MAJOR: haproxy: add wrapper around haproxy on start

this will allow LD_PRELOAD to work on HAProxy

Author: dkorunic

.aspell.yml

@@ -56,3 +56,4 @@ allowed:
   - svc
   - frontent
   - pprof
+  - preload

.gitignore

@@ -9,3 +9,4 @@ bin/check-commit
 .local/*
 __debug_bin*
 pkg/protection/libblock_secrets.so
+pkg/protection/haproxy_wrapper

build/Dockerfile

@@ -17,7 +17,9 @@ RUN apk add --no-cache build-base gcc musl-dev
 WORKDIR /src
 
 COPY pkg/protection/block_secrets.c .
+COPY pkg/protection/haproxy_wrapper.c .
 RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
+RUN gcc -O3 -Wall -g -s -o haproxy_wrapper haproxy_wrapper.c
 
 FROM golang:1.24-alpine AS builder
 RUN apk --no-cache add git openssh
@@ -46,12 +48,15 @@ ENV S6_USER=haproxy
 ENV S6_GROUP=haproxy
 
 COPY /fs /
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+COPY --from=builder-c /src/haproxy_wrapper /usr/local/sbin/haproxy_wrapper
 
 RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi /etc/haproxy/dataplaneapi.yml && \
     rm -f /usr/local/bin/dataplaneapi-v2 /usr/bin/dataplaneapi-v2 && \
-    chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
-    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    chgrp -R haproxy /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy_wrapper && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
@@ -74,6 +79,4 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 
-COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
-
 ENTRYPOINT ["/start.sh"]

build/Dockerfile.dev

@@ -15,7 +15,9 @@ FROM haproxytech/haproxy-alpine:3.2 AS builder-c
 RUN apk add --no-cache build-base gcc musl-dev
 WORKDIR /src
 COPY pkg/protection/block_secrets.c .
+COPY pkg/protection/haproxy_wrapper.c .
 RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
+RUN gcc -O3 -Wall -g -s -o haproxy_wrapper haproxy_wrapper.c
 
 FROM haproxytech/haproxy-alpine:3.2
 ARG TARGETPLATFORM
@@ -26,11 +28,14 @@ ENV S6_USER=haproxy
 ENV S6_GROUP=haproxy
 
 COPY /fs /
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+COPY --from=builder-c /src/haproxy_wrapper /usr/local/sbin/haproxy_wrapper
 
 RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi /etc/haproxy/dataplaneapi.yml && \
-    chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
-    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    chgrp -R haproxy /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy_wrapper && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
@@ -53,6 +58,4 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 
 COPY kubernetes-ingress  ./haproxy-ingress-controller
 
-COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
-
 ENTRYPOINT ["/start.sh"]

build/Dockerfile.pebble

@@ -16,7 +16,9 @@ RUN apk add --no-cache build-base gcc musl-dev
 WORKDIR /src
 
 COPY pkg/protection/block_secrets.c .
+COPY pkg/protection/haproxy_wrapper.c .
 RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
+RUN gcc -O3 -Wall -g -s -o haproxy_wrapper haproxy_wrapper.c
 
 FROM golang:1.24-alpine AS builder
 
@@ -42,11 +44,14 @@ FROM haproxytech/haproxy-alpine:3.2
 ARG TARGETPLATFORM
 
 COPY /fs /
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+COPY --from=builder-c /src/haproxy_wrapper /usr/local/sbin/haproxy_wrapper
 
 RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi && \
-    chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
-    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    chgrp -R haproxy /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var /usr/local/sbin/haproxy_wrapper && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy_wrapper && \
     chown -R haproxy:haproxy /var/lib/pebble/default && \
     chmod ugo+rwx /var/lib/pebble/default/* && \
     rm -rf /etc/services.d/haproxy && \
@@ -57,6 +62,4 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
 COPY --from=builder /go/bin/pebble /usr/local/bin
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 
-COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
-
 ENTRYPOINT ["/start-pebble.sh"]

fs/etc/s6-overlay/s6-rc.d/haproxy/run

@@ -25,4 +25,4 @@ echo "Memory limit for HAProxy: ${MEMLIMIT}MiB"
 export LD_PRELOAD=/usr/local/lib/libblock_secrets.so
 
 # if master socket is changed, that needs to be aligned in pkg/haproxy/process/interface.go
-exec /usr/local/sbin/haproxy -W -db -m "${MEMLIMIT}" -S /var/run/haproxy-master.sock,level,admin -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/haproxy-aux.cfg
+exec /usr/local/sbin/haproxy_wrapper -W -db -m "${MEMLIMIT}" -S /var/run/haproxy-master.sock,level,admin -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/haproxy-aux.cfg

pkg/protection/haproxy_wrapper.c

@@ -0,0 +1,49 @@
+/* Copyright 2025 HAProxy Technologies LLC                                    */
+/*                                                                            */
+/* Licensed under the Apache License, Version 2.0 (the "License");            */
+/* you may not use this file except in compliance with the License.           */
+/* You may obtain a copy of the License at                                    */
+/*                                                                            */
+/*    http://www.apache.org/licenses/LICENSE-2.0                              */
+/*                                                                            */
+/* Unless required by applicable law or agreed to in writing, software        */
+/* distributed under the License is distributed on an "AS IS" BASIS,          */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
+/* See the License for the specific language governing permissions and        */
+/* limitations under the License.                                             */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define LIB_PATH "LD_PRELOAD=/usr/local/lib/libblock_secrets.so"
+#define TARGET_PATH "/usr/local/sbin/haproxy"
+
+int main(int argc, char *argv[], char *envp[]) {
+    char **newargv = malloc((argc + 1) * sizeof(char *));
+    if (!newargv) {
+        perror("malloc");
+        return 1;
+    }
+    newargv[0] = (char *)TARGET_PATH;
+    for (int i = 1; i < argc; i++) {
+        newargv[i] = argv[i];
+    }
+    newargv[argc] = NULL;
+
+    int envc = 0;
+    while (environ[envc]) envc++;
+
+    char **new_envp = malloc((envc + 2) * sizeof(char *));
+    for (int i = 0; i < envc; i++) {
+        new_envp[i] = environ[i];
+    }
+    new_envp[envc] = LIB_PATH;
+    new_envp[envc + 1] = NULL;
+
+    execve(TARGET_PATH, newargv, new_envp);
+
+    perror("execve");
+    return 1;
+}