Proxy Protocol

Introduction #

The Proxy Protocol was designed to chain proxies / reverse-proxies without losing the client information.

A proxy will use its own IP stack to get connected to remote servers. Because of this, we lose the initial TCP connection information like source and destination IP and port when a proxy is involved in architecture.

That said, a few workarounds exist, like:

  • Tproxy: require you to compile your kernel and to make your proxy as your server’s default gateway, can pass through nat-ting firewalls
  • HTTP X-Forwarded-For header: works only for HTTP and require modules in Apache and IIS

The problem with these workarounds is that they are either protocol-related or require architecture changes, preventing scalability.

That’s where the proxy protocol comes in:

  • it is protocol-agnostic (can work with any layer 7 protocols, even when encrypted).
  • it does not require any infrastructure changes
  • nat-ing firewalls have no impact it
  • it is scalable

The is only one condition: both endpoints of the connection MUST be compatible with the proxy protocol. This could be either proxy, reverse-proxies, load-balancers, WAF, application servers, etc….

Proxy protocol documentation #

The description of the protocol by Willy, HAProxy developer: proxy protocol.

And a few articles speaking about the subject:

Proxy-protocol ready software #

The list below summarizes which software have already implemented the proxy protocol:

  • Elastic Load Balancing, since July 2013, AWS’ Load-Balancer
  • Dovecot, since 2.2.19, a POP/IMAP mail server
  • exaproxy, since 1.0.0, forward and reverse proxy
  • exim, since 4.83, client side only, SMTP MTA
  • FreeRADIUS, since 3.0.24
  • gunicorn, since 0.15.0, python HTTP server
  • haproxy, since 1.5-dev3, reverse-proxy load-balancer
  • hitch since the first release, SSL offloader, fork of stud.
  • nginx, since 1.5.12 in HTTP server client side only, Web server, HTTP + Mail reverve-proxy
  • Percona DB Server, since 5.6.25-73.0, DataBase server
  • postfix, since 2.10, SMTP MTA
  • stud, since the first release, SSL offloader.
  • stunnel, since 4.45, SSL offloader
  • apache HTTPD, web server, use the module myfixip, for both apache 2.2 and 2.4
  • varnish, HTTP reverse-proxy cache, since version 4.1

Proxy-protocol ready appliances #

Not yet proxy-protocol ready #

But it would be good they do it:

  • apache ATS, HTTP proxy and reverse-proxy cache
  • squid, HTTP proxy and reverse-proxy cache
  • MySQL, Database server

Leave a Reply

Your email address will not be published. Required fields are marked *