🏎 Built-from-source container image of the HAProxy load balancer
haproxy (container image)

Built-from-source container image of the HAProxy load balancer

Available at ricardbejarano/haproxy.

Tags

1.9.8-glibc, 1.9.8, glibc, latest (glibc/Dockerfile)

1.9.8-musl, musl (musl/Dockerfile)

Features

  • Super tiny (glibc-based is ~11.6MB and musl-based is ~18.6MB)
  • Built from source, including libraries
  • Built FROM scratch, see the Filesystem section below for an exhaustive list of the image's contents
  • Reduced attack surface (no bash, no UNIX tools, no package manager...)
  • Built with exploit mitigations enabled (see Security)

Building

To build the glibc-based image:

docker build -t haproxy:glibc -f glibc/Dockerfile .

To build the musl-based image:

docker build -t haproxy:musl -f musl/Dockerfile .

Security

This image attempts to build a secure HAProxy container image.

It does so in the following ways:

  • downloading and verifying the source code of HAProxy and every library it is built with,
  • packaging the image with only those files required at runtime (see Filesystem),
  • enforcing a series of exploit mitigations (PIE, full RELRO, full SSP, NX and Fortify).

Verifying the presence of exploit mitigations

To check whether a binary in a container image has those mitigations enabled, use tests/checksec.sh.

Usage

usage: checksec.sh docker_image executable_path

Container-based wrapper for checksec.sh.
Requires a running Docker daemon.

Example:

  $ checksec.sh ricardbejarano/haproxy:glibc /haproxy

  Extracts the '/haproxy' binary from the 'ricardbejarano/haproxy:glibc' image,
  downloads checksec (github.com/slimm609/checksec.sh) and runs it on the
  binary.
  Everything runs inside containers.

Example:

Testing the /haproxy binary in ricardbejarano/haproxy:glibc:

$ bash tests/checksec.sh ricardbejarano/haproxy:glibc /haproxy
Downloading ricardbejarano/haproxy:glibc...Done!
Extracting ricardbejarano/haproxy:glibc:/haproxy...Done!
Downloading checksec.sh...Done!
Running checksec.sh:
RELRO        STACK CANARY   NX           PIE           RPATH      RUNPATH      Symbols         FORTIFY   Fortified   Fortifiable   FILE
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   8807 Symbols    Yes       0           38            /tmp/.checksec-PdU8rBVu
Cleaning up...Done!

This wrapper script works with any binary in a container image. Feel free to use it with any other image.

Other examples:

  • bash tests/checksec.sh debian /bin/bash
  • bash tests/checksec.sh alpine /bin/sh
  • bash tests/checksec.sh haproxy /usr/local/sbin/haproxy
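The checksec table above is derived from a few ELF header fields. As an added example (not code from this repository or from checksec.sh), the script below reads those fields directly for PIE, NX and RELRO, so its output can be cross-checked against the wrapper's table. It assumes a little-endian ELF64 file such as a `/haproxy` binary copied out of the image; stack canary and FORTIFY need symbol-table parsing and are left out. `build_sample_elf` is a constructed fixture, not a real binary.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def _has_bind_now(data, off, size):
    """Walk PT_DYNAMIC entries: BIND_NOW is what turns partial RELRO into full RELRO."""
    for pos in range(off, off + size, 16):
        tag, val = struct.unpack_from("<qQ", data, pos)
        if tag == DT_NULL:
            return False
        if tag == DT_BIND_NOW or val & {DT_FLAGS: DF_BIND_NOW, DT_FLAGS_1: DF_1_NOW}.get(tag, 0):
            return True
    return False

def check_mitigations(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': 'Full' | 'Partial' | 'No'} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    # e_type @16, e_phoff @32, e_phentsize/e_phnum @54 in the 64-byte ELF header
    e_type, e_phoff, e_phentsize, e_phnum = struct.unpack_from("<H14xQ14xHH", data, 16)
    nx, relro_seg, bind_now = False, False, False  # missing PT_GNU_STACK counts as NX disabled
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # stack segment mapped without execute permission
        elif p_type == PT_GNU_RELRO:
            relro_seg = True
        elif p_type == PT_DYNAMIC:
            bind_now = _has_bind_now(data, p_off, p_filesz)
    relro = "Full" if relro_seg and bind_now else "Partial" if relro_seg else "No"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}  # ET_DYN also matches shared libs

def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True) -> bytes:
    """Constructed fixture (not a runnable program): header, 3 program headers, 2 dynamic entries."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 3 * 56
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    def ph(p_type, flags, off=0, size=0):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, 0, 0, size, size, 8)
    return (ehdr + ph(PT_GNU_STACK, 6 | (0 if nx else PF_X)) + ph(PT_GNU_RELRO if relro else 1, 4)
            + ph(PT_DYNAMIC, 6, dyn_off, len(dyn)) + dyn)

if __name__ == "__main__":
    import sys  # argument: a binary copied out of an image (e.g. with `docker cp`); default: fixture
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(check_mitigations(blob))
```

On the fixture the script reports PIE, NX and Full RELRO, matching the three corresponding columns of the checksec table above.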

Volumes

  • Bind your configuration file at /etc/haproxy/haproxy.cfg.

Filesystem

The images' contents are:

glibc

Based on the glibc implementation of libc. Dynamically linked.

/
├── etc/
│   ├── group
│   ├── haproxy/
│   │   └── haproxy.cfg
│   └── passwd
├── haproxy
├── lib/
│   └── x86_64-linux-gnu/
│       ├── libc.so.6
│       ├── libcrypt.so.1
│       ├── libcrypto.so.1.1
│       ├── libdl.so.2
│       ├── libm.so.6
│       ├── libnss_dns.so.2
│       ├── libnss_files.so.2
│       ├── libpcre.so.1
│       ├── libpcreposix.so.0
│       ├── libpthread.so.0
│       ├── libresolv.so.2
│       ├── librt.so.1
│       ├── libssl.so.1.1
│       └── libz.so.1
└── lib64/
    └── ld-linux-x86-64.so.2

musl

Based on the musl implementation of libc. Statically linked (with the exception of ld-musl-x86_64.so.1).

/
├── etc/
│   ├── group
│   ├── haproxy/
│   │   └── haproxy.cfg
│   └── passwd
├── haproxy
└── lib/
    └── ld-musl-x86_64.so.1

License

See LICENSE.
