haproxy is awesome

Me & the boys serving http on the boob port

The docker image you just set the port like any other program.

Vaulwarden does this and I'm really frustrated that I have to cap_add NET_BIND_SERVICE in my rootless setup just to make my password server run.

Unless I am missing some obvious setting:
Restricted Kubernetes doesnt work like that. You have to run the container with a non-root UID (usually something upwards of a million). Non-root users however can't reserve ports below 1025. Nextcloud builds on the default php-apache image which comes with the default apache ports.conf (Listen 80).

So now this has to be overwritten either by making a custom build (which may require creating a custom build pipeline) or by mounting a new config file (e.g. via ConfigMap) else it wont start. Both are an additional update risk which now has to be documented and checked before updating in addition to changes from the normal nextcloud changelog.

Similiar issues probably appear with rootless docker/podman unless you add extra capabilities, which is not possible in restricted kubernetes settings.

I like 6969

I'd suckle that server

I know nothing about k8s, just started with a homelab using primarily docker in an Ubuntu LXC in proxmox and have been using the nextcloud image via docker compose on a different port by simply editing the compose to outwardly point to a different port, inside the docker container my understanding is it all still uses port 80, thereby causing no further issues with the application.

You also see a fair bit of 8001 iirc

Welcome to the community then For rootful Docker you are correct - the inside port can be 80 and you can expose it on whatever port you want (ideally you expose it only via reverse proxy and not by port - I can recommend Caddy-Docker-Proxy for that)

I use Traefik already, but thank you!

Also a great choice

Got me curious on rootless vs root docker, there's so much.

If you're using a reverse-proxy, why bother mapping ports at all?

Absolutely, it is not necessary if the proxy can reach the service in other ways (e.g. a shared network). Some non-http services don't like to be proxied though. Some constellations where the proxy is not on the same host as the containers may also make it necessary. My answer was based on the possibility to not have the same inside/outside port, not necessarily the need though

Since rootless docker is (mostly) a security improvement, here is a interesting list of other Docker realted security tips I like to consult: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

Can't use 80 or 8080? Lets use 12380!

Are you sure you need that? I just added a —user to the docker run and it started just fine on port 80 in the container.

That’s because 8080 is the official unprivileged alternative port for 80, the HTTP port. Web developers are usually using HTTP, so this makes perfect sense. If it supports HTTPS, then 8443, though that one isn’t official.

I run a few open source server projects, and they usually default to 8080 for this reason. I have one that uses 8888, and that’s only because it’s meant for temporary ad-hoc servers.

I’m working on an SFTP server, and it will use 2222, because that’s the most common unprivileged alternative port. There is no official alternative for SSH.

I prefer the secure version, boobs.