diff --git a/ansible.hosts.ha.vip.tpl b/ansible.hosts.ha.vip.tpl
index 7b3cd66..f962d71 100644
--- a/ansible.hosts.ha.vip.tpl
+++ b/ansible.hosts.ha.vip.tpl
@@ -54,6 +54,10 @@ keepalived_image="{{registry_repo}}/osixia/keepalived:2.0.17"
 keepalived_router_id=250
 keepalived_auth_pass=solarfs{{keepalived_router_id}}
 
+# open haproxy ingress tcp proxy
+ingress_nodeport_http=32080
+ingress_nodeport_https=32443
+
 # helm
 helm_binary_md5=e4500993ba21e5e6bdfbc084b4342025
 helm_binary_url=https://pnode.solarfs.io/dn/file/{{helm_binary_md5}}/helm-v3.6.0-linux-amd64.tar.gz
diff --git a/roles/ha-loadbalance/templates/haproxy.cfg.j2 b/roles/ha-loadbalance/templates/haproxy.cfg.j2
index 84d94d7..9e26cb1 100644
--- a/roles/ha-loadbalance/templates/haproxy.cfg.j2
+++ b/roles/ha-loadbalance/templates/haproxy.cfg.j2
@@ -47,5 +47,35 @@ backend apiserver
 option ssl-hello-chk
 balance roundrobin
 {% for host in groups['masters'] %}
- server {{ hostvars[host].inventory_hostname}} {{ hostvars[host].ansible_host }}:{{api_server_src_port}} check
+ server {{ hostvars[host].inventory_hostname}} {{ hostvars[host].ansible_host }}:{{api_server_src_port}} check
 {% endfor %}
+
+{% if ingress_nodeport_http is defined %}
+frontend ingress-nginx-http
+ bind *:80
+ mode tcp
+ option tcplog
+ default_backend ingress-nginx-http
+
+backend ingress-nginx-http
+ mode tcp
+ balance roundrobin
+{% for host in groups['masters'] %}
+ server {{ hostvars[host].inventory_hostname}} {{ hostvars[host].ansible_host }}:{{ingress_nodeport_http}} check
+{% endfor %}
+{% endif %}
+
+{% if ingress_nodeport_https is defined %}
+frontend ingress-nginx-https
+ bind *:443
+ mode tcp
+ option tcplog
+ default_backend ingress-nginx-https
+
+backend ingress-nginx-https
+ mode tcp
+ balance roundrobin
+{% for host in groups['masters'] %}
+ server {{ hostvars[host].inventory_hostname}} {{ hostvars[host].ansible_host }}:{{ingress_nodeport_https}} check
+{% endfor %}
+{% endif %}
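Review bot: The added comment `# open haproxy ingress tcp proxy` does not tell the operator that these two variables are the switch for the new listeners. Because the template now defines `ingress_nodeport_http` and `ingress_nodeport_https` by default, the `is defined` guards in haproxy.cfg.j2 are always true for inventories generated from it, so the load balancer listens on 80 and 443 unless the lines are removed. I would reword the comment to something like `# defining these makes haproxy listen on 80/443 and forward to the ingress NodePorts; comment out to keep the ports closed`. The values presumably have to match the NodePorts of the ingress controller Service, which is worth stating in the same comment.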
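Review bot: The two new frontends bind `*:80` and `*:443` and forward in `mode tcp`, so the ingress controller behind them sees the HAProxy host as the client of every connection. Its access logs, rate limits and source-range allowlists then no longer reflect the real client address. If the controller is set up to accept it (`use-proxy-protocol: "true"` in the ingress-nginx ConfigMap), append `send-proxy` to the two new `server` lines; otherwise record the limitation in a comment above the frontends. Binding to the keepalived virtual IP instead of `*` would also keep the listeners off the other interfaces of the load-balancer host. Both backends iterate `groups['masters']`, which sends application traffic to the control-plane nodes, so a separate inventory group for ingress nodes may be preferable if workers exist.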