HAProxy community

Clarification on ownership of .pem files

Since Haproxy starts as root but drops its workers to the haproxy user, I was wondering who needs to own the crt, crl-file and so on? does it need to be the haproxy user or can the subprocesses still get the content if the owner is root?

I’ve been reading the configuration manual entries on these specific arguments but it doesn’t seem to talk about these topics at all.

We are running on RHEL 7, master_worker mode and using user haproxy and group haproxy in the .cfg file.

Thank you for your help!

Seems that haproxy reads the content of those files on startup before dropping privileges.
All PEM files in our config are owned by root/root and chmod to 0600 if pkeys are part of it.

Sounds good to me. I guess the root process is also called when hot reloading certs with the new 2.2 feature.

Thanks !