Best way to add setting to sysctl.conf

Hi,

Currently I’m fiddling around with HAProxy, which doesn’t start because the service cannot bind to the desired port, 80 or 443.

I’ve read a lot of information on various websites, and a possible solution is to add

net.ipv4.ip_nonlocal_bind=1

to /etc/sysctl.conf. I did not try this so far, though.

I guess that this line won’t survive the next update of IPFire, so is there a user file that takes all these additional settings?

Michael

I am very sure that you won’t need this setting. You are probably trying to bind to an incorrect IP address.

I do not believe I’m using the wrong ports, since everybody who uses HAProxy shows the same config file, e.g.

frontend http
bind *:80
#bind *:443

I’ve added this setting to IPFire running in my testing environment, and after a necessary restart HAProxy successfully starts. Hence my question above for a safe way to add this option to my production firewall as well.

A netstat does not reveal any used ports, btw.

I’m starting HAProxy from command line using

haproxy -f /etc/haproxy/haproxy.cfg

Anyway, I consider running HAProxy on a RaspberryPi in orange network now, for security reasons…

Michael

Why do you not add the IP addresses you actually want to bind to? I am very sure you do not want to bind to all of them.

That’s correct, but I’ve already tried everything so far, e.g. the IP address of the red interface: 172.17.0.2 (IPFire is behind a Fritzbox 6591 as exposed host), and the public IP address of my provider, which of course does not work because of the exposed host setup.

Each of them caused the issue that 0.0.0.0:80 could not be bound by Haproxy.

So I’m curious, which IP address(es) will possibly apply? One of the other interfaces, orange, green, blue? Should I use 172.0.0.1?

An idea btw. it would be helpful to provide an appropriate example setup in the wiki on how to use Haproxy as a reverse proxy. This would probably avoid issues like the one I’m facing right now. But that’s a different story.

Michael

Are you sure you don’t have anything else listening on that port already?

Quite sure to my knowledge.

I’ve used several commands to find used port 80, e.g.

ss -tulw
netstat
lsof

None of them revealed any port 80. Hence I’m still confident the above option for sysctl.conf will do the job, as already reported for my testing VM.

The sysctl option won’t help you at all. You can then bind to an IP address that the system does not have, but that is not going to help you to pass any packets through haproxy.

HAProxy will actually tell you why it cannot bind to what you want. So, what does it say?
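The point of the last reply is that the bind error itself names the cause, and the three causes call for different fixes. The following is an added example, not code from the thread or from HAProxy or IPFire: it attempts the same TCP bind() that HAProxy performs for a `bind` line and maps the resulting errno to a diagnosis. EADDRNOTAVAIL ("Cannot assign requested address") means the host has no interface carrying that IP; this is the only case net.ipv4.ip_nonlocal_bind=1 papers over, and a socket bound that way never receives traffic unless the address is actually routed to the box. EADDRINUSE means another process already holds the port, and EACCES means a port below 1024 was requested without root or CAP_NET_BIND_SERVICE. The address 192.0.2.1 is from the TEST-NET-1 range and is used here as an assumed example of an address no real host owns.

```python
import errno
import socket

# Added example (not from the thread): classify why a TCP bind() fails,
# which is the same errno HAProxy reports when it refuses to start.


def diagnose_bind(address, port, family=socket.AF_INET):
    """Try to bind a TCP socket to (address, port) and report the outcome.

    Returns one of:
      "ok"        - bind succeeded; the socket is closed again at once
      "not_local" - EADDRNOTAVAIL: no local interface has this address.
                    This is the case net.ipv4.ip_nonlocal_bind=1 hides.
      "in_use"    - EADDRINUSE: something already listens on that socket
      "no_priv"   - EACCES: port < 1024 without root / CAP_NET_BIND_SERVICE
      "other:<ERRNO_NAME>" for anything else
    """
    s = socket.socket(family, socket.SOCK_STREAM)
    try:
        s.bind((address, port))
        return "ok"
    except OSError as e:
        if e.errno == errno.EADDRNOTAVAIL:
            return "not_local"
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        if e.errno == errno.EACCES:
            return "no_priv"
        return "other:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def nonlocal_bind_enabled():
    """Read net.ipv4.ip_nonlocal_bind from /proc (Linux only); None elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_nonlocal_bind") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def demo():
    """Run the three diagnoses against constructed conditions on this host.

    A throwaway listener on 127.0.0.1 provides the 'port already taken' case;
    192.0.2.1 (TEST-NET-1, assumed not configured here) provides the
    'address not local' case that the sysctl knob would otherwise mask.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    busy_port = holder.getsockname()[1]
    try:
        return {
            "loopback": diagnose_bind("127.0.0.1", 0),
            "busy_port": diagnose_bind("127.0.0.1", busy_port),
            "not_local": diagnose_bind("192.0.2.1", 0),
            # "no_priv" unless running as root or with CAP_NET_BIND_SERVICE
            "privileged": diagnose_bind("127.0.0.1", 80),
        }
    finally:
        holder.close()


if __name__ == "__main__":
    print("ip_nonlocal_bind enabled:", nonlocal_bind_enabled())
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Run it once with the sysctl at its default and once after `sysctl -w net.ipv4.ip_nonlocal_bind=1`: the "not_local" case flips from "not_local" to "ok", while "in_use" and "no_priv" do not change, which is why the knob cannot fix a port conflict or a permissions problem, and why binding an address the firewall does not own gives a listener that never sees a packet.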