mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-06 23:27:04 +02:00
bd84387beb
For a while there has been the constraint of having to run as root for
transparent proxying, and we're starting to see some cases where QUIC is
not running in socket-per-connection mode due to the missing capability
that would be needed to bind a privileged port. It's not realistic to
ask all QUIC users on port 443 to run as root, so instead let's provide
a basic support for capabilities at least on linux. The ones currently
supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The
mechanism was made OS-specific with a dedicated file because it really
is. It can be easily refined later for other OSes if needed.
A new keyword "setcaps" is added to the global section, to enumerate the
capabilities that must be kept when switching from root to non-root. This
is ignored in other situations though. HAProxy has to be built with
USE_LINUX_CAP=1 for this to be supported, which is enabled by default
for linux-glibc, linux-glibc-legacy and linux-musl.
A good way to test this is to start haproxy with such a config:
global
uid 1000
setcap cap_net_bind_service
frontend test
mode http
timeout client 3s
bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt
and run it under "sudo strace -e trace=bind,setuid", then connecting
there from an H3 client. The bind() syscall must succeed despite the
user id having been switched.
|
||
|---|---|---|
| .. | ||
| design-thoughts | ||
| internals | ||
| lua-api | ||
| 51Degrees-device-detection.txt | ||
| acl.fig | ||
| architecture.txt | ||
| coding-style.txt | ||
| configuration.txt | ||
| cookie-options.txt | ||
| DeviceAtlas-device-detection.txt | ||
| gpl.txt | ||
| haproxy.1 | ||
| intro.txt | ||
| lgpl.txt | ||
| linux-syn-cookies.txt | ||
| lua.txt | ||
| management.txt | ||
| netscaler-client-ip-insertion-protocol.txt | ||
| network-namespaces.txt | ||
| peers-v2.0.txt | ||
| peers.txt | ||
| proxy-protocol.txt | ||
| queuing.fig | ||
| regression-testing.txt | ||
| seamless_reload.txt | ||
| SOCKS4.protocol.txt | ||
| SPOE.txt | ||
| WURFL-device-detection.txt | ||