Hi m sunidhi there is an Starting proxy firstbalance: cannot bind socket [0.0.0.0:80]error showing

sunidhi941 · July 18, 2019, 5:15am

hi my haproxy is cannot bind

following is my message displayed
Starting proxy firstbalance: cannot bind socket [global 0.0.0.0:80]
please see my configration file
this how my configration file looks like

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

ciprian.craciun · July 18, 2019, 6:18am

By running as non root, which is definitively a very GOOD thing and I wouldn’t change that, you can’t by default listen on ports under 1024.

You need to give the service the CAP_NET_BIND_SERVICE capability (assuming you’re using Linux).

How this can be achieved depends on how you start your service. Assuming it’s systemd, you could add the following (although if you are using the default HAProxy package with your distribution, this should already be in there):

AmbientCapabilities = CAP_NET_BIND_SERVICE

I would also check other security systems like SELinux or AppArmor, especially if you run a custom build HAProxy binary, or non-default package.

lukastribus · July 18, 2019, 6:22am

No. Binding to ports happens before the privileges are downgraded. This is only relevant if you are actually starting haproxy as user haproxy, that’s different then starting as root and then downgrading the privileges afterwards, the latter is what this configuration implies.

I assume something else is listening on port 80.

Topic		Replies	Views
Only HTTPS 502,521 error Help!	0	854	July 3, 2018
Help me please , I have failed to start HAproxy Help!	2	577	July 5, 2019
Binding on haproxy 1.8.8 Help!	10	1180	September 3, 2018
Random 502 Bad Gateway errors Help!	11	7282	November 14, 2017
Trying to install SSL Cert for use with HAPROXY. No luck Help!	10	10557	January 7, 2019

Hi m sunidhi there is an Starting proxy firstbalance: cannot bind socket [0.0.0.0:80]error showing

Related topics