13. Security considerations

HAProxy is designed to run with very limited privileges. The standard way to
use it is to isolate it into a chroot jail and to drop its privileges to a
non-root user without any permissions inside this jail, so that if any future
vulnerability were to be discovered, its compromise would not affect the rest
of the system.

In order to perform a chroot, it first needs to be started as a root user. It is
pointless to build hand-made chroots to start the process there: they are
painful to build, are never properly maintained and always contain way more
bugs than the main file-system. And in case of compromise, the intruder can use
the purposely built file-system. Unfortunately many administrators confuse
"start as root" and "run as root", resulting in the uid change being done prior
to starting haproxy, and reducing the effective security restrictions.

HAProxy will need to be started as root in order to:
- adjust the file descriptor limits
- bind to privileged port numbers
- bind to a specific network interface
- transparently listen to a foreign address
- isolate itself inside the chroot jail
- drop to another non-privileged UID

HAProxy may need to be run as root in order to:
- bind to an interface for outgoing connections
- bind to privileged source ports for outgoing connections
- transparently bind to a foreign address for outgoing connections

Most users will never need the "run as root" case, but the "start as root" case
covers most usages.

A safe configuration will have:

- a chroot statement pointing to an empty location without any access
  permissions. This can be prepared this way on the UNIX command line:

    # mkdir /var/empty && chmod 0 /var/empty || echo "Failed"

  and referenced like this in the HAProxy configuration's global section:

    chroot /var/empty

- both a uid/user and a gid/group statement in the global section:

    user haproxy
    group haproxy

- a stats socket whose mode, uid and gid are set to match the user and/or
  group allowed to access the CLI, so that nobody else may access it:

    stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600
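As an added example that is not part of the HAProxy guide, the following Python audit parses the global section of a haproxy.cfg and reports which of the three recommendations above (chroot, user/group, restricted stats socket) are missing. The two sample configurations are constructed, and an unset stats socket mode is treated as open since the result would depend on the umask.

```python
import re
# Keywords that open a configuration section; only statements under 'global' are audited.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|peers|resolvers|userlist)\b")
REQUIRED = [({"chroot"}, "no chroot: process is not isolated in a jail"),
            ({"user", "uid"}, "no user/uid: process keeps root after start"),
            ({"group", "gid"}, "no group/gid: process keeps the root group")]

def global_entries(cfg_text):
    """Return [keyword, arg, ...] token lists for every statement in the global section."""
    in_global, entries = False, []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding blanks
        m = SECTION_RE.match(line)
        if m:
            in_global = m.group(1) == "global"
        elif in_global and line:
            entries.append(line.split())
    return entries

def _opt(args, names):                               # value after the first option in `names`
    for i, tok in enumerate(args[:-1]):
        if tok in names:
            return args[i + 1]
    return None

def audit_global(cfg_text):
    """Return findings; an empty list means the global section follows the recommendations."""
    entries = global_entries(cfg_text)
    present = {e[0] for e in entries}
    findings = [msg for keys, msg in REQUIRED if not keys & present]
    for kw, *args in entries:
        if kw != "stats" or args[:1] != ["socket"] or len(args) < 2:
            continue
        path, opts = args[1], args[2:]
        if not path.startswith(("/", "unix@")):      # only UNIX sockets carry file modes
            continue
        mode_s = _opt(opts, {"mode"})
        mode = int(mode_s or "777", 8)               # unset mode depends on umask: treat as open
        if mode & 0o007:
            findings.append(f"{path}: mode {mode_s or 'unset'} lets any local user reach the CLI")
        if mode & 0o070 and _opt(opts, {"gid", "group"}) is None:
            findings.append(f"{path}: mode {mode_s} grants group access but sets no gid")
        if _opt(opts, {"uid", "user"}) is None:
            findings.append(f"{path}: no uid/user, owner is not the CLI user")
    return findings

# Constructed sample configurations (not taken from the guide).
WEAK_CFG = "global\n    stats socket /var/run/haproxy.stat mode 666  # CLI open to all\ndefaults\n    mode http\n"
SAFE_CFG = ("global\n    chroot /var/empty\n    user haproxy\n    group haproxy\n"
            "    stats socket /var/run/haproxy.stat uid hatop gid hatop mode 600\n")
```

Running audit_global(WEAK_CFG) reports all six problems (three missing global statements and three on the socket), while audit_global(SAFE_CFG) returns an empty list.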

HAProxy 2.0.14 – Management Guide