Proxy Protocol

Introduction

The Proxy Protocol was designed to chain proxies and reverse-proxies without losing the client's connection information.
A proxy uses its own IP stack to connect to the remote server. Because of this, the original TCP connection information (source and destination IP addresses and ports) is lost as soon as a proxy is involved in an architecture: the server only ever sees the proxy's address.
That said, a few workarounds exist, like:

  • Tproxy: requires you to compile your kernel and to make your proxy the server's default gateway, and it can't pass through NAT-ing firewalls
  • HTTP X-Forwarded-For header: works only for HTTP and requires modules in Apache and IIS

The problem with these workarounds is that they are either protocol-specific or require architecture changes, which prevents scaling.
That's where the proxy protocol comes in:

  • it is protocol agnostic (it works with any layer 7 protocol, even encrypted ones, because the header is sent before any application data)
  • it does not require any infrastructure changes
  • NAT-ing firewalls have no impact on it
  • it is scalable

There is only one condition: both ends of each proxied connection (the one sending the header and the one receiving it) MUST support the proxy protocol. These can be proxies, reverse-proxies, load-balancers, WAFs, application servers, etc.
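To make that condition concrete, here is an added example (written for this page, not code from the original post or from HAProxy) of both ends of a proxied hop using the human-readable v1 form of the protocol. The sender writes one ASCII line, PROXY, the address family, the original source and destination addresses and ports, terminated by CRLF, before any application bytes; the receiver reads that line from the very first bytes of the connection and hands the rest of the stream to the application untouched, which is why the mechanism does not care what the application protocol is or whether it is encrypted. Addresses, ports and the trusted range are constructed sample values, and the trusted-peer check is this example's own design choice: any peer allowed to send the header can claim any client address, so a receiver must only honour it from its real upstream proxies.

```python
"""
Added example: a minimal PROXY protocol v1 encoder and decoder.
Not code from the original post or from HAProxy.  All addresses, ports
and the trusted network below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# A v1 line, CRLF included, is never longer than 107 bytes (spec limit), so
# a receiver only has to look at the first 107 bytes of the connection.
MAX_V1_LEN = 107


@dataclass(frozen=True)
class ProxyInfo:
    family: str                # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]    # original client address (None for UNKNOWN)
    dst_addr: Optional[str]    # address the client originally connected to
    src_port: Optional[int]
    dst_port: Optional[int]


def build_v1_header(src_addr: str, src_port: int, dst_addr: str, dst_port: int) -> bytes:
    """Sender side: the single line a proxy writes before any payload bytes."""
    src = ipaddress.ip_address(src_addr)
    dst = ipaddress.ip_address(dst_addr)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    line = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    assert len(line) <= MAX_V1_LEN
    return line


def _parse_port(field: bytes) -> int:
    """Ports are 1-5 decimal digits in the 0-65535 range; anything else is rejected."""
    if not field.isdigit() or len(field) > 5:
        raise ValueError(f"bad port field: {field!r}")
    port = int(field)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_v1_header(data: bytes, peer_addr: str,
                    trusted_peers: Iterable[str]) -> Tuple[ProxyInfo, bytes]:
    """Receiver side: strip the header from the first bytes of a connection.

    Returns (ProxyInfo, remaining application bytes).  The trust check runs
    first: whoever may send this header can claim any client IP, so only the
    upstream proxies' addresses (CIDR strings here) are allowed to.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_peers):
        raise PermissionError(f"PROXY header offered by untrusted peer {peer_addr}")

    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF-terminated PROXY line within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]

    if line.startswith(b"PROXY UNKNOWN"):
        # The sender could not determine the addresses; the rest of the line is ignored.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest

    parts = line.split(b" ")   # fields are separated by exactly one space
    if len(parts) != 6 or parts[0] != b"PROXY" or parts[1] not in (b"TCP4", b"TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    family = parts[1].decode("ascii")
    src = ipaddress.ip_address(parts[2].decode("ascii"))
    dst = ipaddress.ip_address(parts[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match the TCP4/TCP6 tag")
    return ProxyInfo(family, str(src), str(dst),
                     _parse_port(parts[4]), _parse_port(parts[5])), rest


def demo() -> Tuple[ProxyInfo, bytes]:
    """Constructed exchange: proxy 10.0.0.5 forwards client 192.0.2.10 to us."""
    header = build_v1_header("192.0.2.10", 51432, "198.51.100.7", 443)
    wire = header + b"GET / HTTP/1.0\r\n\r\n"   # header first, then the untouched payload
    return parse_v1_header(wire, peer_addr="10.0.0.5", trusted_peers=["10.0.0.0/8"])


if __name__ == "__main__":
    info, payload = demo()
    print(info)
    print(payload)
```

Run directly, demo() shows the receiving end recovering the client's 192.0.2.10:51432 and the original destination 198.51.100.7:443 while the HTTP request bytes pass through unchanged. The same header offered from an address outside the trusted range is refused rather than parsed; without that check, any host able to reach the listener could forge the client address that the application, its logs and its access rules then rely on.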

Proxy protocol documentation


The description of the protocol by Willy Tarreau, HAProxy's developer: proxy protocol.

And a few articles speaking about the subject:

Proxy-protocol ready software

The list below summarizes which software has already implemented the proxy protocol:

  • Elastic Load Balancing, since July 2013, AWS' load-balancer
  • exaproxy, since 1.0.0, forward and reverse proxy
  • exim, since 4.83, client side only (accepts the header, does not send it), SMTP MTA
  • gunicorn, since 0.15.0, Python HTTP server
  • haproxy, since 1.5-dev3, reverse-proxy load-balancer
  • nginx, since 1.5.12, in the HTTP server, client side only (accepts the header, does not send it), web server, HTTP + mail reverse-proxy
  • postfix, since 2.10, SMTP MTA
  • stud, since the first release, SSL offloader
  • stunnel, since 4.45, SSL offloader
  • apache HTTPD, web server, using the myfixip module, for both apache 2.2 and 2.4

Proxy-protocol ready appliances

Not yet proxy-protocol ready

But it would be good if they did:

  • apache ATS, HTTP proxy and reverse-proxy cache
  • squid, HTTP proxy and reverse-proxy cache
  • varnish, HTTP reverse-proxy cache
  • MySQL, Database server

7 Responses to Proxy Protocol

  1. wtarreau says:

    And now Amazon EC2 uses it in ELB, which simply means that you can get an extremely scalable full-featured load balancer by combining ELB in TCP mode and haproxy doing the L7 stuff on each instance. More info here : http://aws.typepad.com/aws/2013/07/elastic-load-balancing-adds-support-for-proxy-protocol.html

  2. Nate says:

    Do you have any information as to why the nginx patch (http://www.bedis.eu/nginx/nginx_proxy_protocol_patch) “needs work”? (see http://trac.nginx.org/nginx/ticket/355). I’d be happy to help out if needed. Thanks.

    • Hi Nate,

      I had a talk with Maxim about it.
      There are some minor changes to make, as well as some cosmetic review to perform.
      But since I’m not an nginx dev, I did not do it in the best way and Maxim thinks it would be better to rewrite it from scratch.

      That said, the wiki you pointed to has been using this patch for 2 months without a crash.

      Baptiste

      • Nate says:

        Hi Baptiste,

        Thanks for getting back to me. I’m going to give your patch a try right now. I would like to try and see what I can do to get this committed to the nginx core. Is there any way you could put me into touch with Maxim so I can determine exactly what he’s looking for?

        Thanks again,
        Nate

  3. Taavi says:

    And finally Nginx 1.5.12 supports proxy protocol 🙂
