I'm trying to modify my HAProxy (HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24) config file so the process runs as user haproxy instead of root. The config runs fine as it is, but if I uncomment the three directives below (chroot, user, group) in my global section, the proxy no longer works. Any ideas what I'm doing wrong? Thanks in advance.
This is the passwd entry for user haproxy (home /var/lib/haproxy, nologin shell):
haproxy:x:126:130::/var/lib/haproxy:/sbin/nologin
# Process-wide settings (first attempt). The three commented-out lines below
# (chroot, user, group) are the ones whose uncommenting breaks the proxy: the
# unix-socket paths used elsewhere are no longer valid once the process is
# chrooted (see the reply further down).
global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
# NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set,
# so the TLS version floor is whatever this 1.8 build's OpenSSL allows — confirm
# that is intended.
log /dev/log local0
log /dev/log local1 notice
log 127.0.0.1 syslog debug
# chroot /var/lib/haproxy
# Runtime API socket. 'level admin' permits state changes (disabling servers,
# etc.), so the socket's mode/ownership is the only access control on it.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# user haproxy
# group haproxy
I assume you are seeing an error message, in the logs or otherwise. Please post that message. If you are starting via systemd, check the journalctl logs. If there is no useful information in there, start haproxy manually in the foreground (-d) so that errors are printed to the terminal.
Also, share the entire configuration.
Below is the complete config. When I run it with `haproxy -f haproxy.cfg -d` I get the following output but no error message (each accepted connection on the https frontend is closed right after it enters https-back):
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.
00000000:https.accept(0006)=000b from [192.168.1.1:57243] ALPN=
00000000:https-back.clicls[adfd:000c]
00000000:https-back.closed[adfd:000c]
00000001:https.accept(0006)=000b from [192.168.1.1:57247] ALPN=
00000001:https-back.clicls[adfd:000c]
00000001:https-back.closed[adfd:000c]
00000002:https.accept(0006)=000b from [192.168.1.1:57248] ALPN=
00000002:https-back.clicls[adfd:000c]
00000002:https-back.closed[adfd:000c]
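# Process-wide settings, now chrooted and dropping privileges to haproxy.
global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
# Logging is disabled here. Once chrooted to /var/empty the process cannot
# reach /dev/log (the socket is connected after the chroot), so either have
# the syslog daemon create a socket inside the chroot (e.g. /var/empty/dev/log)
# or log to 127.0.0.1 over UDP rather than running with no logs at all.
# log /dev/log local0
# log /dev/log local1 notice
# log 127.0.0.1 syslog debug
# chroot is applied after listeners are bound but before outgoing connections
# are made, so any unix-socket *server* path is resolved inside /var/empty.
chroot /var/empty
# 'uid'/'gid' take numeric ids; account names belong to 'user'/'group'.
# The original 'uid hatop gid hatop' passed a name where a number is expected.
stats socket /run/haproxy/admin.sock user hatop group hatop mode 660
stats timeout 30s
user haproxy
group haproxy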
# Settings inherited by every proxy section below unless overridden there.
defaults
mode http
# 'log global' points at the global log targets — all of which are commented
# out in this version of the config, so nothing is actually logged.
log global
# option tcplog
# option httplog
# option logasap
option http-keep-alive
# Timeouts without a unit are in milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
# Replaces the client/server timeouts once a connection has been upgraded to a
# tunnel (e.g. websockets), so long-lived tunnels are not cut after 50s.
timeout tunnel 1h
# Built-in statistics page, bound to the host's LAN address.
listen stats
bind 192.168.1.235:9000
mode http
log global
maxconn 10
stats enable
stats hide-version
stats refresh 30s
stats show-node
# NOTE(review): with 'stats auth' commented out this page is unauthenticated,
# and backend haproxy-backend below publishes it on the Internet under the
# foobar-haproxy SNI name — enable auth (or drop that route) before exposing it.
# stats auth admin:password
stats uri /haproxy?stats
# TLS passthrough front door on :443. Routes on the cleartext SNI of the
# ClientHello without terminating TLS, so OpenVPN and HTTPS can share the port.
frontend https
bind *:443
mode tcp
# Buffer up to 5s waiting for a ClientHello (hello type 1); accept as soon as
# one is seen, otherwise processing continues with the default backend.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend openvpn-backend if { req.ssl_sni -i foobar.ddns.net }
# Everything else loops back into https-front for TLS termination.
default_backend https-back
# TLS-terminating HTTP frontend, reached only from https-back over a unix
# socket. 'accept-proxy' makes haproxy trust the PROXY-protocol header (client
# address) from whatever connects here, so this socket must not be reachable by
# untrusted processes.
frontend https-front
bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
mode http
# Name-based routing on the SNI presented for this TLS session.
use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }
use_backend genmon-backend if { ssl_fc_sni -i foobar-genmon.ddns.net }
use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
# Netdata
use_backend backend-nd-unms if { ssl_fc_sni -i foobar-nd-unms.ddns.net }
use_backend backend-nd-unifi if { ssl_fc_sni -i foobar-nd-unifi.ddns.net }
use_backend backend-nd-openvpn if { ssl_fc_sni -i foobar-nd-openvpn.ddns.net }
use_backend backend-nd-pihole if { ssl_fc_sni -i foobar-nd-pihole.ddns.net }
use_backend backend-nd-genmon if { ssl_fc_sni -i foobar-nd-genmon.ddns.net }
use_backend backend-nd-ha if { ssl_fc_sni -i foobar-nd-ha.ddns.net }
use_backend backend-nd-stage if { ssl_fc_sni -i foobar-nd-stage.ddns.net }
use_backend backend-nd-greenhouse if { ssl_fc_sni -i foobar-nd-greenhouse.ddns.net }
use_backend backend-nd-poolside if { ssl_fc_sni -i foobar-nd-poolside.ddns.net }
use_backend backend-nd-gym if { ssl_fc_sni -i foobar-nd-gym.ddns.net }
use_backend backend-nd-rosegarden if { ssl_fc_sni -i foobar-nd-rosegarden.ddns.net }
use_backend backend-nd-firepit if { ssl_fc_sni -i foobar-nd-firepit.ddns.net }
use_backend backend-nd-fireplace if { ssl_fc_sni -i foobar-nd-fireplace.ddns.net }
# NOTE(review): any name not listed above — including connections that send no
# SNI, e.g. scanners hitting the bare IP — lands on the Blue Iris camera server.
# A dedicated deny/static catch-all backend would be safer here.
default_backend blueiris-backend
# Plain HTTP on :80, used only to answer ACME http-01 challenges.
frontend http
bind *:80
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl
# No default_backend, so every other request is answered with an error (503).
# 'http-request redirect scheme https unless letsencrypt-acl' would be the usual
# way to send browsers to :443 instead.
# Local ACME client listening on 8888 (presumably certbot in standalone mode —
# confirm); inherits 'mode http' from defaults.
backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888
# Hands non-OpenVPN TLS traffic to https-front over a unix socket, carrying the
# real client address in a PROXY v2 header. This connect() happens after the
# global chroot, so the path is resolved inside /var/empty — which is why the
# proxy stopped working once chroot/user/group were enabled.
backend https-back
mode tcp
server https-front unix@/var/run/haproxy.sock send-proxy-v2
# Openvpn
# OpenVPN over TCP/443 (selected by SNI), forwarded untouched to the local
# daemon on :444.
backend openvpn-backend
mode tcp
# Long-lived tunnel: override the 50s default so idle VPN sessions are not cut.
timeout server 2h
server openvpn 192.168.1.235:444
# Netdata backends
# Netdata agent on the UNMS host, plain HTTP with health checks.
# NOTE(review): nothing here adds authentication in front of the dashboard;
# confirm the agent enforces its own before publishing it.
backend backend-nd-unms
mode http
server netdata 192.168.1.207:19999 check
# Tell the agent which port/scheme the client used (TLS ends at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# NOTE(review): add-header appends, so a client-supplied X-Forwarded-Proto is
# forwarded alongside this one; set-header would replace it instead.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent on the UniFi host, plain HTTP with health checks.
backend backend-nd-unifi
mode http
server netdata 192.168.1.16:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent on the Home Assistant / Nextcloud host.
backend backend-nd-ha
mode http
server netdata 192.168.1.123:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent on the Pi-hole host (separate 192.168.5.0 network).
backend backend-nd-pihole
mode http
server netdata 192.168.5.2:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent on the Genmon host.
backend backend-nd-genmon
mode http
server netdata 192.168.1.219:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent on the OpenVPN/HAProxy host itself.
backend backend-nd-openvpn
mode http
server netdata 192.168.1.235:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: gym node.
backend backend-nd-gym
mode http
server netdata 192.168.1.158:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: rose garden node.
backend backend-nd-rosegarden
mode http
server netdata 192.168.1.170:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: greenhouse node.
backend backend-nd-greenhouse
mode http
server netdata 192.168.1.187:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: poolside node.
backend backend-nd-poolside
mode http
server netdata 192.168.1.18:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: stage node.
backend backend-nd-stage
mode http
server netdata 192.168.1.174:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: fireplace node.
backend backend-nd-fireplace
mode http
server netdata 192.168.1.201:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Netdata agent: firepit node.
backend backend-nd-firepit
mode http
server netdata 192.168.1.200:19999 check
# Original client port/scheme for the agent (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends rather than replaces: a client-sent X-Forwarded-Proto
# header is passed through as well.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Haproxy Stats
# Publishes the 'listen stats' page (192.168.1.235:9000) under the
# foobar-haproxy SNI name.
# NOTE(review): that listener has 'stats auth' commented out, so this route
# makes the unauthenticated stats page reachable from the Internet.
backend haproxy-backend
mode http
server haproxy 192.168.1.235:9000 no-ssl check
# Land visitors directly on the stats URI.
http-request redirect location /haproxy?stats if { path / }
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Pi-hole DNS Ad-blocker
# Pi-hole admin UI on the DNS host.
backend pihole-backend
mode http
server pi-hole 192.168.5.2:80 check no-ssl
# Clickjacking guard on responses. 'rspadd' works on 1.8 but is deprecated and
# later removed; 'http-response set-header X-Frame-Options SAMEORIGIN' is the
# replacement.
rspadd X-Frame-Options:\ SAMEORIGIN
# Land visitors on the admin UI directly.
http-request redirect location /admin/ if { path / }
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Genmon
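# Genmon (generator monitor) web UI.
backend genmon-backend
mode http
# The server was named 'unifi' — a copy/paste leftover from unifi-backend. The
# name only shows up in stats and logs, so renaming changes nothing on the wire.
server genmon 192.168.1.219:8000 no-ssl check
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }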
# Unifi
# UniFi controller (HTTPS on 8443).
backend unifi-backend
mode http
# NOTE(review): 'verify none' skips certificate validation on the hop to the
# controller; if the LAN is not fully trusted, pin it with 'ca-file' (and
# 'verifyhost') instead.
server unifi 192.168.1.16:8443 ssl verify none check
# Land visitors on the site dashboard directly.
http-request redirect location /manage/site/kab9w4dv/dashboard if { path / }
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# UNMS
# UNMS (Ubiquiti network management) over HTTPS.
backend unms-backend
mode http
# No port is given, so haproxy reuses the port the client connected to (443,
# carried in the PROXY header). Unlike the other backends there is no 'check',
# and 'verify none' skips certificate validation on this hop.
server unms 192.168.1.207 ssl verify none
# Land visitors on the dashboard directly.
http-request redirect location /dashboard if { path / }
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Home Assistant
# Home Assistant, plain HTTP on 8123 with health checks.
backend home-assistant-backend
mode http
server home-assistant 192.168.1.123:8123 check
# Original client port/scheme (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Nextcloud
# Nextcloud on the same host as Home Assistant, plain HTTP on :80.
backend nextcloud-backend
mode http
server nextcloud 192.168.1.123:80 check
# Original client port/scheme (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
# Blue Iris Security Server
# Blue Iris camera server. Also the default_backend of https-front, so it
# receives every HTTPS request whose SNI matches no explicit rule.
backend blueiris-backend
mode http
server blueiris 192.168.1.36:1050 check
# Original client port/scheme (TLS is terminated at https-front).
http-request set-header X-Forwarded-Port %[dst_port]
# add-header appends; a client-sent X-Forwarded-Proto is passed through too.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
2 issues:
If you chroot to a directory like /var/empty, every file haproxy needs while running has to exist inside that directory. In your case that is /var/run/haproxy.sock: the `server https-front unix@/var/run/haproxy.sock` line connects after the chroot, so it looks for /var/empty/var/run/haproxy.sock, which does not exist. That is most likely why the -d trace shows each https-back connection closed immediately while the config parser reports no error.
Because the chroot happens after the listeners are bound but before outgoing connections are made, you need to bind to /var/empty/var/run/haproxy.sock (the path as seen from outside the chroot) and leave the server line as is (/var/run/haproxy.sock, the path as seen from inside the chroot).
There is also a permission problem: the socket is created by root before privileges are dropped, so the haproxy user will not be allowed to connect to it unless you set the owner to haproxy in the bind statement as well.
So in the end, the unix socket bind line becomes:
bind unix@/var/empty/var/run/haproxy.sock user haproxy group haproxy ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
If you want to avoid this hassle, switch to a port on 127.0.0.1 instead of a unix domain socket, which will always need correct paths and permissions. One caveat either way: `accept-proxy` makes haproxy trust the PROXY-protocol header (and thus the claimed client address) from anything that can connect to that bind, so keep it on 127.0.0.1 (or on a socket with a restrictive `mode`) and never on a routable address.
Thanks, I went with this (below) — it seems simpler with respect to file permissions, and haproxy is now running as user haproxy:
# Final working global section: chrooted to an empty directory and running as
# the unprivileged haproxy user. No 'log' directive is shown here; inside the
# chroot /dev/log is unreachable, so a syslog socket inside /var/empty or a UDP
# log target is needed to keep any logging at all.
global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
chroot /var/empty
user haproxy
group haproxy
…
bind 127.0.0.1:9001 ssl crt /etc/letsencrypt/live/marotta.ddns.net/haproxy.pem accept-proxy
server https-front 127.0.0.1:9001 send-proxy-v2