Hi,

On Thu, Feb 19, Mathieu Sergent wrote:
> And how is it possible to enable the haproxy user to have the CAP_NET_ADMIN
> capability?

I think you could set (setcap) CAP_NET_ADMIN on the haproxy binary:
(https://wiki.archlinux.org/index.php/Capabilities
http://packetlife.net/blog/2010/mar/19/sniffing-wireshark-non-root-user/)
so:
setcap cap_net_admin=eip /usr/sbin/haproxy
(I didn't test this).

> 2015-02-19 9:55 GMT+01:00 Lukas Tribus <[email protected]>:
>
> > > Hi,
> > >
> > > I'm trying to use the option source of HAProxy in order to have the
> > > client's address from my web server.
> > >
> > > So I add this option in defaults : "source 0.0.0.0 usesrc clientip".
> > >
> > > When I restart HAProxy, I receive back this message : " Some
> > > configuration options require full privileges, so global.uid cannot be
> > > changed. "
> > >
> > > I found that it is possible to use this option being root, by commenting
> > > out the following lines in conf : "&user haproxy
> > > &group haproxy "
> > >
> > > But for security reasons, I need to use this option without being root,
> > > I would like to know if it's possible by changing a configuration?
> >
> > The haproxy user needs to have the CAP_NET_ADMIN capability. That
> > way, you can drop privileges to non-root, but still use the usesrc keyword.

--
Jarno Huuskonen
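A way to check the outcome the thread is after (a non-root haproxy process that still holds CAP_NET_ADMIN), as an added example that is not part of the original messages. The function names, the UID 188 and the sample status text are constructed for illustration; the check reads the `Uid` and `CapEff` lines of a `/proc/<pid>/status` file.

```shell
#!/bin/sh
# Added example. On a live host the inputs would come from:
#   getcap /usr/sbin/haproxy                         # file capabilities on the binary
#   check_status "/proc/$(pidof -s haproxy)/status"  # running process
CAP_NET_ADMIN_BIT=12   # capability number from <linux/capability.h>

# mask_has_cap HEXMASK BIT: succeeds if BIT is set in a /proc capability mask.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_status FILE: succeeds only if the process described by a
# /proc/<pid>/status file is non-root and holds CAP_NET_ADMIN in CapEff.
check_status() {
    euid=$(awk '$1 == "Uid:" { print $3 }' "$1")      # 2nd Uid value = effective UID
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$1") # effective capability mask (hex)
    if [ -z "$euid" ] || [ -z "$capeff" ]; then
        echo "$1: Uid or CapEff line missing"
        return 2
    fi
    if ! mask_has_cap "$capeff" "$CAP_NET_ADMIN_BIT"; then
        echo "euid=$euid CapEff=$capeff: CAP_NET_ADMIN missing, usesrc will not work"
        return 1
    fi
    if [ "$euid" -eq 0 ]; then
        echo "euid=0 CapEff=$capeff: CAP_NET_ADMIN present, but still running as root"
        return 1
    fi
    echo "euid=$euid CapEff=$capeff: non-root with CAP_NET_ADMIN"
}

# Constructed sample status text (not captured from a real system):
# a process running as UID 188 whose only effective capability is bit 12.
sample=$(mktemp)
printf 'Name:\thaproxy\nUid:\t188\t188\t188\t188\nCapEff:\t0000000000001000\n' > "$sample"
check_status "$sample" || true
rm -f "$sample"
```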

