[SOLVED] Making drone listen on port different than 443

Hello,
I am trying to make drone work with HTTPS on the host network.
I need to run it on host network (docker run ... --network=host) because I have my gitea instance installed locally and not on docker, so I need drone’s container to be able to reach the host’s ports.
Ports 80 and 443 are already used on the host (by a reverse proxy), so I need drone to listen to some other ports.

If I am using plain HTTP, this works out fine.
I pass the environment variable DRONE_SERVER_PORT=:8082 and drone listens on port 8082 instead of port 80.
It connects to the local gitea instance and it accepts connections to the runners.

If, however, I use HTTPS and provide a certificate and a private key, drone still (tries to) bind port 443, regardless of the content of environment variable DRONE_SERVER_PORT.
Since port 443 is already in use, it fails.

I tried to look at the code, but I am not familiar with golang, and I could not figure out where the problem might be.
I tried to trivially replace the only occurrence of the string 443 with 8082, recompile and create a custom docker image, but it did not work.

I realize the solution would be trivial if I could run drone contained on docker’s network and remap port 443 to some other port, but unfortunately I cannot do that.

This is the command I run to create the container.
If I remove the environment variables DRONE_TLS_CERT and DRONE_TLS_KEY and set DRONE_SERVER_PROTO=http, it correctly binds to port 8082 (obviously without using HTTPS).

docker run \
  --volume=/var/lib/drone:/data \
  --volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
  --volume=/path/to/drone.cert.pem:/etc/certs/drone.cert.pem:ro \
  --volume=/path/to/drone.key.pem.nopasswd:/etc/certs/drone.key.pem.nopasswd:ro \
  --env=DRONE_TLS_CERT=/etc/certs/drone.cert.pem \
  --env=DRONE_TLS_KEY=/etc/certs/drone.key.pem.nopasswd \
  --env=DRONE_GITEA_SERVER=${DRONE_GITEA_SERVER} \
  --env=DRONE_GITEA_CLIENT_ID=${DRONE_GITEA_CLIENT_ID} \
  --env=DRONE_GITEA_CLIENT_SECRET=${DRONE_GITEA_CLIENT_SECRET} \
  --env=DRONE_GITEA_SKIP_VERIFY=false \
  --env=DRONE_RPC_SECRET=${DRONE_RPC_SECRET} \
  --env=DRONE_SERVER_HOST=drone.localdomain:8082 \
  --env=DRONE_SERVER_PORT=:8082 \
  --env=DRONE_SERVER_PROTO=https \
  --restart=always \
  --detach=true \
  --name=drone \
  --network=host \
  drone/drone:1

Perhaps DRONE_SERVER_PORT only controls the HTTP port, and not the HTTPS port?
Is there then another environment variable for HTTPS?
Any other ideas?

Hi,

Kindly try using the below instructions to bind the port for https: https://docs.drone.io/server/https/

Hi csgit,
unfortunately I cannot find any information about binding ports on the link you provided.
The only related topic mentioned there is mapping ports through docker (docker run -p 443:443), but that cannot work if the container is attached directly to the host network.

One option is to map 443 to a different host machine port. When you enable SSL in Drone it always connects to port 443.

docker run -p 8443:443

However, since you have a reverse proxy already installed on the machine, why not place Drone behind the reverse proxy and let the reverse proxy handle ssl termination? In that case, you would configure ssl with the reverse proxy and then Drone would use plain http. You could map Drone to listen on a different host port, and your reverse proxy could proxy requests to this port.

docker run -p 8080:80

Also, as mentioned in the documentation, we strongly recommend installing Drone and Gitea on separate instances. While it is possible to run them on the same machine, the networking can get very complicated, as you are seeing. Supporting these sorts of complex single-machine network configurations is outside the scope of support we provide.
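The reverse-proxy layout suggested in the reply above, combined with the host-network constraint from the question, as an added example that is not part of the thread or of Drone's own documentation. It assumes the proxy already on ports 80/443 is nginx, reuses the thread's hostname, port 8082 and certificate paths, and uses hypothetical function names (`nginx_conf`, `drone_args`).

```shell
# Added example (not from the thread). Assumes nginx is the proxy on 80/443.
DRONE_PORT=8082   # plain-HTTP port Drone binds on the host network

# nginx server block: TLS terminates here, requests reach Drone over loopback.
nginx_conf() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name drone.localdomain;
    ssl_certificate     /path/to/drone.cert.pem;
    ssl_certificate_key /path/to/drone.key.pem.nopasswd;
    location / {
        proxy_set_header Host \$http_host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://127.0.0.1:${DRONE_PORT};
        proxy_http_version 1.1;
        proxy_buffering off;
    }
}
EOF
}

# docker run arguments, one per line. No DRONE_TLS_* variables, so Drone serves
# HTTP on DRONE_SERVER_PORT; PROTO/HOST describe the public (proxied) URL.
# "--env=NAME" without a value copies NAME from the calling shell, which keeps
# the secrets out of the process list.
drone_args() {
  cat <<EOF
--volume=/var/lib/drone:/data
--volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
--env=DRONE_GITEA_SERVER
--env=DRONE_GITEA_CLIENT_ID
--env=DRONE_GITEA_CLIENT_SECRET
--env=DRONE_GITEA_SKIP_VERIFY=false
--env=DRONE_RPC_SECRET
--env=DRONE_SERVER_HOST=drone.localdomain
--env=DRONE_SERVER_PORT=:${DRONE_PORT}
--env=DRONE_SERVER_PROTO=https
--restart=always
--detach=true
--name=drone
--network=host
EOF
}

case "${1:-}" in
  nginx) nginx_conf ;;                            # print the proxy config
  run)   docker run $(drone_args) drone/drone:1 ;;  # word splitting intended
esac
```

With `--network=host`, `:8082` is bound on every host interface, so restrict that port with the host firewall to keep clients from bypassing the TLS proxy.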

I cannot use -p flag at all when I am also using --network=host.
Docker complains with:

WARNING: Published ports are discarded when using host network mode

Unfortunately, in my case gitea must be running directly on the host, I have no choice here.
I am no docker expert but, as far as I can tell, it is not possible to make a container connect to one of the host ports (and please point out if I am wrong here, because that would solve my issue).

> While it is possible to run them on the same machine, the networking can get very complicated, as you are seeing. Supporting these sorts of complex single-machine network configurations is outside the scope of support we provide

I do not want to make demands about the scope of a project I do not contribute to :) but I do not really see how this networking setup is “very complicated”.
I simply want to bind port X instead of port 443.
This setup is supported for plain HTTP, where the bound port can be changed via the environment variable DRONE_SERVER_PORT, but not for HTTPS, where it is hardcoded to 443.

If you think it is not worth the effort to support this use case, perhaps you can give me a hint as to where in the source code the port is bound?
That way I could hardcode the port I wanted, recompile, and build a new custom docker image.

You can edit this file: