TCP Connection Proxying with HAProxy: A Beginner’s Guide

Introduction

If you are a beginner system administrator or developer, you’ve probably faced the task of managing network traffic. One of the most powerful tools for this is HAProxy, a high-performance load balancer for TCP and HTTP.

In this article, we will cover:

• what TCP proxying is,
• why to use HAProxy,
• a sample configuration for beginners,
• security and monitoring tips.

What is TCP Proxying?

TCP Proxying is the forwarding of TCP connections from a client to a server (or group of servers) through an intermediary. Unlike an HTTP proxy that operates at the application layer, TCP proxying happens at the transport layer, making it universal for any TCP protocol: from databases to mail services.

Why Use HAProxy?

HAProxy is a lightweight and flexible tool that allows you to:

• 🔄 distribute load between multiple servers;
• ✅ check server availability;
• 📊 provide convenient statistics and monitoring;
• 🔒 handle SSL traffic (termination or passthrough).

HAProxy Configuration Example for TCP Proxying

Below is a configuration that listens for connections on port 4444 and forwards them to a test server.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend tcp-frontend
    bind *:4444
    mode tcp
    default_backend tcp-backend

backend tcp-backend
    mode tcp
    balance roundrobin
    option tcp-check
    server server1 192.168.1.100:443 weight 1

Configuration Breakdown

• global — defines base parameters (logging, chroot, user, daemon mode).
• defaults — default options, including timeouts. By default mode http, but in frontend and backend we override it to tcp.
• frontend tcp-frontend — listens on port 4444 and forwards requests to backend.
• backend tcp-backend — balances connections, checks their availability (tcp-check), defines server list.

Step-by-Step HAProxy Setup

1. Install HAProxy:

   # Ubuntu/Debian
   sudo apt update && sudo apt install haproxy
   
   # CentOS/RHEL
   sudo yum install haproxy
   

2. Save the configuration in /etc/haproxy/haproxy.cfg.

3. Check syntax:

   haproxy -c -f /etc/haproxy/haproxy.cfg
   

4. Restart the service:

   sudo systemctl restart haproxy
   sudo systemctl enable haproxy
   

5. Test the connection:

   telnet <haproxy-ip> 4444
   

Monitoring: Statistics Page

To track server and connection status, add the following section:

frontend stats
    bind *:3308
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Haproxy\ Statistics
    stats auth admin:securepassword123
    stats admin if TRUE

Open in your browser:

http://<haproxy-ip>:3308/haproxy?stats

Tips for Beginners

• 🔐 Security — use strong passwords and restrict statistics access by IP.

• 🩺 Server health — tcp-check is basic, but you can extend it with checks for specific protocols.

• ⚡ Scaling — add more servers:

  server server2 192.168.1.101:443 weight 1
  server server3 192.168.1.102:443 weight 1
  

• 📝 Logging — check /var/log/haproxy.log (configure rsyslog if needed).

Example Use Cases

• Database load balancing (MySQL, PostgreSQL).
• Mail service proxying (SMTP, IMAP).
• SSL passthrough proxying.
• Single entry point for microservices.

Conclusion

HAProxy makes TCP proxying simple even for beginners. All you need is to configure frontend and backend, add health checks and monitoring — and you have a reliable proxy.

With experience, you can move on to advanced scenarios: SSL termination, ACLs, custom health checks.

Good luck with your setup and load balancing! 🚀