Hi.
On 24-03-2017 07:17, Ankit Malp wrote:
tldr; Is there a way to bind a frontend to interface and still be able
to start HAProxy as root and later lower privileges to a non root user?
That's the default behaviour with 'user' keyword.
I asked this question at
http://serverfault.com/questions/840039/haproxy-interface-eth-aware-binding-as-non-root-user
but did not get replies and thought this community might be a better
place.
I have also added the answer there.
I have a scenario where I need to listen explicitly on network
interfaces. This works great if I do not set an explicit lower
privileged user (proxy runs as root throughout its life).
However, I would prefer to not run the proxy as root.
Config snippet
global
    #Works only without below line but its implication is running as root user
    user haproxy

frontend frontend_tcp_eth1
    mode tcp
    bind 0.0.0.0:80 interface eth1
Reading through the docs, I only see root permissions necessary to bind
for outgoing connections but not for listening to an interface. Am I
missing something?
https://cbonte.github.io/haproxy-dconv/1.6/management.html#13
"HAProxy will need to be started as root in order to :
- adjust the file descriptor limits
- bind to privileged port numbers
That's the answer.
You try to bind on port 80 which is a privileged port
https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html
- bind to a specific network interface
- transparently listen to a foreign address
- isolate itself inside the chroot jail
- drop to another non-privileged UID
HAProxy may require to be run as root in order to :
- bind to an interface for outgoing connections
- bind to privileged source ports for outgoing connections
- transparently bind to a foreign address for outgoing connections
Most users will never need the "run as root" case. But the "start as root"
covers most usages."
Thanks,
Ankit
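
An added example, not part of the original messages and not HAProxy's own code: a small audit that reports, per section, which `bind` lines fall under the start-as-root cases quoted from the management guide, and whether `global` sets `user` or `uid` so the process drops privileges after binding. The sample configuration is constructed from the snippet above, the function names are hypothetical, and the 1024 cutoff for privileged ports is the conventional Unix default, assumed here.

```python
import re

# Constructed sample, modelled on the snippet in the message above.
SAMPLE = """\
global
    user haproxy

frontend frontend_tcp_eth1
    mode tcp
    bind 0.0.0.0:80 interface eth1

frontend high_port
    mode tcp
    bind 127.0.0.1:8080
"""

SECTIONS = ("global", "defaults", "frontend", "listen", "backend")

def startup_root_reasons(bind_args):
    """Reasons why one 'bind' line needs HAProxy to be started as root."""
    addrs, params = bind_args[0].split(","), bind_args[1:]
    reasons = []
    # The port follows the last ':'; for a range such as 80-90 check the low end.
    ports = [re.search(r":(\d+)(?:-\d+)?$", a) for a in addrs]
    if any(m and int(m.group(1)) < 1024 for m in ports):  # assumed cutoff
        reasons.append("privileged port")
    if "interface" in params:
        reasons.append("specific network interface")
    if "transparent" in params:
        reasons.append("transparent listen")
    return reasons

def audit(config_text):
    """Return ({section: reasons}, drops) where drops means global sets user/uid."""
    section, drops, findings = None, False, {}
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words)
        elif section == "global" and words[0] in ("user", "uid"):
            drops = True
        elif words[0] == "bind" and len(words) > 1:
            reasons = startup_root_reasons(words[1:])
            if reasons:
                findings.setdefault(section, []).extend(reasons)
    return findings, drops

if __name__ == "__main__":
    findings, drops = audit(SAMPLE)
    for name, reasons in findings.items():
        print(f"{name}: start as root needed for {', '.join(reasons)}")
    print("drops privileges after binding:", drops)
```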