I’m attempting to chroot our haproxy setup running as root, but when doing so I only get 503s when hitting our frontend. Nothing is showing up in the logs to indicate what might be wrong. The relevant parts of my config look like:

    global
        tune.ssl.default-dh-param 2048
        tune.ssl.cachesize 50000
        pidfile /var/run/haproxy/haproxy.pid
        chroot /var/haproxy
        log 127.0.0.1 local1

    frontend ft_foo_ssl
        mode http
        bind *:80
        bind *:443 ssl crt /etc/haproxy/my.pem ciphers AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!PSK no-sslv3 no-tls-tickets
        http-request set-log-level silent
        maxconn 100000
        redirect scheme https code 301 if !{ ssl_fc }
        default_backend bk_foo_ssl

    backend bk_foo_ssl
        mode http
        server ft_foo_sock unix@/var/run/haproxy/ft_foo.sock send-proxy-v2

    frontend ft_foo
        mode http
        bind unix@/var/run/haproxy/ft_foo.sock accept-proxy
        maxconn 100000
        use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]

If I remove the chroot, everything works fine.
bwmetcalf
July 25
Hi,
The bind is performed before chrooting and the server uses it after.
To make it work, the bind path must be absolute and point into the chroot,
while the server one must be relative to the chroot.
Also check user/group permissions.
Baptiste
Thank you so much. That was the problem and was immediately clear from the docs.
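Baptiste's answer applied to the socket paths from the original config, as an added example that is not the poster's final configuration. The socket directory `/var/haproxy/run` and the `haproxy` user and group are assumptions.

```haproxy
# Added example. Assumptions: /var/haproxy/run exists on the host and an
# unprivileged "haproxy" user/group exists; neither appears in the thread.

global
    pidfile /var/run/haproxy/haproxy.pid
    chroot /var/haproxy
    log 127.0.0.1 local1
    # Assumed account: privileges are dropped after the sockets are bound
    user haproxy
    group haproxy

# Why the original config returned 503:
#   bind   unix@/var/run/haproxy/ft_foo.sock
#          resolved BEFORE chroot -> socket created at
#          /var/run/haproxy/ft_foo.sock on the host, outside the jail
#   server unix@/var/run/haproxy/ft_foo.sock
#          resolved AFTER chroot  -> looked up at
#          /var/haproxy/var/run/haproxy/ft_foo.sock, which does not exist

backend bk_foo_ssl
    mode http
    # Connect happens after chroot: give the path as seen from inside the jail
    server ft_foo_sock unix@/run/ft_foo.sock send-proxy-v2

frontend ft_foo
    mode http
    # Bind happens before chroot: absolute host path that lands inside the jail.
    # user/group/mode make the socket usable by the unprivileged process.
    bind unix@/var/haproxy/run/ft_foo.sock accept-proxy user haproxy group haproxy mode 660
    maxconn 100000
    use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/foo.map)]
```

The `/var/haproxy/run` directory must also be traversable by the account the process runs as after dropping privileges, otherwise the connect to the socket still fails.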