Configure public port range - where?

From the documentation:

Rancher chooses the available public port from 49153-65535 range (configurable)

… well, where? :slight_smile: The reason I’m asking is that I created a bunch of modules which set up Rancher in AWS. So if this setting can be changed I’d like to know where. Because I want to create a security group which permits access to all other ports, just to be paranoid.

thanks!

It’s a property of the Environment (project) and not in the UI…

curl -X PUT \
  -u '<access key>:<secret key>' \
  -H 'Content-Type: application/json' \
  -d '{"servicesPortRange": {"startPort": 49153, "endPort": 65535}}' \
  http://<your rancher>:8080/v2-beta/projects/<your project id>
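As an added example (not from the thread or from Rancher itself), the same PUT done from Python, plus the two things the OP's automation needs around it: a sanity check on the range and the matching security-group ingress rule. The endpoint path and body keys follow the curl call above; the helper names and the sample values are assumptions.

```python
"""Narrow the Rancher public port range and derive the matching
security-group ingress rule. Added example; the v2-beta endpoint and
the servicesPortRange body mirror the curl call, the rest is assumed."""
import base64
import json
import urllib.request

RANCHER_DEFAULT = (49153, 65535)  # default range quoted from the docs


def validate_port_range(start: int, end: int) -> None:
    """Reject ranges Rancher could not publish on: out of 1-65535 or inverted."""
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        raise ValueError(f"ports must be within 1-65535, got {start}-{end}")
    if start > end:
        raise ValueError(f"startPort {start} is above endPort {end}")


def port_range_body(start: int, end: int) -> dict:
    """Build the PUT body for /v2-beta/projects/<id> (same keys as the curl call)."""
    validate_port_range(start, end)
    return {"servicesPortRange": {"startPort": start, "endPort": end}}


def ingress_rule(start: int, end: int, source_sg: str) -> dict:
    """Security-group ingress admitting exactly the published range from one
    source group (e.g. the ELB's), shaped like a Terraform ingress block."""
    validate_port_range(start, end)
    return {"from_port": start, "to_port": end, "protocol": "tcp",
            "source_security_group_id": source_sg}


def set_port_range(rancher_url: str, project_id: str, access_key: str,
                   secret_key: str, start: int, end: int) -> dict:
    """PUT the new range to the project (network call); curl -u == Basic auth."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()
    req = urllib.request.Request(
        f"{rancher_url}/v2-beta/projects/{project_id}",
        data=json.dumps(port_range_body(start, end)).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: a narrowed 100-port window and a placeholder ELB group.
    print(json.dumps(port_range_body(60000, 60099)))
    print(json.dumps(ingress_rule(60000, 60099, "sg-PLACEHOLDER")))
```

Keeping the security-group rule derived from the same start/end pair as the PUT body is what stops the two from drifting apart when the range is changed later.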

Thanks! That also means that few people will ever change that :wink: , which is good to hear.

Personally I prefer to expose as few public ports as possible, perhaps just 443 (maybe 80 at a push but ideally not). Then your sec-group automated provisioning becomes pretty simple since at the ELB you only need to allow 443 and for the hosts attached the sec-group will only need to allow the port that you forward and constrain the source to only that ELB. Everything else is private network and service discovery.

I use Terraform, and I have an option now to open those ports - or not. The Rancher hosts are private anyway, so :slight_smile:

@Fraser_Goffin the range is for “if you ask for a random public port, what range should it come from”. If you don’t want to publish ports then it’s just not relevant to you.

Host-based routing only works for http(s), there are other protocols and they can’t just share a port.

@vincent agreed, and yes I wasn’t directly answering the OP’s question (which you have now done). It was merely a provocation that opening public ports (whoever picks what the range might be) isn’t always the best option and, judging by the many comments I read here and elsewhere, not always something that is considered (until your CISO folk come around anyways or you are unfortunate enough to suffer a breach which could have been easily avoided).

As you also point out when using other protocols, ports may need to be available. Like many, we use Jenkins and connect slaves via JNLP. Those JNLP ports need to be accessible. But the point remains, you can maintain a reasoned security posture by only exposing the minimum required, especially when using automated provisioning as the OP mentioned.

Sometimes broadening the debate can help?

My 4 cents.