Greetings Community!
I’ve been unable to determine why the following option “source 0.0.0.0 usesrc clientip” won’t allow the haproxy.service to start.
Error messages:
× haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2025-06-30 08:45:56 CDT; 6s ago
Duration: 3d 20h 57min 59.560s
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 118518 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
Main PID: 118518 (code=exited, status=1/FAILURE)
CPU: 75ms
Jun 30 08:45:56 km-lb01 systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Start request repeated too quickly.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 30 08:45:56 km-lb01 systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.
And:
Jun 30 08:45:56 km-lb01 systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.
name@server:~$ journalctl -xeu haproxy.service
░░ An ExecStart= process belonging to unit haproxy.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ The unit haproxy.service has entered the 'failed' state with result 'exit-code'.
Jun 30 08:45:56 km-lb01 systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.
░░ Subject: A start job for unit haproxy.service has failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ A start job for unit haproxy.service has finished with a failure.
░░
░░ The job identifier is 264029 and the job result is failed.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ Automatic restarting of the unit haproxy.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Start request repeated too quickly.
Jun 30 08:45:56 km-lb01 systemd[1]: haproxy.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ The unit haproxy.service has entered the 'failed' state with result 'exit-code'.
Jun 30 08:45:56 servername01 systemd[1]: Failed to start haproxy.service - HAProxy Load Balancer.
░░ Subject: A start job for unit haproxy.service has failed
░░ Defined-By: systemd
░░ Support: Enterprise open source support | Ubuntu
░░
░░ A start job for unit haproxy.service has finished with a failure.
░░
░░ The job identifier is 264134 and the job result is failed.
Config:
cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# SSL options
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option tcplog
option dontlognull
timeout http-request 5000
timeout connect 5000
timeout client 900000
timeout server 900000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#Frontend Servers
frontend sitename01-443
mode tcp
bind 10.91.0.91:443 name 10.91.0.91:443 transparent
default_backend sitename01-443
#Backend Servers
backend sitename01-443
mode tcp
balance leastconn
stick on src
stick-table type ip size 1048576 expire 900000
server 10.91.0.12-admin 10.91.0.12:443 check
server 10.91.0.22-admin 10.91.0.22:443 check
source 0.0.0.0 usesrc clientip
Persist Transparent Settings for Ubuntu
These steps persist the iptables and routing rules that transparent proxying depends on, so they survive a reboot. Ensure you follow the steps here: Transparent Proxying & Binding with HAProxy & ALOHA Load Balancer
Run the following:
sudo apt update
sudo apt install ifupdown
sudo iptables -t mangle -N DIVERT
sudo iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
sudo iptables -t mangle -A DIVERT -j MARK --set-mark 1
sudo iptables -t mangle -A DIVERT -j ACCEPT
sudo ip rule add fwmark 1 lookup 100
sudo ip route add local 0.0.0.0/0 dev lo table 100
sudo mkdir /etc/network/if-post-down.d
sudo bash -c 'cat <<EOF >>/etc/network/if-pre-up.d/iptablesload
#!/bin/sh
/usr/sbin/iptables-restore < /etc/iptables.rules
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
exit 0
EOF'
sudo chmod +x /etc/network/if-pre-up.d/iptablesload
sudo bash -c 'cat <<EOF >>/etc/network/if-post-down.d/iptablessave
#!/bin/sh
/usr/sbin/iptables-save > /etc/iptables.rules
exit 0
EOF'
sudo chmod +x /etc/network/if-post-down.d/iptablessave
Always make sure you reboot after making these changes
After reboot, run the following:
ip route list table 100
Should return:
local default dev lo scope host
ip rule list table 100
Should return:
32764: from all fwmark 0x1 lookup 100
32765: from all fwmark 0x1 lookup 100
sudo iptables -t mangle -L
Should return:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DIVERT tcp -- anywhere anywhere socket
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain DIVERT (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x1
ACCEPT all -- anywhere anywhere
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.ip_nonlocal_bind=1
Reboot after the above commands are added to /etc/sysctl.conf
IP Route:
default via 10.91.0.1 dev ens192 proto static
10.91.0.0/24 dev ens192 proto kernel scope link src 10.91.0.101
HAProxy version 2.8.5-1
Ubuntu version 24.04.2 LTS
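As an added troubleshooting aid for the setup described in this post (example code written here, not from the post, the HAProxy project or the linked guide): a POSIX shell preflight script that checks the prerequisites that "source 0.0.0.0 usesrc clientip" depends on. The two conditions it looks for that most often explain a usesrc line being rejected or not working are a build without TPROXY support (haproxy -vv reports it on the "Built with transparent proxy support using:" line) and a process that has dropped CAP_NET_ADMIN through "user"/"uid", which the kernel requires to set IP_TRANSPARENT on the outgoing socket; HAProxy 2.9 added the global "setcap" keyword to keep that capability, so on 2.8 the config check can only warn. The script also validates the config with "haproxy -c -f", which prints the parser's actual message (the systemd excerpt above only shows exit status 1), and checks the fwmark rule, table 100 route, DIVERT chain and sysctl values from the steps above. The config path, fwmark 1, table 100 and the chain name are taken from the post's own commands; the script name tproxy_preflight.sh and the sample outputs used for testing are assumptions.

```shell
#!/bin/sh
# tproxy_preflight.sh: checks the prerequisites for HAProxy transparent
# proxying ("bind ... transparent" + "source 0.0.0.0 usesrc clientip").
# Added example, not part of the original post. Assumed values: the config
# path, fwmark 1, routing table 100 and the DIVERT chain name, all taken
# from the commands in the post. Usage: sh tproxy_preflight.sh
CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# "haproxy -vv" output ($1): TPROXY support is reported on the line
# "Built with transparent proxy support using: IP_TRANSPARENT ...".
has_tproxy_support() {
    printf '%s\n' "$1" | grep -q 'Built with transparent proxy support using:.*IP_TRANSPARENT'
}

# "ip rule list" output ($1): a rule must send fwmark 0x1 to table 100.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x1 lookup 100'
}

# "ip route list table 100" output ($1): the table must contain the
# "local default dev lo" route that delivers any destination locally.
has_local_default_route() {
    printf '%s\n' "$1" | grep -q '^local default dev lo'
}

# "iptables -t mangle -L" output ($1): the DIVERT chain must exist and
# mark packets with 0x1 so the ip rule above routes them to table 100.
has_divert_chain() {
    printf '%s\n' "$1" | grep -q '^Chain DIVERT' &&
    printf '%s\n' "$1" | grep -q 'MARK set 0x1'
}

# haproxy.cfg text ($1): "usesrc" needs CAP_NET_ADMIN when the outgoing
# socket is opened. "user"/"uid" drops it unless a "setcap" line (global
# keyword added in HAProxy 2.9) keeps it. Returns 0 when that gap exists.
config_drops_net_admin() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*source .*usesrc' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(user|uid) ' &&
    ! printf '%s\n' "$1" | grep -q '^[[:space:]]*setcap '
}

# Live checks; every tool is optional so the script degrades to SKIP lines.
run_checks() {
    rc=0
    if command -v haproxy >/dev/null 2>&1; then
        has_tproxy_support "$(haproxy -vv 2>/dev/null)" \
            && echo "OK   haproxy built with TPROXY support" \
            || { echo "FAIL haproxy lacks TPROXY support (usesrc unavailable)"; rc=1; }
        if haproxy -c -f "$CFG" >/dev/null 2>&1; then
            echo "OK   $CFG parses"
        else
            echo "FAIL $CFG rejected; see: haproxy -c -f $CFG"; rc=1
        fi
        config_drops_net_admin "$(cat "$CFG")" \
            && echo "WARN usesrc with user/uid and no setcap: CAP_NET_ADMIN is dropped"
    else
        echo "SKIP haproxy not installed here"
    fi
    if command -v ip >/dev/null 2>&1; then
        has_fwmark_rule "$(ip rule list 2>/dev/null)" \
            || { echo "FAIL no 'fwmark 0x1 lookup 100' rule"; rc=1; }
        has_local_default_route "$(ip route list table 100 2>/dev/null)" \
            || { echo "FAIL table 100 lacks 'local default dev lo'"; rc=1; }
    fi
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        has_divert_chain "$(iptables -t mangle -L 2>/dev/null)" \
            || { echo "FAIL mangle DIVERT chain missing or not marking 0x1"; rc=1; }
    fi
    for key in ip_forward ip_nonlocal_bind; do
        f=/proc/sys/net/ipv4/$key
        [ -r "$f" ] && [ "$(cat "$f")" = 1 ] \
            || { echo "FAIL net.ipv4.$key is not 1"; rc=1; }
    done
    return $rc
}

# Run the live checks only when executed directly, not when sourced for
# its parsing functions (e.g. to run them over captured output).
case "${0##*/}" in tproxy_preflight.sh) run_checks ;; esac
```

Run it as root on the load balancer after the reboot the steps above call for; a non-zero exit means at least one FAIL line was printed. The parsing functions take the command output as an argument rather than running the tool themselves, so they can also be pointed at output pasted from another host.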