TCP Routing based on source IP and port

Hi all,

I am quite new to using HA Proxy and I have the following problem when forwarding TCP connections using HA Proxy v. 2.4.7:

I have two clients in the frontend, each communicating via ports 4001-4032. The HA proxy should forward the requests of the clients. Client 1 should be connected to server 1 and client 2 to server 2, whereby port 4001 in the frontend is connected to port 4001 in the backend and so on. The clients are deployed as docker containers with AWS Fargate and the HA Proxy is deployed in a AWS EC2 Instance (don’t know if this information really matters). The composition looks like this:


Here are my questions:
Is this configuration possible? If not, what changes need to be made?

I have tried several approaches, none of which have worked so far. For example, I tried to configure the configuration file as follows. For simplicity, I wanted to connect only one port and client first:

log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
pidfile /var/run/

maxconn 4000
user haproxy
group haproxy
stats socket /var/lib/haproxy/stats

timeout connect 5m
timeout client 60m
timeout server 60m
default-server init-addr last,libc,none

log global
mode tcp
option tcplog
maxconn 3000

frontend fe-client-1
use_backend be-server-1

backend be-server-1
server server1

When using this, I get the following error:

(6811) : Starting frontend fe-client-1: cannot bind socket (Cannot assign requested address) []

This approach on the other hand works:

frontend fe-client-1
bind *:4001
use_backend be-server-1

backend be-server-1
server server1

The problem here is that HA Proxy is now listening to both clients at once.

If you should need more information, please let me know. Thank you very much for your help!

This happens because you’re asking HAProxy to bind to (or take control of) someone else’s address. Bind is not supposed to match someone else’s IP. This is to pick the IP of the machine/instance/VM that HAProxy will listen on. Using bind *:xxxx instructs HAProxy to listen on, which is usually what is desired.

What you want is for HAProxy to listen for both on the same connection then determine where to send that based on the source IP address, so something like this:

frontend incoming_requests
    bind *:4001-4032
    acl client1 src
    acl client2 src
    use_backend be-server-1 if client1
    use_backend be-server-2 if client2

backend be-server-1
    server server1

backend be-server-2
    server server2 10.xx.xx.xx
1 Like

Your suggested solution works - Thank you very much!

1 Like