens18 -p tcp --dport 443 -j REDIRECT --to-port 5665

I'd like to share anyway this post that suggests the use of the systemd directive "AmbientCapabilities=CAP_NET_BIND_SERVICE".
That should give the service the ability to bind a privileged port without running as the root user or doing other tricks.
For it to work there must be support on the program/daemon side.

Thanks, but as you already figured, I don't want to support such default port changes anyway. The best support you can get is by keeping the defaults, and reproducible. An HTTP proxy in the middle is far easier to debug than iptables, imho :)

Cheers,
Michael

I’ll test that as well.
Thank you.