I have 2 network interfaces on my instance (eth0 and eth1). I am trying to set up HAProxy to be interface aware and have separate frontends per interface.

The config below works as root (i.e. I do not set the `user haproxy` portion). Wondering if there is a way to bind to interfaces and still run as a non-root user?

https://cbonte.github.io/haproxy-dconv/1.6/management.html#13 suggests that root privileges are required only for outbound interface awareness - is the documentation partial or am I missing some setting?

Config snippet

global
    #Works only without below line but its implication is running as root user
    user haproxy 
frontend frontend_tcp_eth1
    mode tcp
    bind 0.0.0.0:80 interface eth1
dejavu013
  • Also, I did refer to http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#5.1-interface, which mentions `binding to a network interface requires root privileges`, but is this only for the process to start up, or does it have to stay this way throughout the lifetime of the proxy? – dejavu013 Mar 23 '17 at 01:21
  • If you don't specify the `interface` then including `user haproxy` to drop privileges after startup does work as expected... right? (It should.) What happens if you try to drop privs with the config above? Is there an error? (What's the error?) Or does it seem to start up but behave unexpectedly? – Michael - sqlbot Mar 25 '17 at 11:11

1 Answer

You try to bind to port 80

bind 0.0.0.0:80

This is a privileged port

https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html

To bind to this port you will need root privileges as described in the documentation.

https://cbonte.github.io/haproxy-dconv/1.6/management.html#13

  • bind to privileged port numbers
Aleksandar
  • I think you are missing a subtle detail in the question. The issue here is that OP wants to bind to an *interface* -- which apparently requires HAProxy *retain* root privileges and not drop them after startup using the `user` directive -- as opposed to binding to an *address* -- which is the normal use case. When binding to an address, the privileged port is irrelevant because HAProxy can drop root privs after setting up the sockets and this still works correctly. OP is reporting that dropping privs does not appear to work when binding to an *interface*, despite starting as root. – Michael - sqlbot Mar 25 '17 at 03:33
  • Ah okay, so this means the OP found a bug in haproxy? The OP has also started a thread on the haproxy ML: https://www.mail-archive.com/haproxy@formilux.org/msg25443.html – Aleksandar Mar 25 '17 at 10:04
  • Yeah, that thread is how I knew you had posted this answer. :) I saw the question previously, but have never specified an `interface` in a `bind`. I am not sure OP has found a bug -- my interpretation of the question and docs is that there's something intrinsically different about specifying `bind ... interface ...`, something in the OS (this is a Linux-only feature), that requires HAProxy to retain root privileges rather than dropping them in order for this to work. But I don't know. It also might be a "documentation bug." – Michael - sqlbot Mar 25 '17 at 11:04
  • Could be. The OP hasn't told us which OS is in use. – Aleksandar Mar 26 '17 at 16:03
  • I am on Amazon Linux – dejavu013 Mar 26 '17 at 18:34
  • Whatever this is. Willy has already answered your question on the ML, right? BTW: I assume you mean this https://aws.amazon.com/de/amazon-linux-ami/ with Amazon Linux ;-) – Aleksandar Mar 27 '17 at 14:16
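
A diagnostic for the two explanations debated in this thread (privileged port versus interface binding), as an added example that is not part of the original question, answer or comments. HAProxy implements `bind ... interface` with the Linux `SO_BINDTODEVICE` socket option, which some kernels restrict to processes holding `CAP_NET_RAW`; the function names `classify` and `probe` are hypothetical, and `eth1` and port 80 are taken from the question.

```python
import errno
import socket

# Linux value of SO_BINDTODEVICE, used if this Python build lacks the constant.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)


def classify(exc):
    """Map the OSError raised by a socket call (or None) to a short diagnosis."""
    if exc is None:
        return "ok"
    if exc.errno in (errno.EPERM, errno.EACCES):
        return "needs-privilege"
    if exc.errno == errno.ENODEV:
        return "no-such-interface"
    if exc.errno == errno.ENOPROTOOPT:
        return "unsupported"
    return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def probe(ifname, port=0):
    """Try the interface binding and the port binding as two separate steps.

    Run it as the unprivileged account (for example the haproxy user) to see
    which step the kernel refuses for that account.
    """
    result = {"interface": "skipped", "port": "skipped"}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            # Step 1: restrict the socket to one device (what `interface` asks for).
            s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE,
                         ifname.encode() + b"\0")
            result["interface"] = "ok"
        except OSError as exc:
            result["interface"] = classify(exc)
            return result
        try:
            # Step 2: bind the address and port (ports below 1024 are privileged).
            s.bind(("0.0.0.0", port))
            result["port"] = "ok"
        except OSError as exc:
            result["port"] = classify(exc)
    return result


if __name__ == "__main__":
    # Interface and port from the question's frontend_tcp_eth1.
    print(probe("eth1", 80))
```

If `interface` reports `needs-privilege`, the restriction is on the device binding itself; if only `port` does, the account is blocked by the privileged port alone.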