In this blog post, you’ll learn how the Proxy Protocol preserves a client’s IP address when that client’s connection passes through a proxy. You will also find resources for how to integrate the protocol into your own proxy or web server software.
What is the Proxy Protocol? It is a network protocol for preserving a client’s IP address when the client’s TCP connection passes through a proxy. Without such a mechanism, proxies lose this information because they act as a surrogate for the client, relaying messages to the server, but replacing the client’s IP address with their own. This distorts the logs of upstream servers because the logs incorrectly indicate that all traffic originated at the proxy.
Some higher-level protocols, such as HTTP, have a solution for this. With HTTP, a proxy can add a Forwarded HTTP header, or the non-standard X-Forwarded-For header, to store the client’s original IP address so that the server can retrieve it, but other protocols lack a similar fix. The Proxy Protocol, which operates beneath them at the TCP layer, fills this gap, expanding coverage to any upper-layer protocol (SMTP, IMAP, FTP, the Minecraft protocol, proprietary database protocols, etc.) that transmits messages over TCP/IP. The caveat is that both the proxy and the server on the receiving end must support it.
The Proxy Protocol works by adding a header that contains the client’s IP address to the beginning of a TCP connection.
Proxy Protocol support
The following software, services and devices are known to support the Proxy Protocol:
- Apache HTTP Server
- Apache Traffic Server
- AWS Network Load Balancer
- Citrix ADC
- DigitalOcean Load Balancer
- Envoy Proxy
- Google Cloud Load Balancing
- HAProxy ALOHA
- HAProxy Enterprise
- HashiCorp Vault
- IBM Application Gateway
- NGINX Plus
- SAP Web Dispatcher
If you’re a developer looking for information on how to implement the Proxy Protocol, check the link below:
The Proxy Protocol preserves a client’s IP address when it passes through a proxy, which maintains the correct information in server logs. Be sure to choose proxy and server solutions that support it, since it must be enabled on both the sender and receiver.