The Proxy Protocol was designed to chain proxies / reverse-proxies without losing the client information.
A proxy will use its own IP stack to get connected on remote servers. Because of this, we lose the initial TCP connection information like source and destination IP and port when a proxy in involved in an architecture.
That said, a few workarounds exist, like:
- Tproxy: require you to compile your kernel and to make your proxy as your server’s default gateway, can pass through nat-ting firewalls
- HTTP X-Forwarded-For header: works only for HTTP and require modules in Apache and IIS
The problem of these workarounds is that they are either protocol related or require architecture changes, preventing scalability.
That’s where the proxy-protocol comes in:
- it is protocol agnostic (can work with any layer 7 protocols, even when encrypted).
- it does not require any infrastructure changes
- nat-ing firewalls have no impact it
- it is scalable
The is only one condition: both endpoints of the connection MUST be compatible with proxy protocol. This could be either proxies, reverse-proxies, load-balancers, WAF, application servers, etc….
Proxy protocol documentation
The description of the protocol by Willy, HAProxy developer: proxy protocol.
And a few articles speaking about the subject:
- Efficient SMTP relay infrastructure with Postfix and load-balancers
- Preserve source IP address despite reverse proxies
Proxy-protocol ready softwares
The list below summarizes which software have already implemented the proxy protocol:
- Elastic Load Balancing, since July 2013, AWS’ Load-Balancer
- exaproxy, since 1.0.0, forward and reverse proxy
- exim, since 4.83, client side only, SMTP MTA
- gunicorn, since 0.15.0, python HTTP server
- haproxy, since 1.5-dev3, reverse-proxy load-balancer
- nginx, since 1.5.12 in HTTP server client side only, Web server, HTTP + Mail reverve-proxy
- postfix, since 2.10, SMTP MTA
- stud, since the first release, SSL offloader
- stunnel, since 4.45, SSL offloader
- apache HTTPD, web server, use the module myfixip, for both apache 2.2 and 2.4
Proxy-protocol ready appliances
Not yet proxy-protocol ready
But it would be good they do it: