Topic: HAProxy Transparent ClientIP security question

lido14
HAProxy Transparent ClientIP security question
« on: January 26, 2018, 02:34:57 pm »
Greetings All,

I have been working with HAProxy for some time now and think it's a wonderful package.  We have recently encountered a scenario where running HAProxy with SSL offloading in transparent mode is a great solution for us.

When not running in transparent mode, HAProxy runs as a non-root user.  My concern is that in transparent mode, HAProxy runs as root.  In this case, is it simply a matter of a bad enough exploit in HAProxy (or OpenSSL) and our pfSense box gets owned, or are there any mitigating circumstances that perhaps lessen the magnitude of such an event?

I did a ps -aux from the pfSense console and noticed just about all processes are running as root.  I know many of these don't process external input, but some do.  So I'm trying to properly put running HAProxy as root into perspective.

Thank you!
« Last Edit: January 26, 2018, 02:42:48 pm by lido14 »