
Nginx should only listen on ports > 1024

Open sjberman opened this issue 9 months ago • 1 comments

Right now nginx listens on whatever ports are defined in the Gateway listener. However, ports under 1024 are privileged and require the CAP_NET_BIND capability and allowPrivilegeEscalation in order for nginx to be able to listen on them.

For better security posture, we should only configure nginx to listen on ports greater than 1024. We can still allow users to configure their listeners with any port they want (since 80 and 443 are going to be the most common), and we'll configure the nginx Service to listen on those ports, but forward to containerPorts that aren't privileged.

For example:

  listeners:
  - name: http
    port: 80

would result in a Service config like:

ports:
- name: port-80
  port: 80
  protocol: TCP
  targetPort: 20080

where the container and nginx listen on port 20080 for that listener.

Acceptance

  • Listener ports less than 1024 should result in nginx listening on some higher number port that correlates with the defined port
    • this higher port should be defined in such a way to minimize the possibility of collision with a user defined port
  • Listener ports greater than 1024 should be left alone
  • Service ports still match the listener ports
  • If no longer needed, CAP_NET_BIND should be removed and allowPrivilegeEscalation set to false for the nginx deployment

sjberman avatar Jan 29 '25 17:01 sjberman
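The port mapping proposed in the issue, as an added example in Go (this is not code from the nginx-gateway-fabric project). It assumes a fixed offset of 20000, matching the issue's 80 to 20080 example, treats ports below 1024 as privileged (those are the ports that need the Linux CAP_NET_BIND_SERVICE capability, which the issue calls CAP_NET_BIND), leaves higher ports unchanged, keeps the Service port equal to the listener port, and rejects the collision case the acceptance criteria mention: a user-defined listener on, say, 20080 alongside a listener on 80. Listeners that share a port (Gateway API allows this with distinct hostnames) produce a single Service port entry. The `ServicePort` struct and function names are illustrative, not the project's types.

```go
package main

import (
	"fmt"
	"sort"
)

// privilegedPortOffset is an assumed value chosen so that listener port 80
// maps to container port 20080, as in the issue's example.
const privilegedPortOffset = 20000

// ServicePort mirrors the fields of the Service port entry shown in the issue.
type ServicePort struct {
	Name       string
	Port       int32 // the port the user configured on the Gateway listener
	Protocol   string
	TargetPort int32 // the unprivileged port nginx actually binds inside the container
}

// isPrivileged reports whether binding the port requires CAP_NET_BIND_SERVICE.
func isPrivileged(port int32) bool { return port < 1024 }

// containerPort returns the port nginx should listen on for a listener port:
// privileged ports are shifted by the offset, all others are left alone.
func containerPort(listenerPort int32) int32 {
	if isPrivileged(listenerPort) {
		return listenerPort + privilegedPortOffset
	}
	return listenerPort
}

// buildServicePorts turns listener ports into Service ports. The Service keeps
// the user's port and forwards to the container port nginx binds. It fails if
// two different listener ports would land on the same container port.
func buildServicePorts(listenerPorts []int32) ([]ServicePort, error) {
	claimed := make(map[int32]int32) // containerPort -> listener port that claimed it
	ports := make([]ServicePort, 0, len(listenerPorts))
	for _, lp := range listenerPorts {
		if lp < 1 || lp > 65535 {
			return nil, fmt.Errorf("listener port %d out of range", lp)
		}
		cp := containerPort(lp)
		if prev, ok := claimed[cp]; ok {
			if prev == lp {
				continue // same listener port seen twice: one Service port entry is enough
			}
			return nil, fmt.Errorf("listener port %d collides with listener port %d on container port %d", lp, prev, cp)
		}
		claimed[cp] = lp
		ports = append(ports, ServicePort{
			Name:       fmt.Sprintf("port-%d", lp),
			Port:       lp,
			Protocol:   "TCP",
			TargetPort: cp,
		})
	}
	// Deterministic ordering keeps generated manifests stable across reconciles.
	sort.Slice(ports, func(i, j int) bool { return ports[i].Port < ports[j].Port })
	return ports, nil
}

func main() {
	ports, err := buildServicePorts([]int32{443, 8080, 80, 80})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range ports {
		fmt.Printf("%s port=%d targetPort=%d\n", p.Name, p.Port, p.TargetPort)
	}
	// A listener on 20080 next to a listener on 80 is the collision case.
	_, err = buildServicePorts([]int32{80, 20080})
	fmt.Println("collision check:", err)
}
```

With the remapping in place, the nginx container never needs to bind a port below 1024, which is what lets the deployment drop the capability and set allowPrivilegeEscalation to false, as the last acceptance item asks.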

This issue is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 14 days.

github-actions[bot] avatar Feb 13 '25 02:02 github-actions[bot]

Closing this for now, due to the fix in privileges added recently.

sjberman avatar Aug 18 '25 16:08 sjberman