TCP Routing based on source IP and port

npn · March 29, 2023, 11:53am

Hi all,

I am quite new to using HA Proxy and I have the following problem when forwarding TCP connections using HA Proxy v. 2.4.7:

I have two clients in the frontend, each communicating via ports 4001-4032. The HA proxy should forward the requests of the clients. Client 1 should be connected to server 1 and client 2 to server 2, whereby port 4001 in the frontend is connected to port 4001 in the backend and so on. The clients are deployed as docker containers with AWS Fargate and the HA Proxy is deployed in a AWS EC2 Instance (don’t know if this information really matters). The composition looks like this:

Here are my questions:
Is this configuration possible? If not, what changes need to be made?

I have tried several approaches, none of which have worked so far. For example, I tried to configure the configuration file as follows. For simplicity, I wanted to connect only one port and client first:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
pidfile /var/run/haproxy.pid

maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats

defaults
timeout connect 5m
timeout client 60m
timeout server 60m
default-server init-addr last,libc,none

log global
mode tcp
option tcplog
maxconn 3000

frontend fe-client-1
bind 10.221.105.161:4001
use_backend be-server-1

backend be-server-1
server server1 10.162.201.100

When using this, I get the following error:

(6811) : Starting frontend fe-client-1: cannot bind socket (Cannot assign requested address) [10.221.105.161:4001]

This approach on the other hand works:

frontend fe-client-1
bind *:4001
use_backend be-server-1

backend be-server-1
server server1 10.162.201.100

The problem here is that HA Proxy is now listening to both clients at once.

If you should need more information, please let me know. Thank you very much for your help!

stormrover · April 1, 2023, 6:03pm

This happens because you’re asking HAProxy to bind to (or take control of) someone else’s address. Bind is not supposed to match someone else’s IP. This is to pick the IP of the machine/instance/VM that HAProxy will listen on. Using bind *:xxxx instructs HAProxy to listen on 0.0.0.0, which is usually what is desired.

What you want is for HAProxy to listen for both on the same connection then determine where to send that based on the source IP address, so something like this:

frontend incoming_requests
    bind *:4001-4032
    acl client1 src 10.221.105.161
    acl client2 src 10.221.78.124
    use_backend be-server-1 if client1
    use_backend be-server-2 if client2

backend be-server-1
    server server1 10.162.201.100

backend be-server-2
    server server2 10.xx.xx.xx

npn · April 6, 2023, 8:54am

Your suggested solution works - Thank you very much!

Topic		Replies	Views
HA Proxy Configure with multiple ports Help!	1	15719	April 11, 2017
Single TCP port forward with haproxy Help!	8	24936	November 7, 2018
Multiple port on the same server behind the same backend Help!	0	1001	July 5, 2021
X-Forwarded-For in TCP Mode Help!	2	6765	September 8, 2018
Proxy Protocol won't work with TCP Load balancing Help!	4	527	July 12, 2022

TCP Routing based on source IP and port

Related topics