HAProxyLoad Balancer

How to run HAProxy Service as a non-root user in Linux

In this blog, we will tell you how to run HAProxy Service as a non-root user in Linux.

As per Security considerations, HAProxy is designed to run with very limited privileges and if any future vulnerability were to be discovered, its compromise would not affect the rest of the system.

Simple steps to run HAProxy as a non-root user:

  1. Check by which user HAProxy service is running
  1. Take the backup of HAProxy configuration file – If you have more than one backup then take backup w.r.t date-time this will avoid confusion.
  1. Create HAProxy user and group with no-login – (Ignore if already created)
  1. Add user and group in file ” /etc/haproxy/haproxy.cfg “
  1. Check HAProxy.cfg configuration file is valid or not
  1. Restart HAProxy Service
  1. Now, Confirm which user running HAProxy service
  1. You can also verify haproxy logs.

As per best practices, HAProxy should run with very limited privileges. The HAProxy best practices to use it is to isolate it into a chroot jail and to drop its privileges to a non-root user without any permissions inside this jail which will result to any future vulnerability were to be discovered, its compromise would not affect the rest of the system.

It is pointless to build hand-made chroots to start the process there, these ones are painful to build, are never properly maintained and always contain way more bugs than the main file-system.

Unfortunately, many administrators confuse “start as root” and “run as root”, resulting in the uid change to be done prior to starting haproxy, and reducing the effective security restrictions.

HAProxy will need to be started as root in order to : How to run HAProxy Service as a non-root user in Linux

  – adjust the file descriptor limits

– bind to privileged port numbers

– bind to a specific network interface

– transparently listen to a foreign address

– isolate itself inside the chroot jail

– drop to another non-privileged UID

HAProxy may require to be run as root in order to :

  – bind to an interface for outgoing connections

– bind to privileged source ports for outgoing connections

– transparently bind to a foreing address for outgoing connections

Most users will never need the “run as root” case. But the “start as root” covers most usages.

A safe configuration will have:

– a chroot statement pointing to an empty location without any access

permissions. This can be prepared this way on the UNIX command line:

– add user and group statements in the global section :

stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600

 

Read this also:

HAPROXY IMPORTANT PERFORMANCE FACTORS

Related Articles

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close

Adblock Detected

Please consider supporting us by disabling your ad blocker