Why Run HAProxy in Docker? Benefits, Performance & Security Explained
This guide explains how and why to run HAProxy inside Docker containers, covering setup steps, performance impact, security considerations, and practical commands for creating networks, deploying web services, configuring HAProxy, and managing the container lifecycle.
You can run HAProxy as a Docker container. Docker is ubiquitous, and many applications have been containerized, including HAProxy, which was designed for load balancing. It already runs as a standalone service on Linux, so moving it to Docker is a natural step.
Why run a load balancer inside a Docker container? Does it affect performance or introduce security issues?
This article explains why you might consider running HAProxy in a container, the possible consequences, and how to do it. Note that this focuses on running HAProxy itself, not the HAProxy Kubernetes Ingress Controller.
HAProxy Technologies provides a set of Docker images under the haproxytech namespace, regularly updated with patches and security fixes. The images used in this article are:
HAProxy (Alpine Linux base) – https://hub.docker.com/r/haproxytech/haproxy-alpine
HAProxy (Ubuntu base) – https://hub.docker.com/r/haproxytech/haproxy-ubuntu
HAProxy (Debian base) – https://hub.docker.com/r/haproxytech/haproxy-debian
The commands demonstrated were executed on a Linux workstation and also work on Docker Desktop for Windows or Mac.
Benefits of Using Docker
Docker lets you run HAProxy without compiling, installing dependencies, or modifying your system. The container includes the entire service, so you only need to start it and map its TCP ports. Deployment becomes repeatable and testable, simplifying upgrades.
Performance Impact of Docker
CPU overhead is negligible because Docker runs directly on the host kernel without a hypervisor layer. However, Docker's default bridge network introduces NAT, which can add latency (e.g., 35 µs to 70 µs for small requests). For ultra‑low latency, you can use host networking.
Security Considerations
HAProxy runs as root initially to bind privileged ports (80, 443) but drops to a non‑privileged user after startup. Using the official haproxytech images reduces the risk of malicious containers.
Running HAProxy with Docker
Create a bridge network:
sudo docker network create --driver=bridge mynetwork
Launch three instances of a simple echo-server web app:
sudo docker run -d \
  --name web1 --net mynetwork jmalloc/echo-server:latest
sudo docker run -d \
  --name web2 --net mynetwork jmalloc/echo-server:latest
sudo docker run -d \
  --name web3 --net mynetwork jmalloc/echo-server:latest
Verify the containers are running with docker ps.
Create an haproxy.cfg file with the following content:
global
  stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
  log stdout format raw local0 info
defaults
  mode http
  timeout client 10s
  timeout connect 5s
  timeout server 10s
  timeout http-request 10s
  log global
frontend stats
  bind *:8404
  stats enable
  stats uri /
  stats refresh 10s
frontend myfrontend
  bind :80
  default_backend webservers
backend webservers
  server s1 web1:8080 check
  server s2 web2:8080 check
  server s3 web3:8080 check
Key points:
The stats socket line enables HAProxy's runtime API and seamless reloads.
Port 8404 hosts the HAProxy Stats dashboard.
Port 80 forwards requests to the three web servers.
Docker’s built‑in DNS allows using container names (web1, web2, web3) instead of IP addresses.
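In the configuration above, the stats frontend binds *:8404 with no stats auth line and the runtime API socket is opened at level admin, two settings worth reviewing before the ports are published. The check below is an added example, not part of the original article or of HAProxy's tooling: a shell/awk function (the name audit_haproxy_cfg and the finding labels are hypothetical) run over a trimmed copy of that configuration.

```shell
#!/bin/sh
# Added example: flag an unauthenticated stats page on a wildcard bind and an
# admin-level runtime API socket in an haproxy.cfg.
audit_haproxy_cfg() {   # hypothetical helper name; prints one finding per line
    awk '
    function report() {
        # Stats enabled + wildcard bind + no "stats auth" in the same section
        if (stats && wild && !auth) print "OPEN_STATS " section
    }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {   # new section starts
        report()
        section = ($2 == "") ? $1 : ($1 " " $2)
        stats = wild = auth = 0
        next
    }
    # "bind :80", "bind *:8404" and "bind 0.0.0.0:80" all listen on every address
    $1 == "bind" && $2 ~ /^(\*|0\.0\.0\.0)?:[0-9]+/ { wild = 1 }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth"   { auth = 1 }
    $1 == "stats" && $2 == "socket" {
        for (i = 3; i < NF; i++)
            if ($i == "level" && $(i + 1) == "admin") print "ADMIN_SOCKET " $3
    }
    END { report() }
    ' "$1"
}

# Sample input: the configuration from this article, trimmed to the relevant lines.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
global
    stats socket /var/run/api.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
frontend stats
    bind *:8404
    stats enable
    stats uri /
frontend myfrontend
    bind :80
    default_backend webservers
EOF

audit_haproxy_cfg "$cfg"
```

Adding a stats auth line to the stats frontend clears the first finding; publishing the port as -p 127.0.0.1:8404:8404 instead limits the dashboard to the Docker host itself.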
Run the HAProxy container, mapping ports 80 and 8404:
sudo docker run -d \
  --name haproxy \
  --net mynetwork \
  -v "$(pwd)":/usr/local/etc/haproxy:ro \
  -p 80:80 \
  -p 8404:8404 \
  haproxytech/haproxy-alpine:2.4
Verify HAProxy is running with docker ps. Access the echo-server via http://localhost and the HAProxy Stats page via http://localhost:8404.
To reload HAProxy after changing haproxy.cfg without dropping traffic:
sudo docker kill -s HUP haproxy
To clean up, stop and remove the containers and network:
sudo docker stop web1 && sudo docker rm web1
sudo docker stop web2 && sudo docker rm web2
sudo docker stop web3 && sudo docker rm web3
sudo docker stop haproxy && sudo docker rm haproxy
sudo docker network rm mynetwork
Summary
This article shows how to run HAProxy inside Docker to simplify deployment and lifecycle management. Docker provides a standardized, repeatable deployment method. CPU overhead is negligible, but network latency may increase due to NAT, depending on your throughput requirements. Running HAProxy involves creating a configuration file, launching the HAProxy Docker image, and optionally using host networking for minimal latency.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
