Trying to run haproxy as non-root ... not working

i’m trying to modify my haproxy (HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24) cfg file to run as user haproxy … my config is running fine … but if i uncomment the three directives below in my global settings … the proxy no longer works - any ideas what i’m doing wrong? thanks in advance,

this is my passwd entry for user haproxy …
haproxy:x:126:130::/var/lib/haproxy:/sbin/nologin

global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
log /dev/log local0
log /dev/log local1 notice
log 127.0.0.1 syslog debug
# chroot /var/lib/haproxy
# "level admin" lets anyone who can open this socket manage the running
# proxy (mode 660 limits that to the owner and group of the socket file).
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# Enabling these three directives (chroot, user, group) is what stops the
# proxy from working: once chrooted, any path haproxy opens after startup
# must exist inside the chroot and be usable by the haproxy user.
# user haproxy
# group haproxy

I assume you are seeing an error message, in the logs or otherwise. Please post that message. If you are starting via systemd, check your journalctl logs. If there is no useful information in there, please start haproxy manually.

Also, share the entire configuration.

below is the complete config … when i run it as `haproxy -f haproxy.cfg -d` i get the following output but no error message …

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.
00000000:https.accept(0006)=000b from [192.168.1.1:57243] ALPN=
00000000:https-back.clicls[adfd:000c]
00000000:https-back.closed[adfd:000c]
00000001:https.accept(0006)=000b from [192.168.1.1:57247] ALPN=
00000001:https-back.clicls[adfd:000c]
00000001:https-back.closed[adfd:000c]
00000002:https.accept(0006)=000b from [192.168.1.1:57248] ALPN=
00000002:https-back.clicls[adfd:000c]
00000002:https-back.closed[adfd:000c]

global

maxconn 100

daemon

tune.ssl.default-dh-param 2048

# log /dev/log local0

# log /dev/log local1 notice

# log 127.0.0.1 syslog debug
# All three global log targets are commented out, so the "log global" lines
# in the sections below presumably have nowhere to send anything.

# Listeners are bound before the chroot; anything opened later (e.g. the unix
# socket the https-back server connects to) is resolved relative to /var/empty.
chroot /var/empty

# No "level" is given here (the first snippet used "level admin"), so this
# socket gets HAProxy's default level. uid/gid hatop: presumably the account
# of the hatop tool - confirm that account exists on the host.
stats socket /run/haproxy/admin.sock uid hatop gid hatop mode 660

stats timeout 30s

# Privileges are dropped to this user/group after the listeners are bound.
user haproxy

group haproxy

defaults

mode http

# Uses the global "log" lines; in the global section above they are all
# commented out.
log global

# option tcplog

# option httplog

# option logasap

option http-keep-alive

# Bare numbers are milliseconds: 5 s to connect, 50 s client/server idle.
timeout connect 5000

timeout client 50000

timeout server 50000

# Applies to tunnelled connections instead of the client/server timeouts.
timeout tunnel 1h

# Stats page on the LAN address. It is also reachable from outside through
# frontend https-front -> backend haproxy-backend (SNI foobar-haproxy.ddns.net).
listen stats

bind 192.168.1.235:9000

mode http

log global

maxconn 10

stats enable

stats hide-version

stats refresh 30s

stats show-node

# Authentication is disabled. Combined with the haproxy-backend route, the
# stats page is served to anyone who reaches :443 with the matching SNI.
# stats auth admin:password

stats uri /haproxy?stats

# TCP-mode TLS router: reads the SNI from the ClientHello and hands the raw
# connection to a backend without terminating TLS here.
frontend https

bind *:443

mode tcp

# Wait up to 5 s for enough of the ClientHello to arrive before routing.
tcp-request inspect-delay 5s

# ssl_hello_type 1 = ClientHello; accept as soon as one has been seen.
tcp-request content accept if { req.ssl_hello_type 1 }

use_backend openvpn-backend if { req.ssl_sni -i foobar.ddns.net }

# Everything else, including connections with no SNI, is looped to
# https-front over the unix socket for TLS termination.
default_backend https-back

# TLS termination for the SNI-routed traffic; fed only by backend https-back.
frontend https-front

# Bound before the chroot, so the socket file is created at the real
# /var/run. The https-back server connects to this path after the chroot,
# i.e. relative to /var/empty, where it does not exist - this is the
# breakage discussed in the reply below. accept-proxy trusts the PROXY
# header from whatever can connect to this socket.
bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy

mode http

# Routing on the SNI of the terminated TLS session (ssl_fc_sni), case-insensitive.
use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }

use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }

use_backend genmon-backend if { ssl_fc_sni -i foobar-genmon.ddns.net }

use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }

use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }

use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }

use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }

# Exposes the (unauthenticated) stats listener; see listen stats above.
use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }

# Netdata

use_backend backend-nd-unms if { ssl_fc_sni -i foobar-nd-unms.ddns.net }

use_backend backend-nd-unifi if { ssl_fc_sni -i foobar-nd-unifi.ddns.net }

use_backend backend-nd-openvpn if { ssl_fc_sni -i foobar-nd-openvpn.ddns.net }

use_backend backend-nd-pihole if { ssl_fc_sni -i foobar-nd-pihole.ddns.net }

use_backend backend-nd-genmon if { ssl_fc_sni -i foobar-nd-genmon.ddns.net }

use_backend backend-nd-ha if { ssl_fc_sni -i foobar-nd-ha.ddns.net }

use_backend backend-nd-stage if { ssl_fc_sni -i foobar-nd-stage.ddns.net }

use_backend backend-nd-greenhouse if { ssl_fc_sni -i foobar-nd-greenhouse.ddns.net }

use_backend backend-nd-poolside if { ssl_fc_sni -i foobar-nd-poolside.ddns.net }

use_backend backend-nd-gym if { ssl_fc_sni -i foobar-nd-gym.ddns.net }

use_backend backend-nd-rosegarden if { ssl_fc_sni -i foobar-nd-rosegarden.ddns.net }

use_backend backend-nd-firepit if { ssl_fc_sni -i foobar-nd-firepit.ddns.net }

use_backend backend-nd-fireplace if { ssl_fc_sni -i foobar-nd-fireplace.ddns.net }

# Unmatched or missing SNI ends up on the Blue Iris camera server.
default_backend blueiris-backend

# Plain-HTTP listener used only for ACME HTTP-01 challenges.
frontend http

bind *:80 

# There is no default_backend and no redirect to https, so a request on :80
# that does not match this ACL has no backend to go to.
acl letsencrypt-acl path_beg /.well-known/acme-challenge/

use_backend letsencrypt-backend if letsencrypt-acl

# ACME challenge responder on loopback; mode http comes from defaults, no
# health check is configured.
backend letsencrypt-backend

server letsencrypt 127.0.0.1:8888

# Loops the raw TLS stream back into frontend https-front over the unix
# socket. send-proxy-v2 carries the original client address so https-front
# (accept-proxy) sees it. This connect happens after the chroot, so the path
# is looked up under /var/empty - see the reply below.
backend https-back

mode tcp

server https-front unix@/var/run/haproxy.sock send-proxy-v2

# Openvpn
# Raw TCP pass-through to OpenVPN on this host; the 2h server timeout
# overrides the 50 s default for long-lived VPN sessions. No health check.

backend openvpn-backend

mode tcp

timeout server 2h

server openvpn 192.168.1.235:444

# Netdata backends
# All of these are identical apart from the target host: plain HTTP to
# netdata on :19999 with a health check, plus X-Forwarded-* headers.
# No authentication is added at the proxy; whatever netdata itself enforces
# is all that protects these dashboards once the SNI is reachable.
# add-header appends X-Forwarded-Proto rather than replacing a client-supplied
# one (set-header would overwrite it). Whether dst_port carries a meaningful
# value behind the unix-socket frontend is not clear from this config - confirm.

backend backend-nd-unms

mode http

server netdata 192.168.1.207:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-unifi

mode http

server netdata 192.168.1.16:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-ha

mode http

server netdata 192.168.1.123:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-pihole

mode http

server netdata 192.168.5.2:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-genmon

mode http

server netdata 192.168.1.219:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-openvpn

mode http

server netdata 192.168.1.235:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-gym

mode http

server netdata 192.168.1.158:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-rosegarden

mode http

server netdata 192.168.1.170:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-greenhouse

mode http

server netdata 192.168.1.187:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-poolside

mode http

server netdata 192.168.1.18:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-stage

mode http

server netdata 192.168.1.174:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-fireplace

mode http

server netdata 192.168.1.201:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend backend-nd-firepit

mode http

server netdata 192.168.1.200:19999 check 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Haproxy Stats
# Forwards to the "listen stats" section on :9000 over plain HTTP. Since
# "stats auth" is commented out there, this route publishes the stats page
# without any credential check.

backend haproxy-backend

mode http

server haproxy 192.168.1.235:9000 no-ssl check

# Land on the stats URI when the bare hostname is requested.
http-request redirect location /haproxy?stats if { path / } 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Pi-hole DNS Ad-blocker
# Plain HTTP to the Pi-hole admin UI on a separate subnet (192.168.5.0/24).

backend pihole-backend

mode http

server pi-hole 192.168.5.2:80 check no-ssl

# Legacy rspadd syntax; "http-response add-header X-Frame-Options SAMEORIGIN"
# is the newer equivalent. Only this backend sets the header.
rspadd X-Frame-Options:\ SAMEORIGIN

http-request redirect location /admin/ if { path / }

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Genmon

backend genmon-backend

mode http

# Server is named "unifi" although it points at the genmon host - looks like
# a copy/paste leftover from unifi-backend; it only affects stats/log names.
server unifi 192.168.1.219:8000 no-ssl check

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Unifi 

backend unifi-backend

mode http

# "verify none": the controller's certificate is not checked, so this hop is
# encrypted but not authenticated. Fine for a self-signed LAN controller only
# if the network path to it is trusted.
server unifi 192.168.1.16:8443 ssl verify none check

http-request redirect location /manage/site/kab9w4dv/dashboard if { path / } 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# UNMS

backend unms-backend

mode http

# No port is given, so HAProxy presumably reuses the port the client
# connected on - confirm that is intended behind a unix-socket frontend.
# "verify none" skips certificate verification, as in unifi-backend. No
# health check here, unlike the other backends.
server unms 192.168.1.207 ssl verify none

http-request redirect location /dashboard if { path / } 

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Home Assistant
# Plain HTTP to Home Assistant; X-Forwarded-Proto tells it the client used TLS.

backend home-assistant-backend

mode http

server home-assistant 192.168.1.123:8123 check

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Nextcloud
# Plain HTTP to Nextcloud on the same host as Home Assistant.

backend nextcloud-backend

mode http

server nextcloud 192.168.1.123:80 check

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Blue Iris Security Server
# Also the default_backend of https-front, so any unmatched SNI lands here.

backend blueiris-backend

mode http

server blueiris 192.168.1.36:1050 check

http-request set-header X-Forwarded-Port %[dst_port]

http-request add-header X-Forwarded-Proto https if { ssl_fc }

Two issues:

If you chroot to a directory like /var/empty, you need to put all the files in there that haproxy needs while running. In your case that is /var/run/haproxy.sock.

As the chroot happens after the bind, you need to:
bind to /var/empty/var/run/haproxy.sock

and leave the server line as is (/var/run/haproxy.sock).

Also, there is a permission problem with accessing this socket: the haproxy user won’t have permission to use it, so you need to set the user and group to haproxy in the bind statement as well.

So in the end, you will have to modify the unix socket bind line as:

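# Proposed bind line for frontend https-front. The socket path is prefixed
# with the chroot directory (/var/empty, spelled as in the posted config)
# because the bind happens before the chroot; user/group make the socket
# usable after privileges drop to the haproxy user.
bind unix@/var/empty/var/run/haproxy.sock user haproxy group haproxy ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy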

If you want to avoid this hassle, switch to a port on 127.0.0.1 as opposed to unix domain sockets, which will always need correct paths and permissions.

thanks, i went with this (below) … it seems simpler with respect to file permissions - now working as user haproxy

global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
# The chroot/user/group trio that was commented out in the first post, now
# enabled. The log and stats socket lines are not shown in this excerpt.
chroot /var/empty
user haproxy
group haproxy

# The unix socket is replaced by a loopback TCP port, so no path has to exist
# inside the chroot and no socket ownership is needed. Trade-off: any local
# process that can connect to 127.0.0.1:9001 can present its own PROXY
# header, so client addresses seen by https-front are only as trustworthy as
# the host's other local users (the unix socket could be limited by
# user/group). The crt path here names marotta.ddns.net, not the foobar
# placeholder used elsewhere in the thread - presumably the real hostname.
bind 127.0.0.1:9001 ssl crt /etc/letsencrypt/live/marotta.ddns.net/haproxy.pem accept-proxy
server https-front 127.0.0.1:9001 send-proxy-v2