Clarification on ownership of .pem files

m-a.leclercq · September 7, 2020, 1:38pm

Hi,
Since Haproxy starts as root but drops its workers to the haproxy user, I was wondering who needs to own the crt, crl-file and so on? does it need to be the haproxy user or can the subprocesses still get the content if the owner is root?

I’ve been reading the configuration manual entries on these specific arguments but it doesn’t seem to talk about these topics at all.

We are running on RHEL 7, master_worker mode and using user haproxy and group haproxy in the .cfg file.

Thank you for your help!

offbyone · September 7, 2020, 5:42pm

Seems that haproxy reads the content of those files on startup before dropping privileges.
All PEM files in our config are owned by root/root and chmod to 0600 if pkeys are part of it.

m-a.leclercq · September 8, 2020, 8:35am

Sounds good to me. I guess the root process is also called when hot reloading certs with the new 2.2 feature.

Thanks !

Topic		Replies	Views
How to run HAProxy with non-Root User Help!	3	3179	August 5, 2020
HAProxy re-executing Master process Help!	2	1229	September 13, 2021
Trying to run haproxy as non-root ... not working Help!	4	6182	June 10, 2019
3 linked process for single HAProxy service Help!	2	639	January 16, 2019
HAProxy gets “Permission denied” error on server restart Help!	3	3998	June 22, 2020

Clarification on ownership of .pem files

Related Topics