HAProxy community

Hi, I'm Sunidhi; there is a "Starting proxy firstbalance: cannot bind socket [0.0.0.0:80]" error showing

Hi, my HAProxy cannot bind.

The following message is displayed:
Starting proxy firstbalance: cannot bind socket [global 0.0.0.0:80]
Please see my configuration file. This is how my configuration file looks:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

By running as non-root, which is definitely a very GOOD thing and I wouldn’t change that, you can’t by default listen on ports under 1024.

You need to give the service the CAP_NET_BIND_SERVICE capability (assuming you’re using Linux).

How this can be achieved depends on how you start your service. Assuming it’s systemd, you could add the following (although if you are using the default HAProxy package with your distribution, this should already be in there):

    AmbientCapabilities = CAP_NET_BIND_SERVICE

I would also check other security systems like SELinux or AppArmor, especially if you run a custom-built HAProxy binary or a non-default package.

No. Binding to ports happens before the privileges are downgraded. This is only relevant if you are actually starting haproxy as user haproxy; that’s different than starting as root and then downgrading the privileges afterwards, and the latter is what this configuration implies.

I assume something else is listening on port 80.
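The two replies name different causes for the same "cannot bind socket" message: a missing privilege for a port under 1024, or another process already listening on port 80. The following diagnostic is an added example, not part of either reply or of HAProxy; it attempts the same bind and reports which cause applies from the errno the kernel returns. The function names `classify_bind_error` and `probe_bind` are made up for this illustration.

```python
import errno
import socket


def classify_bind_error(err_no):
    """Map the errno from a failed bind() to the causes raised in the thread."""
    if err_no == errno.EADDRINUSE:
        return "in-use"        # another process already listens on this address
    if err_no in (errno.EACCES, errno.EPERM):
        return "no-privilege"  # port < 1024 without root or CAP_NET_BIND_SERVICE
    if err_no == errno.EADDRNOTAVAIL:
        return "bad-address"   # the IP is not configured on this host
    return "other"


def probe_bind(host, port):
    """Attempt the bind a listener would make; return (verdict, detail)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR keeps old connections lingering in TIME_WAIT from being
    # reported as a conflict; an active listener still yields EADDRINUSE.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        return ("ok", "bind succeeded")
    except OSError as exc:
        return (classify_bind_error(exc.errno), exc.strerror)
    finally:
        sock.close()


if __name__ == "__main__":
    # Address and port taken from the error message in the question.
    verdict, detail = probe_bind("0.0.0.0", 80)
    print(f"0.0.0.0:80 -> {verdict} ({detail})")
```

Run it as the same user that launches the HAProxy process, with HAProxy stopped, so the result reflects the privileges and port state the service sees at startup.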