tl;dr: Is there a way to bind a frontend to an interface and still be able to start HAProxy as root and later lower privileges to a non-root user?
I asked this question at http://serverfault.com/questions/840039/haproxy-interface-eth-aware-binding-as-non-root-user but did not get replies and thought this community might be a better place.

I have a scenario where I need to listen explicitly on network interfaces. This works great if I do not set an explicit lower-privileged user (the proxy runs as root throughout its life). However, I would prefer not to run the proxy as root.

Config snippet:

    global
        # Works only without the line below, but its implication is running as root user
        user haproxy

    frontend frontend_tcp_eth1
        mode tcp
        bind 0.0.0.0:80 interface eth1

Reading through the docs, I only see root permissions necessary to bind for outgoing connections but not for listening to an interface. Am I missing something?

https://cbonte.github.io/haproxy-dconv/1.6/management.html#13

"HAProxy will need to be started as root in order to :
  - adjust the file descriptor limits
  - bind to privileged port numbers
  - bind to a specific network interface
  - transparently listen to a foreign address
  - isolate itself inside the chroot jail
  - drop to another non-privileged UID

HAProxy may require to be run as root in order to :
  - bind to an interface for outgoing connections
  - bind to privileged source ports for outgoing connections
  - transparently bind to a foreign address for outgoing connections

Most users will never need the "run as root" case. But the "start as root" covers most usages."

Thanks,
Ankit