HAProxy with SNI+HTTPS offloading gives permission denied for socket.



  • Hi,

    I'm trying to do the config shown here.  However, I keep ending up with a permission error for the socket file.  Using the linked document as an example, I end up with:

    srwxr-xr-x root:wheel /tmp/haproxy_chroot/Frontend3-offloading.socket
    

    If I don't use the Transparent ClientIP option, HAProxy runs as the www user and I get a permission error for the socket.  Here's a minimal config that causes the error I'm seeing.  It doesn't do anything besides set up the frontends + backends needed to show my issue.

    global
    	maxconn			250
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend2-sni
    	bind			172.17.1.121:443 name 172.17.1.121:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	default_backend frontend3-offloading_https_ipvANY
    
    frontend Frontend3-offloading
    	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offloading.pem  
    	bind /tmp/haproxy_chroot/Frontend3-offloading.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offloading.pem 
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    
    backend frontend3-offloading_https_ipvANY
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			frontend3-srv /Frontend3-offloading.socket send-proxy-v2-ssl-cn check inter 5000
    

    If I do use the Transparent ClientIP option, HAProxy runs as the root user and everything works.  The config is almost identical to the above:

    global
    	maxconn			250
    	stats socket /tmp/haproxy.socket level admin
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend2-sni
    	bind			172.17.1.121:443 name 172.17.1.121:443   
    	mode			tcp
    	log			global
    	timeout client		30000
    	default_backend frontend3-offloading_https_ipv4
    
    frontend Frontend3-offloading
    	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offloading.pem  
    	bind /tmp/haproxy_chroot/Frontend3-offloading.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offloading.pem 
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    
    backend frontend3-offloading_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	server			frontend3-srv /Frontend3-offloading.socket send-proxy-v2-ssl-cn check inter 5000
    

    If I manually chmod the socket file to 777 or chown it to www:wheel everything also seems to work.  Is it expected that I should be using the Transparent ClientIP option with that config or should I be able to do it without that option?

    I don't quite understand the implications of using the Transparent ClientIP option, so I would prefer to avoid it if possible.  Any tips would be appreciated.



  • Looks like a 'bug' in my config generation, or an oversight at least  ;)..

    If you change the following to add "uid 80" in haproxy.inc, it seems to work properly. I'll add that to the next version as well.

    --	fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$frontendname}.socket name unixsocket accept-proxy {$ssl_info} {$advanced_bind}\n");
    ++	fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$frontendname}.socket name unixsocket accept-proxy uid 80 {$ssl_info} {$advanced_bind}\n");
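    Review bot: the `uid 80` hard-coded into the new bind line duplicates the `uid 80` the generator already emits in the global section of the first config, and the two can silently drift apart (the Transparent ClientIP config above has no global uid at all), so both should come from the same variable in haproxy.inc. With the bind otherwise unchanged the socket keeps the mode shown in the first post (srwxr-xr-x), so after this change only uid 80 and root can connect, which is the right least-privilege outcome; adding `mode 600` next to `uid 80` would make that intent explicit rather than dependent on the umask.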
    
    
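Added example, not code from the thread or from the pfSense HAProxy package: a small Python model of the check the kernel applies when a process calls connect() on a unix socket, run over the situations discussed above (the srwxr-xr-x root:wheel socket from the first post, chmod 777, chown to www, and the `uid 80` bind fix). Assumptions: www is uid 80 as in the global section, wheel is gid 0, uid 1001 stands in for an unrelated local user, and the 0600 variant uses HAProxy's bind `mode` keyword.

```python
import stat
from typing import Iterable, NamedTuple

ROOT, WWW, WHEEL = 0, 80, 0   # uids from the thread; 'wheel' assumed to be gid 0 (FreeBSD/pfSense)

class SockPerms(NamedTuple):
    mode: int   # permission bits only, e.g. 0o755
    uid: int
    gid: int

def parse_ls_mode(text: str) -> int:
    """Turn an ls(1) mode string such as 'srwxr-xr-x' into permission bits."""
    bits = text[1:]                       # drop the file-type character ('s' = socket)
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls mode string")
    flags = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
             stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return sum(flag for ch, flag in zip(bits, flags) if ch != "-")

def can_connect(sock: SockPerms, uid: int, gids: Iterable[int]) -> bool:
    """connect() on a unix socket needs WRITE permission on the socket inode
    (read/execute bits are irrelevant); root bypasses the check entirely."""
    if uid == 0:
        return True
    if uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if sock.gid in set(gids):
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)

def thread_cases() -> dict:
    """The situations from the thread, seen by www (uid 80) and by an
    unrelated local user (uid 1001, constructed)."""
    as_created = SockPerms(parse_ls_mode("srwxr-xr-x"), ROOT, WHEEL)  # listing in the first post
    chmod_777 = as_created._replace(mode=0o777)                       # OP's first workaround
    owned_by_www = as_created._replace(uid=WWW)                       # chown to www / 'uid 80' on the bind line
    locked = SockPerms(0o600, WWW, WHEEL)                             # 'uid 80 mode 600' on the bind line
    other = (1001, [1001])
    return {
        "default/www": can_connect(as_created, WWW, [WWW]),      # False: the reported permission error
        "default/root": can_connect(as_created, ROOT, [ROOT]),   # True: why running as root "fixed" it
        "777/www": can_connect(chmod_777, WWW, [WWW]),           # True
        "777/other": can_connect(chmod_777, *other),             # True: every local user may connect
        "uid80/www": can_connect(owned_by_www, WWW, [WWW]),      # True
        "uid80/other": can_connect(owned_by_www, *other),        # False
        "600/www": can_connect(locked, WWW, [WWW]),              # True
        "600/other": can_connect(locked, *other),                # False
    }
```

The 777 row is the one to avoid: the offloading bind carries accept-proxy, so any local user able to connect to that socket can supply the client address HAProxy will log and route on.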


  • Yes, that gets the socket file created with the correct ownership and everything seems to be working perfectly for me now.

    Thank you for the help, PiBa.  You're awesome!