On Wed, Mar 18, 2015 at 1:07 PM, Lukas Tribus <[email protected]> wrote:
>
>
> ----------------------------------------
>> Date: Wed, 18 Mar 2015 01:49:47 +0100
>> From: [email protected]
>> To: [email protected]; [email protected]
>> CC: [email protected]
>> Subject: Re: send/accept-proxy over unix socket not working
>>
>> On 13.03.2015 18:44, Lukas Tribus wrote:
>>>> What version of haproxy are you using ? (And what OS) ?
>>>>
>>>>> In the first frontend I set:
>>>>> server clear /var/lib/haproxy/test send-proxy
>>>>>
>>>>> In the second frontend I set:
>>>>> bind /var/lib/haproxy/test accept-proxy
>>>>
>>>> Are you able to connect to the /var/lib/haproxy/test socket with
>>>> netcat or socat ? And/or do you have chroot in haproxy.cfg ?
>>>
>>> Also if you drop privileges, check permission with the haproxy user.
>>>
>>> If supported by your kernel, you could use abstract namespaces
>>> instead.
>>
>> According to the documentation abstract namespaces are not recommended
>> when using nbproc> 1. The reason I'm dealing with unix sockets at all
>> is that I want to get around the problem of losing the stick table
>> content on reload I posted about in another mail. The idea is to run two
>> instances. One with nbproc> 1 for ssl offloading and that forwards the
>> requests to the second instance that is using nbproc = 1 and contains
>> the http frontend and a backend. In theory this should allow me to
>> reload the config of the backend instance without losing the stick table
>> content.
>>
>> I'm using chroot /var/lib/haproxy but the behavior is the same without
>> this directive. Either way a socket gets created as
>> /var/lib/haproxy/test as intended but for some reason I keep getting 503
>> when using a unix socket but everything works fine when using abstract
>> namespaces or an ip address.
>>
>> I've attached the configuration and the debug output in case that helps
>> to pinpoint the issue.
>
> Comment user and group and run haproxy as root.
> If that works, it means
> you have a permission problem.
>
>
> Lukas
>
>
Hi

He has a permission problem!
That's what I mentioned with the user parameter on the bind line.

Actually, HAProxy starts up as root and creates the socket with the root user, then it switches to user haproxy, group haproxy (according to your conf).
This user is not allowed to access the socket, since there is no write allowed for "others".

To fix your issue, simply update your bind line:
  bind /var/lib/haproxy/test accept-proxy user haproxy group haproxy

Same on server line:
  server clear /var/lib/haproxy/test send-proxy user haproxy group haproxy

Hope this helps.

Baptiste
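
The permission check behind this diagnosis, as an added example that is not part of the original thread: it binds a UNIX socket under umask 022 and evaluates the resulting mode bits for a uid other than the owner. The names `may_connect` and `demo` and the uid/gid values are constructed for illustration, and the check assumes Linux semantics (connect needs write permission on the socket) and ignores ACLs, parent-directory permissions and capabilities.

```python
import os
import socket
import stat
import tempfile


def may_connect(st, uid, gids):
    """Return True if the mode bits in `st` let uid/gids connect to the socket."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def demo():
    """Bind a socket as the current user and test it against constructed ids."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "test")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old = os.umask(0o022)  # common default umask for a daemon started as root
        try:
            srv.bind(path)  # the socket file is created with mode 0777 & ~umask
            st = os.stat(path)
        finally:
            os.umask(old)
            srv.close()
        # Constructed ids standing in for the unprivileged user after the drop.
        other_uid, other_gid = st.st_uid + 1, st.st_gid + 1
        return {
            "mode": stat.S_IMODE(st.st_mode),
            # Socket owned by someone else: falls under "others", no write bit.
            "other_user": may_connect(st, other_uid, {other_gid}),
            # Socket owned by the connecting user: owner write bit applies.
            "owner": may_connect(st, st.st_uid, {st.st_gid}),
        }


if __name__ == "__main__":
    result = demo()
    print(f"mode={result['mode']:o} other_user={result['other_user']} owner={result['owner']}")
```

On a live system, `ls -l` on the socket path shows the same owner, group and mode bits that this function evaluates.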

