HAProxy with SNI+HTTPS offloading gives permission denied for socket.
-
Hi,
I'm trying to do the config shown here. However, I keep ending up with a permission error for the socket file. Using the linked document as an example, I end up with:
srwxr-xr-x root:wheel /tmp/haproxy_chroot/Frontend3-offloading.socket
If I don't use the Transparent ClientIP option, HAProxy runs as the www user and I get a permission error for the socket. Here's a minimal config that causes the error I'm seeing. It doesn't do anything besides set up the frontends + backends needed to show my issue.
global
    maxconn 250
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Frontend2-sni
    bind 172.17.1.121:443 name 172.17.1.121:443
    mode tcp
    log global
    timeout client 30000
    default_backend frontend3-offloading_https_ipvANY

frontend Frontend3-offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Frontend3-offloading.pem
    bind /tmp/haproxy_chroot/Frontend3-offloading.socket name unixsocket accept-proxy ssl crt /var/etc/haproxy/Frontend3-offloading.pem
    mode http
    log global
    option http-keep-alive
    timeout client 30000

backend frontend3-offloading_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server frontend3-srv /Frontend3-offloading.socket send-proxy-v2-ssl-cn check inter 5000
If I do use the Transparent ClientIP option, HAProxy runs as the root user and everything works. The config is almost identical to the above:
global
    maxconn 250
    stats socket /tmp/haproxy.socket level admin
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Frontend2-sni
    bind 172.17.1.121:443 name 172.17.1.121:443
    mode tcp
    log global
    timeout client 30000
    default_backend frontend3-offloading_https_ipv4

frontend Frontend3-offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/Frontend3-offloading.pem
    bind /tmp/haproxy_chroot/Frontend3-offloading.socket name unixsocket accept-proxy ssl crt /var/etc/haproxy/Frontend3-offloading.pem
    mode http
    log global
    option http-keep-alive
    timeout client 30000

backend frontend3-offloading_https_ipv4
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    server frontend3-srv /Frontend3-offloading.socket send-proxy-v2-ssl-cn check inter 5000
If I manually chmod the socket file to 777 or chown it to www:wheel everything also seems to work. Is it expected that I should be using the Transparent ClientIP option with that config or should I be able to do it without that option?
I don't quite understand the implications of using the Transparent ClientIP option, so I would prefer to avoid it if possible. Any tips would be appreciated.
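An added example, not from the thread or the pfSense HAProxy package, that reproduces the mechanism behind the symptom above: on Unix, connect() to a filesystem socket requires write permission on the socket file itself, which is why a socket owned by root with mode srwxr-xr-x is unreachable for the www user (uid 80) and why chmod 777, chown www:wheel, or running HAProxy as root all "fix" it. The script creates a listening socket in a temporary directory standing in for /tmp/haproxy_chroot (the file name is reused only as a label), changes the mode, and reports what the kernel says when the same user tries to connect. Removing the owner's write bit (0555) stands in for "someone else owns it with 0755", since no second user is needed; a root caller bypasses the DAC check, so the root case is detected rather than assumed.

```python
import errno
import os
import socket
import tempfile


def is_root():
    """True when running as uid 0; root bypasses the write check, so every mode connects."""
    return os.geteuid() == 0


def probe(mode):
    """Bind a unix stream socket, chmod its file to `mode`, then connect() as the current user.

    Returns "connected" or the errno name the kernel returned (e.g. "EACCES").
    """
    with tempfile.TemporaryDirectory() as chroot_dir:
        # Stand-in for /tmp/haproxy_chroot/Frontend3-offloading.socket (name only).
        path = os.path.join(chroot_dir, "Frontend3-offloading.socket")
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            server.bind(path)       # creates the socket inode, owner = current uid, umask applied
            server.listen(1)
            # HAProxy's bind keywords uid/gid/mode adjust the inode after bind();
            # chmod here emulates the mode part of that.
            os.chmod(path, mode)
            client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                client.connect(path)
                return "connected"
            except OSError as exc:
                # EACCES == "permission denied" from HAProxy's point of view
                return errno.errorcode.get(exc.errno, str(exc.errno))
            finally:
                client.close()
        finally:
            server.close()


def explain(mode):
    """Human-readable one-liner used by the demo below."""
    return f"socket mode {mode:04o}: {probe(mode)}"


if __name__ == "__main__":
    # 0600: owner can write -> connect succeeds.
    # 0555: mirrors root's srwxr-xr-x as seen by a non-owner -> EACCES (unless root).
    for m in (0o600, 0o555):
        print(explain(m))
```

The practical reading: the socket file's owner and mode are the access-control boundary for that internal frontend, so the right fix is to make HAProxy create the socket as the user it will drop privileges to (the bind-line uid/gid/mode keywords), not to open it to everyone with chmod 777.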
-
Looks like a 'bug' in my config generation, or an oversight at least ;)..
If you change the following "uid 80" in haproxy.inc it seems to work properly. I'll add that to the next version as well.
-- fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$frontendname}.socket name unixsocket accept-proxy {$ssl_info} {$advanced_bind}\n"); ++ fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$frontendname}.socket name unixsocket accept-proxy uid 80 {$ssl_info} {$advanced_bind}\n");
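Review bot: the literal `uid 80` on the new bind line duplicates the value that the global section already emits as `uid 80` / `gid 80`, so the two can silently diverge; take it from the same variable haproxy.inc uses for the global uid/gid lines instead of repeating the number. Consider also emitting `gid` and an explicit `mode` (for example `uid 80 gid 80 mode 600`) on this bind: the socket is created by root as srwxr-xr-x before privileges are dropped, and because it carries `accept-proxy`, whoever can connect to it can assert an arbitrary client address via the PROXY header, so the socket's owner and mode are the trust boundary for that frontend. The `chmod 777` workaround mentioned earlier in the thread should therefore not be what users fall back to; generating the ownership and mode on the bind line makes the intended access explicit and keeps working when Transparent ClientIP is enabled and the global `uid` line is omitted.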
-
Yes, that gets the socket file created with the correct ownership and everything seems to be working perfectly for me now.
Thank you for the help PiBa. You're awesome!