QUIC bind fails, TCP is OK

Hello, haproxy users,

I am trying to setup haproxy as a frontend instead of IPVS. I am not sure what is the recommended way of hardening the environment in which haproxy runs - whether to let systemd drop privileges and switch to a non-root user, or let haproxy itself to do the work. Systemd list of hardening features is much larger, so I prefer that. So far it works for me except for the QUIC socket. I am getting the following error:

Jan  9 21:44:22 localhost haproxy[1585673]: Permission error on QUIC socket binding for proxy myservice.fqdn. Consider using setcap cap_net_bind_service (Linux only) or running as root.

The problem is that I get this error only when the first HTTP3 request arrives, and that TCP sockets (HTTP 1 and 2) :80 and :443 work without problem. It seems that haproxy binds the TCP sockets before dropping privileges, but QUIC socket is created only later (I have verified this using strace).

One set of options which works for me is to let systemd switch to a non-root user, and add the CAP_NET_BIND_SERVICE capability to the process (not a file):

[Service]
...
Type=notify
User=haproxy
Group=haproxy
AmbientCapabilities=CAP_NET_BIND_SERVICE

So - why does the QUIC socket get bound so late? And what is the recommended way of dropping privileges of haproxy process?

Thanks,

-Yenya

You can find the suggested systemd unit file in the tarball at admin / systemd / haproxy.service.in.
Haproxy must be startet as root and will drop privileges based on the user/group haproxy configuration.

Dropping privileges in systemd is not supported.