HAProxy Transparent ClientIP security question



  • Greetings All,

    I have been working with HAProxy for some time now and think it's a wonderful package.  We have recently encountered a scenario where running HAProxy with SSL offloading in transparent mode is a great solution for us.

    When not running in transparent mode, HAProxy runs as a non-root user.  My concern is that in transparent mode, HAProxy runs as root.  In this case, is it simply a matter of a bad enough exploit in HAProxy (or OpenSSL) and our pfSense box gets owned, or are there any mitigating circumstances that perhaps lessen the magnitude of such an event?

    I did a ps -aux from the pfSense console and noticed just about all processes are running as root.  I know many of these don't process external input, but some do.  So I'm trying to properly put running HAProxy as root into perspective.

    Thank you!