Thanks for the suggestions. Adding more details: if I just bind on port
80 (without interface awareness), dropping privileges works exactly as
documented.

More details
HAProxy versions tried: 1.6.11 and 1.7.2
OS: Amazon Linux

*#Works:*
global
    user haproxy
frontend frontend_tcp
    mode tcp
    bind 0.0.0.0:80

*#Does not work*
global
    user haproxy
frontend frontend_tcp_eth1
    mode tcp
    bind 0.0.0.0:80 interface eth1
[ALERT] 084/185646 (13289) : [<>/bin/haproxy.main()] Some configuration options require full privileges, so global.uid cannot be changed

Removing the "user haproxy" part from the above config works (but now HAProxy
is running as root).

>I really don't understand what issue you're facing. Haproxy binds sockets
>*before* dropping privileges. Otherwise that would not work. Many of us
>use interface binding for various reasons (often as simple as increasing
>total traffic), and there's nothing more to do than your config above.

Is the above behavior not reproduced on other installations? Is there any
other debugging information I can provide, or any suspect settings at my end
which could be causing this?

Thanks,
Ankit

On Fri, Mar 24, 2017 at 11:42 PM, Willy Tarreau <[email protected]> wrote:

> Hi Igor,
>
> On Sat, Mar 25, 2017 at 02:16:37PM +1100, Igor Cicimov wrote:
> > On 24 Mar 2017 5:18 pm, "Ankit Malp" <[email protected]> wrote:
> >
> > tldr; Is there a way to bind a frontend to interface and still be able to
> > start HAProxy as root and later lower privileges to a non root user?
> >
> > I asked this question at http://serverfault.com/questions/840039/haproxy-interface-eth-aware-binding-as-non-root-user
> > but did not get replies and thought this community might be a better
> > place. I have a scenario where I need to listen explicitly on network
> > interfaces. This works great if I do not set an explicit lower privileged
> > user (proxy runs as root throughout its life).
> >
> > However, I would prefer to not run the proxy as root.
> >
> > Config snippet
> >
> > global
> >     #Works only without below line but its implication is running as root user
> >     user haproxy
> >
> > frontend frontend_tcp_eth1
> >     mode tcp
> >     bind 0.0.0.0:80 interface eth1
> >
> > Simply do iptables
> >
> > iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> >
> > and have haproxy listen on port 8080
>
> I think you're mixing multiple demands here. The haproxy config above
> is sufficient to make haproxy only receive incoming connections on
> eth1 targeting tcp port 80. Your iptables rule contradicts this as
> you prevent haproxy from getting any connection.
>
> > Reading through the docs, I only see root permissions necessary to bind
> > for outgoing connections but not for listening to an interface. Am I
> > missing something?
>
> I really don't understand what issue you're facing. Haproxy binds sockets
> *before* dropping privileges. Otherwise that would not work. Many of us
> use interface binding for various reasons (often as simple as increasing
> total traffic), and there's nothing more to do than your config above.
>
> Willy
>

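Added note and example, not part of the thread above and not HAProxy's own code. The alert quoted in the message is HAProxy's deliberate start-up check: on Linux the bind `interface` option is implemented with `SO_BINDTODEVICE`, which kernels of that era only permitted with `CAP_NET_RAW`, and HAProxy marks that option as needing full privileges and refuses to combine it with a `user`/`uid` change in `global`. The script below is a pre-flight checker that finds that combination in a config file before `haproxy` is launched, so the conflict shows up in CI or a deploy step rather than as a failed restart. The set of privileged bind keywords it looks for is an assumption of this script (only `interface`, the case in the thread, is listed; extend it if needed), and the two embedded configs are constructed from the "Works" and "Does not work" snippets in the message.

```python
"""Pre-flight check for an HAProxy config: report a privilege drop in the
'global' section (user/uid) combined with bind options HAProxy will only
apply with full privileges.

Example added to this thread, not HAProxy's own code. The sample configs
are constructed from the two snippets in the message above."""

import re
import sys
from typing import List, Tuple

# Assumption of this checker: bind keywords HAProxy refuses to combine with
# a uid change. Only 'interface' (the option in the thread) is listed here.
PRIVILEGED_BIND_OPTIONS = frozenset({"interface"})

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def parse_sections(config_text: str) -> List[Tuple[str, str, List[Tuple[int, str]]]]:
    """Split a config into (section kind, section name, [(lineno, line), ...]).
    Comments ('#' to end of line) and blank lines are dropped, indentation
    is stripped, so 'user haproxy' and '    user haproxy' look the same."""
    sections: List[Tuple[str, str, List[Tuple[int, str]]]] = []
    current = None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
        elif current is not None:
            current[2].append((lineno, line))
    return sections


def check_privilege_conflicts(config_text: str) -> List[str]:
    """Return one description per conflicting bind line; empty list means OK.
    A conflict is: 'user' or 'uid' in global AND a bind line in a frontend or
    listen section carrying one of PRIVILEGED_BIND_OPTIONS."""
    drop = None                # (lineno, line) of the global user/uid directive
    privileged_binds = []      # (kind, name, lineno, keyword, line)
    for kind, name, lines in parse_sections(config_text):
        for lineno, line in lines:
            words = line.split()
            if kind == "global" and words[0] in ("user", "uid"):
                drop = (lineno, line)
            elif kind in ("frontend", "listen") and words[0] == "bind":
                # Options follow the address list; scan every word so the
                # check does not depend on option order.
                for kw in words[1:]:
                    if kw in PRIVILEGED_BIND_OPTIONS:
                        privileged_binds.append((kind, name, lineno, kw, line))
    if drop is None or not privileged_binds:
        return []
    dl, dline = drop
    return [
        f"global line {dl} '{dline}' drops privileges, but {kind} '{name}' "
        f"line {bl} '{bline}' uses bind option '{kw}', which HAProxy only "
        f"applies with full privileges (start-up fails with 'Some configuration "
        f"options require full privileges, so global.uid cannot be changed')"
        for kind, name, bl, kw, bline in privileged_binds
    ]


# Constructed from the "Works" snippet in the message above.
WORKING_CONFIG = """\
global
    user haproxy
frontend frontend_tcp
    mode tcp
    bind 0.0.0.0:80
"""

# Constructed from the "Does not work" snippet in the message above.
FAILING_CONFIG = """\
global
    user haproxy
frontend frontend_tcp_eth1
    mode tcp
    bind 0.0.0.0:80 interface eth1
"""

if __name__ == "__main__":
    # Usage: python haproxy_privcheck.py /etc/haproxy/haproxy.cfg
    # With no argument the constructed failing config is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FAILING_CONFIG
    problems = check_privilege_conflicts(text)
    for p in problems:
        print("CONFLICT:", p)
    print("ok" if not problems else f"{len(problems)} conflict(s)")
    sys.exit(1 if problems else 0)
```

Running it against the failing config prints one CONFLICT line naming the `user haproxy` directive and the `bind 0.0.0.0:80 interface eth1` line; the working config and the failing config with `user haproxy` removed both pass, matching the three outcomes reported in the message.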