Hi Igor,

On Sat, Mar 25, 2017 at 02:16:37PM +1100, Igor Cicimov wrote:
> On 24 Mar 2017 5:18 pm, "Ankit Malp" <[email protected]> wrote:
>
> tldr; Is there a way to bind a frontend to interface and still be able to
> start HAProxy as root and later lower privileges to a non root user?
>
> I asked this question at
> http://serverfault.com/questions/840039/haproxy-interface-eth-aware-binding-as-non-root-user
> but did not get replies and thought this community might be a better
> place. I have a scenario where I need to listen explicitly on network
> interfaces. This works great if I do not set an explicit lower privileged
> user (proxy runs as root throughout its life).
>
> However, I would prefer to not run the proxy as root.
>
> Config snippet
>
> global
>     #Works only without below line but its implication is running as root user
>     user haproxy
>
> frontend frontend_tcp_eth1
>     mode tcp
>     bind 0.0.0.0:80 interface eth1
>
> Simply do iptables
>
> iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> and have haproxy listen on port 8080

I think you're mixing multiple demands here. The haproxy config above is
sufficient to make haproxy only receive incoming connections on eth1
targeting tcp port 80. Your iptables rule contradicts this as you prevent
haproxy from getting any connection.

> Reading through the docs, I only see root permissions necessary to bind for
> outgoing connections but not for listening to an interface. Am I missing
> something?

I really don't understand what issue you're facing. Haproxy binds sockets
*before* dropping privileges. Otherwise that would not work. Many of us use
interface binding for various reasons (often as simple as increasing total
traffic), and there's nothing more to do than your config above.

Willy
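The ordering described in the reply above (bind the socket first, drop privileges afterwards), as an added C example that is not HAProxy's code and not part of the original message. The function names `listen_then_drop` and `bound_port` and the uid/gid 65534 are hypothetical, chosen for illustration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns a listening fd, or -1 on failure. ifname may be NULL (no interface binding). */
int listen_then_drop(const char *ifname, unsigned short port, uid_t uid, gid_t gid)
{
    /* Remaining fields are zeroed, so the address is 0.0.0.0 (INADDR_ANY). */
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* Step 1, while still privileged: interface binding may need CAP_NET_RAW
     * depending on the kernel; ports below 1024 need CAP_NET_BIND_SERVICE by default. */
    if (ifname && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 128) < 0)
        goto fail;
    /* Step 2: drop privileges; supplementary groups first, then gid, then uid. */
    if (uid != geteuid() || gid != getegid()) {
        if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
            goto fail;
        if (uid != 0 && setuid(0) == 0)   /* the drop must be irreversible */
            goto fail;
    }
    return fd;   /* the already-bound socket keeps working without privileges */
fail:
    close(fd);
    return -1;
}

/* Port the socket is bound to, or -1. */
int bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

int main(void)
{
    /* eth1 and port 80 come from the thread; uid/gid 65534 is an assumed unprivileged id. */
    int fd = listen_then_drop("eth1", 80, 65534, 65534);
    printf("fd=%d port=%d euid=%d\n", fd, fd < 0 ? -1 : bound_port(fd), (int)geteuid());
    return fd < 0;
}
```

Started as root on a host that has eth1, this ends up as a non-root process still holding the interface-bound listener on port 80; reversing the two steps makes step 1 fail wherever it needs privileges.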

