If you're using a reverse-proxy, why bother mapping ports at all?

Absolutely, it is not necessary if the proxy can reach the service in other ways (e.g. a shared network). Some non-http services don't like to be proxied though. Some constellations where the proxy is not on the same host as the containers may also make it necessary. My answer was based on the possibility to not have the same inside/outside port, not necessarily the need though

Since rootless docker is (mostly) a security improvement, here is a interesting list of other Docker realted security tips I like to consult: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

Can't use 80 or 8080? Lets use 12380!

Are you sure you need that? I just added a —user to the docker run and it started just fine on port 80 in the container.

That’s because 8080 is the official unprivileged alternative port for 80, the HTTP port. Web developers are usually using HTTP, so this makes perfect sense. If it supports HTTPS, then 8443, though that one isn’t official.

I run a few open source server projects, and they usually default to 8080 for this reason. I have one that uses 8888, and that’s only because it’s meant for temporary ad-hoc servers.

I’m working on an SFTP server, and it will use 2222, because that’s the most common unprivileged alternative port. There is no official alternative for SSH.

I prefer the secure version, boobs.

Haproxy is great, but setup is hard. It’s more for load balancing than being an easy reverse proxy.

4200 or 10420 too

I'm using podman, and I don't like the practice of unnecessarily setting UIDs. NET_BIND_SERVICE is exactly the flag it needs to set port 80 and it doesn't potentially complicate accessing the files for maintenance. Does your system have SELinux? If not, that might be why you don't need it lol.