HAProxy Transparent ClientIP security question
-
Greetings All,
I have been working with HAProxy for some time now and think it's a wonderful package. We have recently encountered a scenario where running HAProxy with SSL offloading in transparent mode is a great solution for us.
When not running in transparent mode, HAProxy runs as a non root user. My concern is in transparent mode, HAProxy runs a root. In this case, is it simply a matter of a bad enough exploit in HAProxy (or OpenSSL) and our pfSense box gets owned, or are there any mitigating circumstances that perhaps lessen the magnitude of such an event?
I did a ps -aux from the pfSense console and notice just about all processes are running as root. I know many of these don't process external input, but some do. So I'm trying to properly put running HAProxy as root into perspective.
Thank you!