haproxy/doc
Willy Tarreau bd84387beb MEDIUM: capabilities: enable support for Linux capabilities
For a while there has been the constraint of having to run as root for
transparent proxying, and we're starting to see some cases where QUIC is
not running in socket-per-connection mode due to the missing capability
that would be needed to bind a privileged port. It's not realistic to
ask all QUIC users on port 443 to run as root, so instead let's provide
basic support for capabilities at least on Linux. The ones currently
supported are cap_net_raw, cap_net_admin and cap_net_bind_service. The
mechanism was made OS-specific with a dedicated file because it really
is. It can be easily refined later for other OSes if needed.

A new keyword "setcaps" is added to the global section, to enumerate the
capabilities that must be kept when switching from root to non-root. This
is ignored in other situations though. HAProxy has to be built with
USE_LINUX_CAP=1 for this to be supported, which is enabled by default
for linux-glibc, linux-glibc-legacy and linux-musl.

A good way to test this is to start haproxy with such a config:

    global
        uid 1000
        setcap cap_net_bind_service

    frontend test
        mode http
        timeout client 3s
        bind quic4@:443 ssl crt rsa+dh2048.pem allow-0rtt

and run it under "sudo strace -e trace=bind,setuid", then connect to it
from an H3 client. The bind() syscall must succeed despite the user id
having been switched.
2023-08-29 11:11:50 +02:00
design-thoughts CLEANUP: doc: remove 21 totally obsolete docs 2023-05-31 15:17:28 +02:00
internals CLEANUP: doc: remove 21 totally obsolete docs 2023-05-31 15:17:28 +02:00
lua-api DOC: lua: fix core.register_action typo 2023-08-25 11:52:43 +02:00
51Degrees-device-detection.txt BUILD: makefile: refactor support for 51DEGREES v3/v4 2022-12-23 16:53:35 +01:00
acl.fig
architecture.txt
coding-style.txt
configuration.txt MEDIUM: capabilities: enable support for Linux capabilities 2023-08-29 11:11:50 +02:00
cookie-options.txt
DeviceAtlas-device-detection.txt
gpl.txt
haproxy.1
intro.txt [RELEASE] Released version 2.9-dev0 2023-05-31 16:29:19 +02:00
lgpl.txt
linux-syn-cookies.txt
lua.txt [RELEASE] Released version 2.8-dev8 2023-04-23 10:21:37 +02:00
management.txt [RELEASE] Released version 2.9-dev0 2023-05-31 16:29:19 +02:00
netscaler-client-ip-insertion-protocol.txt
network-namespaces.txt
peers-v2.0.txt CLEANUP: assorted typo fixes in the code and comments 2022-12-07 09:08:18 +01:00
peers.txt CLEANUP: assorted typo fixes in the code and comments 2022-12-07 09:08:18 +01:00
proxy-protocol.txt DOC: proxy-protocol: fix wrong byte in provided example 2023-02-12 09:26:48 +01:00
queuing.fig
regression-testing.txt
seamless_reload.txt
SOCKS4.protocol.txt
SPOE.txt CLEANUP: assorted typo fixes in the code and comments 2023-04-01 18:33:40 +02:00
WURFL-device-detection.txt