mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-10-24 06:00:59 +02:00
This option blocks system calls that haproxy does not need for its operation, and is therefore a good defense-in-depth measure.
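# systemd unit for HAProxy. @SBINDIR@ looks like a build-time placeholder for
# the directory holding the haproxy binary (confirm against the build system).
# NOTE(review): no User=/Group= is set in this unit, so systemd starts the
# process as root; any privilege drop is presumably left to haproxy's own
# configuration - confirm before relying on it.

[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
# CONFIG and PIDFILE are expanded by systemd in the Exec* lines below. The bare
# $VAR form is split on whitespace into separate arguments, so keep both paths
# free of spaces.
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
# Check the configuration (-c) quietly (-q) before starting; a failed check
# aborts the start instead of launching with a broken configuration.
ExecStartPre=@SBINDIR@/haproxy -f $CONFIG -c -q
# -Ws runs haproxy in master-worker mode with systemd notification, which is
# what Type=notify below waits for.
ExecStart=@SBINDIR@/haproxy -Ws -f $CONFIG -p $PIDFILE
# Reload in two steps: re-check the configuration, then send USR2 to the main
# process. If the check fails, the signal is not sent and the running instance
# keeps its current configuration.
ExecReload=@SBINDIR@/haproxy -f $CONFIG -c -q
ExecReload=/bin/kill -USR2 $MAINPID
# mixed: SIGTERM goes to the main process only; processes still left in the
# unit's control group afterwards receive SIGKILL.
KillMode=mixed
Restart=always
Type=notify

# The following lines leverage SystemD's sandboxing options to provide
# defense in depth protection at the expense of restricting some flexibility
# in your setup (e.g. placement of your configuration files) or possibly
# reduced performance. See systemd.service(5) and systemd.exec(5) for further
# information.
#
# Every directive below is commented out, so none of this sandboxing applies
# unless it is enabled explicitly. Prefer enabling it from a drop-in
# ('systemctl edit <unit>') rather than editing the shipped unit, and review
# the effective exposure with 'systemd-analyze security <unit>'.

# Prevents the service and its children from gaining privileges through
# execve() (setuid/setgid bits, file capabilities).
# NoNewPrivileges=true
# Makes /home, /root and /run/user inaccessible to the service.
# ProtectHome=true
# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
# any state files and any other files written using 'ReadWritePaths' or
# 'RuntimeDirectory'.
# With 'true', only /usr and the boot loader directories are mounted
# read-only; /etc and /run remain writable.
# ProtectSystem=true
# Makes kernel tunables under /proc/sys, /sys and similar read-only.
# ProtectKernelTunables=true
# Denies explicit loading and unloading of kernel modules.
# ProtectKernelModules=true
# Makes the control group hierarchy under /sys/fs/cgroup read-only.
# ProtectControlGroups=true
# If your SystemD version supports them, you can add: @reboot, @swap, @sync
# The leading '~' turns the list into a deny-list: the named system call
# groups are blocked and everything else stays allowed. A process making a
# blocked call is terminated unless SystemCallErrorNumber= is set, so test the
# filter against your actual configuration before enabling it in production.
# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io

[Install]
WantedBy=multi-user.target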