Cannot bind to socket 4443

I’m trying to add a new port for forwarding to HAProxy but whenever I try to restart the service with the new configuration I get the error

haproxy-systemd-wrapper[32276]: [ALERT] 092/112955 (32277) : Starting frontend my-service: cannot bind socket [<public IP>:4443]

I’m running haproxy through systemctl on CentOS7. Nothing else is using port 4443 (sudo netstat -apn | grep 4443 comes up blank), and I’ve got net.ipv4.ip_forward = 1 and net.ipv4.ip_nonlocal_bind = 1 set in sysctl.conf. I’ve also run sudo setsebool -P haproxy_connect_any=1.

The relevant part of my haproxy.cfg looks like this:

frontend my-service
   bind <public_url>:4443
   default_backend my-backend

I’ve also got other frontends binding to 80, 443 and 8080.

My Global settings and defaults are:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2     #Log configuration

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy             #Haproxy running under user and group "haproxy"
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           30s
    timeout connect         5s
    timeout client          25s
    timeout server          5m
    timeout http-keep-alive 1s
    timeout check           10s
    timeout tunnel          3600s
    timeout tarpit          60s
    backlog                 10000
    maxconn                 3000

I’ve also tried added 4443 to the list of managed HTTP ports in SELinux with

sudo semanage port -a -t http_port_t -p tcp 4443

But am still getting the same error when restarting with the new config

I assume that bind <public_url>:4443 means bind <public_IP>:4443 instead?

Is that IP address configured on the local IP stack or not? In the latter case you may need to use the transparent keyword on the bind line, so that the kernel relaxes the check.

Be that as it may, this is the kernel refusing to let haproxy bind to that port. It’s not something that haproxy causes itself.

SELinux was preventing 4443 from being used as it isn’t a default managed port. Adding the port with

sudo semanage port -a -t http_port_t -p tcp 4443

fixed the issue.

1 Like