Hi, by default icinga2 daemon runs on port 5665.
In rare cases it might be required to run icinga2 daemon on a privileged port (<1024).
If you try to do so:
No, that’s not supported. Running Icinga with root permissions opens up many attack vectors, none of your services should do that unless they were built for it.
If you require e.g. 5665 for https, put an HTTP proxy up front which forwards that onto 443. Doing that with Apache or Nginx works perfectly fine.
I’d like to share this post anyway, which suggests the use of the systemd directive "AmbientCapabilities=CAP_NET_BIND_SERVICE".
That should give the ability for the service to bind a privileged port without running as root user or doing other tricks.
For it to work there must be support on the program/daemon side.
Thanks, but as you already figured, I don’t want to support such default port changes anyways. The best support you can get is with keeping the defaults, and reproducible. An HTTP proxy in the middle is far more easy to debug than iptables imho
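As an added example (not part of the thread and not Icinga code), the sketch below audits a `/proc/<pid>/status` snapshot to tell a service running as root apart from one that only holds `CAP_NET_BIND_SERVICE`, the capability named in the directive discussed above. The sample status text, UID 998 and the function names are constructed for illustration.

```python
# Added example: audit a /proc/<pid>/status snapshot for root UID and capabilities.
CAP_NET_BIND_SERVICE = 10  # bit number defined in linux/capability.h

# Constructed sample: unprivileged service user (UID 998 is made up) whose unit
# sets AmbientCapabilities=CAP_NET_BIND_SERVICE, so only bit 10 (0x400) is set.
SAMPLE_CAP_ONLY = (
    "Name:\ticinga2\n"
    "Uid:\t998\t998\t998\t998\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapAmb:\t0000000000000400\n"
)

# Constructed sample: the same daemon started as root with a full effective set.
SAMPLE_ROOT = (
    "Name:\ticinga2\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

def parse_status(text):
    """Return {field: [values]} for each 'Key:\\tvalue...' line."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if value.strip():
            fields[key.strip()] = value.split()
    return fields

def audit(text):
    """Summarise what privileges the process actually holds."""
    f = parse_status(text)
    euid = int(f["Uid"][1])          # order: real, effective, saved, filesystem
    eff = int(f["CapEff"][0], 16)    # effective capability bitmask (hex)
    bind_bit = 1 << CAP_NET_BIND_SERVICE
    # Every effective capability other than the one needed for ports < 1024.
    extra = [bit for bit in range(64) if eff >> bit & 1 and bit != CAP_NET_BIND_SERVICE]
    return {
        "runs_as_root": euid == 0,
        "can_bind_low_ports": bool(eff & bind_bit),
        "extra_caps": extra,
    }

if __name__ == "__main__":
    for name, sample in (("cap-only", SAMPLE_CAP_ONLY), ("root", SAMPLE_ROOT)):
        print(name, audit(sample))
```

On a live host, pass the contents of `/proc/<pid>/status` for the service's main PID to `audit()`; a non-empty `extra_caps` or `runs_as_root` means the process holds more than the single capability.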