Container - haproxy - cannot bind port 443

I am trying to use haproxy in a container but the moment I add bind *.443 I get the following error

[ALERT] (3) : Binding [/usr/local/etc/haproxy/haproxy.cfg:29] for frontend https_in: protocol tcpv4: cannot bind socket (Permission denied) for [0.0.0.0:443].

If I change to 8443 it works but I don’t want to use 8443. I want the 443. Is it possible?

I noticed that the reverse proxy is also using port 443, and I disabled it just in case, but it didn’t help. I tried 444 with the same error. It seems that lower ports are not available for containers? If that is the case, is there a parameter with which I can allow it?

Use the reverse proxy feature. It sounds stupid to reverse proxy a haproxy, but give it a try.

Maybe it also helps to disable www-ssl and api-ssl under /ip/services to get port 443 available.

That was my next question, but I didn’t want to extend this topic that much.

Also I just remembered that Mikrotik’s example uses bind 443

global
log stdout format raw local0 info
stats socket :9999 level admin expose-fd listeners
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM
ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-server-options ssl-min-ver TLSv1.2
tune.ssl.default-dh-param 2048
tune.bufsize 43768
tune.ssl.cachesize 1000000
nbthread 8

defaults
log global
timeout client 10s
timeout connect 10s
timeout server 10s
timeout http-request 10s

frontend frontend_webapp
mode http
option httplog
option http-server-close
option forwardfor except 127.0.0.0/8
stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
http-request track-sc0 src
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10000 }
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/certs/
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-For %[src]
use_backend backend_webapp

backend backend_webapp
mode http
balance roundrobin
option http-server-close
option forwardfor
server server1 172.17.0.2:8080

You need to provide at least your /container and /interface/veth config. I don't know what you are doing.

2026-02-27 17:17:11 by RouterOS 7.22beta6

model = RDS2216-2XG-4S+4XS-2XQ

/interface veth
add address="" container-mac-address=6A:70:45:66:01:8E dhcp=yes gateway="" gateway6="" mac-address=6A:70:45:66:01:8D name=veth-haproxy

/interface bridge port
add bridge=bridgeTrunk interface=veth-haproxy

/container
add interface=veth-haproxy layer-dir=/nvme20/containers/haproxy/layer mountlists=HAPROXY name=haproxy remote-image=haproxy:latest root-dir=/nvme20/containers/haproxy/root start-on-boot=yes workdir=/var/lib/haproxy
/container mounts
add dst=/usr/local/etc/haproxy list=HAPROXY src=/nvme20/containers/haproxy/config


haproxy.cfg (the MikroTik sample, modified slightly):

global
log stdout format raw local0 info
stats socket :9999 level admin expose-fd listeners
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
ssl-default-server-ciphers EECDH+AESGCM:EDH+AESGCM
ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-server-options ssl-min-ver TLSv1.2
tune.ssl.default-dh-param 2048
tune.bufsize 43768
tune.ssl.cachesize 1000000
nbthread 8

defaults
log global
timeout client 10s
timeout connect 10s
timeout server 10s
timeout http-request 10s

frontend https_in
mode http
option httplog
option http-server-close
option forwardfor except 127.0.0.0/8
stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
http-request track-sc0 src
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10000 }

bind *:443 ssl crt /usr/local/etc/haproxy/certs/
http-request redirect scheme https unless { ssl_fc }
http-request set-header X-Forwarded-Host %[req.hdr(host)]
http-request set-header X-Forwarded-For %[src]
acl host_code.xxx.gr ssl_fc_sni code.xxx.gr
use_backend https_code.xxx.gr if host_code.xxx.gr

backend https_code.xxx.gr
mode http
balance roundrobin
option http-server-close
option forwardfor
server code.xxx.gr 192.168.80.80:8080

This should work, unless I am overlooking something. I also have a container listening on 443 and it works fine.

I just gave a try to the reverse proxy.

It worked but the options are pretty basic.

Especially the max sessions of 1000 sounds very small.

It also looks like it only listens to one port and it says that it only works for http connections. I also need for example to proxy ssl websockets.

It sounds like I need to move back to a VM running haproxy, although it would be nice to know that haproxy could work on port 443 in the container.

Hi,

May I suggest explicitly setting the root user for this RouterOS container and retrying? I think this may be the scope of the issue, so give it a shot (for the permission denied on port 443, if that socket is free).

Good luck

How do I do that? How do I set the root user for this container?

Try
/container/set [find name="haproxy"] user=root


thx it worked


Very interesting. Could be handy. The docs have a hint also.

"Some containers will require additional privileges in order to be able to run properly:"

/container/set 0 user=0:0
Container - RouterOS - MikroTik Documentation

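The Linux rule behind the symptoms in this thread (443 and 444 denied, 8443 fine, fixed by running as root), as an added diagnostic that is not part of the original thread: it checks whether the current process holds CAP_NET_BIND_SERVICE and compares each port with net.ipv4.ip_unprivileged_port_start. It assumes a Linux container with /proc readable; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Linux rule: bind() on a port below
# net.ipv4.ip_unprivileged_port_start (default 1024) needs
# CAP_NET_BIND_SERVICE in the process's effective capability set.

CAP_NET_BIND_SERVICE_BIT=10   # bit number from <linux/capability.h>

# has_net_bind_service HEXMASK: succeeds if the CapEff mask has bit 10 set.
has_net_bind_service() {
    [ $(( (0x$1 >> CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# bind_verdict PORT CAPEFF_HEX UNPRIV_START: prints "allowed" or "denied".
bind_verdict() {
    if [ "$1" -ge "$3" ] || has_net_bind_service "$2"; then
        echo allowed
    else
        echo denied
    fi
}

# CapEff of this shell, as 16 hex digits; empty if /proc is unavailable.
current_capeff() {
    [ -r /proc/self/status ] || return 0
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then echo "$val"; fi
    done < /proc/self/status
}

# First port that needs no capability; 1024 where the sysctl is absent.
current_unpriv_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# report PORT...: evaluate the ports from the thread for the current process.
report() {
    capeff=$(current_capeff)
    start=$(current_unpriv_start)
    echo "uid=$(id -u) CapEff=${capeff:-unknown} unprivileged_port_start=$start"
    for p in "$@"; do
        echo "port $p: $(bind_verdict "$p" "${capeff:-0}" "$start")"
    done
}

report 443 444 8443
```

Run it inside the container as the same user HAProxy runs as. A root process normally holds the capability, which is consistent with user=root resolving the error.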