HAProxy Unified Gateway

Troubleshooting

Several techniques exist for diagnosing problems with the HAProxy Unified Gateway. They include viewing logs, viewing pod details, viewing the load balancer configuration, and gaining shell access into the pod to check files.

View the generated load balancer configuration

To view the load balancer configuration that HAProxy Unified Gateway generated based on the Routes you defined and the application pods associated with your services, issue the following command:

nix
kubectl exec -n haproxy-unified-gateway \
$(kubectl get pods -A \
| awk '/haproxy-unified-gateway/ && !/default/ && /Running/' \
| awk 'NR==1{print $2}') -- \
cat /usr/local/hug/haproxy.cfg

The entire generated load balancer config displays:

output
text
# _md5hash=cc3476ce00b5b60f2d030a0cf7ebdf52
# _version=4
# ._ _ _ ____
# | | | | / \ | _ \ _ __ _____ ___ _
# | |_| | / _ \ | |_) | '__/ _ \ \/ / | | |
# | _ |/ ___ \| __/| | | (_) > <| |_| |
# |_| |_/_/ \_\_| |_| \___/_/\_\\__, |
# . |___/
# ╦ ╦╦ ╦╔═╗
# ╠═╣║ ║║ ╦
# ╩ ╩╚═╝╚═╝
# HAProxy Technologies
# https://www.haproxy.org/
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under HAProxy Unified Gateway for k8s control
global
daemon
default-path config
localpeer local
master-worker
maxconn 32000
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
stats timeout 36000
tune.lua.bool-sample-conversion normal
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES
hard-stop-after 1800000
log stdout format raw daemon
lua-load-per-thread /usr/local/hug/route.lua
defaults haproxytech
timeout http-request 5000
timeout connect 5000
timeout client 50000
timeout queue 5000
timeout server 50000
timeout tunnel 3600000
timeout http-keep-alive 60000
peers localinstance
peer local 127.0.0.1:10000
frontend health_check_socket from haproxytech
mode http
# pebble uses this socket to perform health checks
bind unix@/var/run/haproxy/health.sock
monitor-uri /healthz
option dontlog-normal
frontend healthz from haproxytech
mode http
monitor-uri /healthz
option dontlog-normal
frontend stats from haproxytech
mode http
stats enable
stats uri /
stats refresh 10s
stats show-legends
http-request set-var(txn.base) base
http-request use-service prometheus-exporter if { path /metrics }
backend backend_not_found from haproxytech
mode http
http-request return status 404 content-type html string "NOT FOUND"

Note that while this configuration file exists within the pod, you cannot edit it directly, as it is managed by HAProxy Unified Gateway. Any changes you make will be discarded.

Example: verify generated load balancer configuration

You can check the generated load balancer configuration to confirm that HAProxy Unified Gateway has implemented your HTTPRoutes. In the logs there should be a message similar to the following:

2025-11-21T02:31:56.035Z [hug] {"time":"2025-11-21T02:31:56.03513256Z","level":"INFO","msg":"Haproxy configuration update result","result":{"Error":null,"UpdatedSectionsMetaData":{"link1_default_api-svc_80__":{"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1,"LinkID":"link1"}}}},"link1_default_example-haproxy-gateway_http":{"hug":{"Gateway":{"default/example-haproxy-gateway":{"Generation":1,"LinkID":"link1"}}}},"link1_default_web-svc_80__":{"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1,"LinkID":"link1"}}}}}},"category":"app","sourceFile":{"file":"main.go","line":319}}

This indicates that it has created backends for your services. In this example, link1_default_api-svc_80__ and link1_default_web-svc_80__ are the backends for the two services. Verify that the backends exist in the load balancer configuration:

haproxy
backend link1_default_api-svc_80__ from haproxytech # {"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1,"LinkID":"link1"}}}}
mode http
balance roundrobin
option forwardfor
no option abortonclose
timeout server 50000
default-server check
server SRV_76e039e9969ef507994e1aee1ee5aa5e0904d8c1 10.0.1.157:5678 enabled
backend link1_default_web-svc_80__ from haproxytech # {"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1,"LinkID":"link1"}}}}
mode http
balance roundrobin
option forwardfor
no option abortonclose
timeout server 50000
default-server check
server SRV_1c72e7923842be4d1604a97b081ed06e976fc92d 10.0.1.36:5678 enabled

Here, there are two backends corresponding to the two services. Each has a server entry that corresponds to the application pods:

nix
kubectl get pods -o wide
output
text
NAME                       READY   STATUS    RESTARTS   AGE   IP           NODE      NOMINATED NODE   READINESS GATES
api-svc-669f4cd4cf-9tgxt   1/1     Running   0          56m   10.0.1.157   worker1   <none>           <none>
web-svc-548bcfb489-dz7vg   1/1     Running   0          56m   10.0.1.36    worker1   <none>           <none>

The IPs for the backend servers on the server lines match the pod IPs.
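
The cross-check described above can be scripted. The following is an added example, not part of the HAProxy documentation or the product's code: it parses the update-result log line, confirms that each reported section exists in haproxy.cfg, and checks that every backend server IP belongs to a Running pod. The sample inputs are constructed (abridged from the output shown on this page) and the function names are hypothetical.

```python
import json
import re

LOG_LINE = (  # constructed samples, abridged from this page's log line, backends and pod list
    '2025-11-21T02:31:56.035Z [hug] {"level":"INFO","msg":"Haproxy configuration update result",'
    '"result":{"Error":null,"UpdatedSectionsMetaData":{'
    '"link1_default_api-svc_80__":{"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1}}}},'
    '"link1_default_example-haproxy-gateway_http":{"hug":{"Gateway":{"default/example-haproxy-gateway":{"Generation":1}}}},'
    '"link1_default_web-svc_80__":{"hug":{"HTTPRoute":{"default/basic-path-routing":{"Generation":1}}}}}}}'
)
CFG = """\
frontend link1_default_example-haproxy-gateway_http from haproxytech
backend link1_default_api-svc_80__ from haproxytech
  server SRV_76e039e9969ef507994e1aee1ee5aa5e0904d8c1 10.0.1.157:5678 enabled
backend link1_default_web-svc_80__ from haproxytech
  server SRV_1c72e7923842be4d1604a97b081ed06e976fc92d 10.0.1.36:5678 enabled
"""
PODS = """\
NAME                       READY   STATUS    RESTARTS   AGE   IP           NODE
api-svc-669f4cd4cf-9tgxt   1/1     Running   0          56m   10.0.1.157   worker1
web-svc-548bcfb489-dz7vg   1/1     Running   0          56m   10.0.1.36    worker1
"""

SECTION = re.compile(r"^(?:global|defaults|peers|frontend|backend|listen)\b\s*(\S*)")
SERVER = re.compile(r"^server\s+\S+\s+(\d+(?:\.\d+){3}):\d+")
IPV4 = re.compile(r"\b\d+(?:\.\d+){3}\b")

def updated_sections(log_line):
    """Map each section the controller reports updating to its owning resource."""
    result = json.loads(log_line[log_line.index("{"):])["result"]
    if result["Error"] is not None:
        raise ValueError(f"configuration update failed: {result['Error']}")
    return {section: f"{kind} {next(iter(objs))}"
            for section, meta in result["UpdatedSectionsMetaData"].items()
            for kind, objs in meta["hug"].items()}

def parse_sections(cfg_text):
    """Map each named haproxy.cfg section to the IPs on its server lines."""
    sections, current = {}, None
    for line in map(str.strip, cfg_text.splitlines()):
        if m := SECTION.match(line):
            current = sections.setdefault(m.group(1), [])
        elif current is not None and (m := SERVER.match(line)):
            current.append(m.group(1))
    return sections

def running_pod_ips(pods_text):
    """IPs of Running pods from `kubectl get pods -o wide` output (header skipped)."""
    return {m.group(0) for row in pods_text.splitlines()[1:]
            if " Running " in row and (m := IPV4.search(row))}

def verify(log_line, cfg_text, pods_text):
    """List mismatches between the update log, haproxy.cfg and the live pods."""
    sections, pod_ips = parse_sections(cfg_text), running_pod_ips(pods_text)
    problems = []
    for name, owner in updated_sections(log_line).items():
        if name not in sections:
            problems.append(f"{name} ({owner}) missing from haproxy.cfg")
        for ip in sections.get(name, []):
            if ip not in pod_ips:
                problems.append(f"{name}: server {ip} matches no Running pod")
    return problems

print(verify(LOG_LINE, CFG, PODS) or "haproxy.cfg matches the log and the pods")
```

An empty list means the frontend and both backends are present and every server line points at a live pod; a stale server IP or a missing section is reported by name together with the Gateway or HTTPRoute that owns it.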

You can also check that the generated frontend exists for your Gateway. Given the following Gateway definition:

yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-haproxy-gateway
spec:
  gatewayClassName: haproxy
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    hostname: example.com
    name: http
    port: 8080
    protocol: HTTP

We can verify that the load balancer configuration has a frontend that represents the Gateway and binds on port 8080:

haproxy
frontend link1_default_example-haproxy-gateway_http from haproxytech # {"hug":{"Gateway":{"default/example-haproxy-gateway":{"Generation":1,"LinkID":"link1"}}}}
mode http
bind 0.0.0.0:8080 name v4
bind [::]:8080 name v6
acl route_is_json var(txn.route),bytes(0,1) -m str { # {"hug":"for lua routing"}
http-request set-var(txn.base) base
http-request set-var(txn.path) path
http-request set-var(txn.host) req.hdr(Host),host_only
http-request set-var(txn.route) base,map(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_exact.map) # {"hug":"exact domain + exact path"}
http-request set-var(txn.route,ifnotexists) path,map(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_exact.map) # {"hug":"any domain + exact path"}
http-request set-var(txn.route,ifnotexists) base,map_beg(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_prefix.map) # {"hug":"exact domain + path prefix"}
http-request set-var(txn.route,ifnotexists) path,map_beg(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_prefix.map) # {"hug":"exact domain + path prefix"}
http-request set-var(txn.route,ifnotexists) base,map_end(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/domain_wildcard_path_exact.map) # {"hug":"domain wildcard + exact path"}
http-request set-var(txn.route,ifnotexists) path,map_reg(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_regex.map) # {"hug":"any domain + path regex"}
http-request set-var(txn.route,ifnotexists) base,map_reg(/usr/local/hug/maps/link1_default_example-haproxy-gateway_http/path_regex.map) # {"hug":"domain wildcard + path prefix or regex, exact domain + path regex"}
http-request lua.route if route_is_json # {"hug":"lua routing"}
use_backend %[var(txn.backend)] if route_is_json
use_backend %[var(txn.route)]
default_backend backend_not_found

View pod details

  1. View the details of the gateway controller pod by using kubectl describe pod:

    nix
    kubectl describe pod haproxy-unified-gateway-65c9d5778b-786zs -n haproxy-unified-gateway
    output
    text
    Name: haproxy-unified-gateway-65c9d5778b-786zs
    Namespace: haproxy-unified-gateway
    Priority: 0
    Service Account: haproxy-unified-gateway
    Node: worker2/172.31.36.249
    Start Time: Fri, 21 Nov 2025 02:28:24 +0000
    Labels: pod-template-hash=65c9d5778b
    run=haproxy-unified-gateway
    Annotations: <none>
    Status: Running
    IP: 10.0.2.88
    IPs:
    ...
  2. You can also view the YAML that was used to deploy the gateway controller by using kubectl get deployment:

    nix
    kubectl get deployment haproxy-unified-gateway -o yaml --namespace haproxy-unified-gateway
    output
    yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      creationTimestamp: "2025-11-21T02:28:24Z"
      generation: 1
      labels:
        run: haproxy-unified-gateway
      name: haproxy-unified-gateway
      namespace: haproxy-unified-gateway
      resourceVersion: "1480132"
      uid: 516d1586-9e72-45df-a13a-89d97f9002fe
    ...

Gain shell access into the pod

Use kubectl exec to log into the gateway controller pod to inspect the files:

nix
kubectl exec -it haproxy-unified-gateway-65c9d5778b-786zs -n haproxy-unified-gateway -- /bin/sh
cd /usr/local/hug
ls
output
text
aux certlists certs errorfiles haproxy.cfg maps patterns route.lua

Check HTTPRoute status

If you cannot connect to your services, there may be an issue with your HTTPRoute definition. You can verify that your HTTPRoute has been accepted by the Gateway by checking the status property of the HTTPRoute. In the entry for type: Accepted, you should see status: "True". If you see status: "False", there is an issue in your HTTPRoute definition, and the status may show an error.

nix
kubectl get httproute <httproute_name> -o yaml
output
yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
...
status:
  parents:
  - conditions:
    - lastTransitionTime: "2025-11-21T01:43:09Z"
      message: Route Accepted
      reason: Accepted
      status: "True"
      type: Accepted
...

Check GatewayClass status

If HAProxy Unified Gateway is not recognizing changes to your HTTPRoute or your Gateway, or you see messages in the logs similar to this one, stating that your HTTPRoute is UNMANAGED:

text
2025-11-21T02:28:30.867Z [hug] {"time":"2025-11-21T02:28:30.866965282Z","level":"DEBUG","msg":"tree.HTTPRoute UNMANAGED","objectKey":"default/basic-path-routing","category":"gate","sourceFile":{"file":"k8s/gate/tree/HTTPRoute-builder.go","line":219}}

Make sure that you have deployed your GatewayClass. HAProxy Unified Gateway cannot process your routes and gateways without a GatewayClass definition in place.

You can also verify that your Gateway has been accepted by the GatewayClass by checking the status property of the Gateway. In the entry for type: Accepted, you should see status: "True". If you see status: "False", there is an issue in your Gateway definition, and the status may show an error.

nix
kubectl get gateway <gateway_name> -o yaml
output
yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
...
status:
  conditions:
  - lastTransitionTime: "2025-11-21T02:31:55Z"
    message: Gateway is programmed
    observedGeneration: 1
    reason: Programmed
    status: "True"
    type: Programmed
  - lastTransitionTime: "2025-11-21T02:31:55Z"
    message: Gateway is accepted
    observedGeneration: 1
    reason: Accepted
    status: "True"
    type: Accepted
...

Errors binding on low ports

If the load balancer logs show a message similar to the following:

text
2025-11-17T22:47:57.389Z [haproxy] [ALERT] (50) : Binding [/usr/local/hug/haproxy.cfg:62] for frontend link1_default_hug-gateway_http: protocol tcpv6: cannot bind socket (Permission denied) for [:::80].
2025-11-17T22:47:57.389Z [haproxy] [ALERT] (50) : Binding [/usr/local/hug/haproxy.cfg:61] for frontend link1_default_hug-gateway_http: protocol tcpv4: cannot bind socket (Permission denied) for [0.0.0.0:80].

Your gateway controller pods may not be able to bind on low ports due to security restrictions in your cluster. Check that the gateway controller deployment has the NET_BIND_SERVICE capability. If it has this capability and the load balancer still cannot bind, you may have pod security measures in place that prevent pods from binding on low ports.

nix
kubectl get deployment haproxy-unified-gateway -o yaml --namespace haproxy-unified-gateway
controller.yaml
yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haproxy-unified-gateway
...
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          runAsUser: 1000
          runAsGroup: 1000
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
...
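
The two checks above can be combined into one triage step. The following is an added example, not part of the HAProxy documentation: it extracts the privileged ports that HAProxy failed to bind from the ALERT lines and inspects the Deployment (as returned by kubectl get deployment -o json) for the NET_BIND_SERVICE capability. The log lines are the ones shown above; the Deployment dictionary is constructed, and the container name and function names are assumptions.

```python
import re

# The ALERT lines from this page, used as sample input.
LOG = """\
2025-11-17T22:47:57.389Z [haproxy] [ALERT] (50) : Binding [/usr/local/hug/haproxy.cfg:62] for frontend link1_default_hug-gateway_http: protocol tcpv6: cannot bind socket (Permission denied) for [:::80].
2025-11-17T22:47:57.389Z [haproxy] [ALERT] (50) : Binding [/usr/local/hug/haproxy.cfg:61] for frontend link1_default_hug-gateway_http: protocol tcpv4: cannot bind socket (Permission denied) for [0.0.0.0:80].
"""
# Constructed Deployment, shaped like `kubectl get deployment -o json` output.
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "haproxy-unified-gateway",  # assumed container name
    "securityContext": {
        "runAsNonRoot": True, "allowPrivilegeEscalation": False,
        "runAsUser": 1000, "runAsGroup": 1000,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
    },
}]}}}}

BIND_DENIED = re.compile(
    r"for frontend (?P<frontend>\S+): protocol \w+: "
    r"cannot bind socket \(Permission denied\) for \[.+:(?P<port>\d+)\]"
)

def denied_low_ports(log_text):
    """Return {frontend: sorted ports below 1024 that HAProxy could not bind}."""
    denied = {}
    for m in BIND_DENIED.finditer(log_text):
        port = int(m["port"])
        if port < 1024:
            denied.setdefault(m["frontend"], set()).add(port)
    return {frontend: sorted(ports) for frontend, ports in denied.items()}

def containers_missing_cap(deployment, cap="NET_BIND_SERVICE"):
    """Names of containers whose securityContext does not add the capability."""
    missing = []
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        caps = (container.get("securityContext") or {}).get("capabilities") or {}
        if cap not in (caps.get("add") or []):
            missing.append(container["name"])
    return missing

def diagnose(log_text, deployment):
    """Turn the log and the Deployment into the next troubleshooting step."""
    if not denied_low_ports(log_text):
        return "no low-port bind failures in log"
    missing = containers_missing_cap(deployment)
    if missing:
        return "add NET_BIND_SERVICE to containers: " + ", ".join(missing)
    return "NET_BIND_SERVICE present; check cluster pod security measures"

print(denied_low_ports(LOG), "->", diagnose(LOG, DEPLOYMENT))
```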
