How to use the proxy protocol

What is the Proxy Protocol?

The proxy protocol is an industry standard to pass client connection information through a load balancer on to the destination server. Activating the proxy protocol allows you to see the original client ip address in your application logs.

Configuring nginx to use the proxy protocol

There are multiple webservers and ways of configuring the proxy protocol. We also provide a tutorial on how to do this with the nginx ingress controller here Setup and nginx ingress controller with the proxy protocol. This tutorial will show you how to configure the proxy protocol with nginx. For further information please refer to Accepting the proxy protocol. In general nginx will require an http or a stream block to activate the proxy protocol. This block can only be set once. So it often makes sense to configure your domain (vhost) via the main nginx config. Because the http block is normally set there. This is a minimal example on how to accomplish this

http {
    server {
        listen 8080 proxy_protocol;

        root /usr/share/nginx/html;
        try_files /index.html =404;

        proxy_set_header X-Real-IP              $remote_addr;

        # Pass the original X-Forwarded-For
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;

        # mitigate HTTPoxy Vulnerability
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy                  "";
        }
}

Configuring other webservers

It is also possible to configure other webserver to use the proxy protocol

If you would like to use the apache webserver you may use the apache module remoteip. Instructions on how to configure the remote ip module can be found here:

apache module remote ip

Configuring you kubernetes service endpoint for the proxy protocol

The openstack load balancer octavia can be configured via kubernetes annotations. To configure a service endpoint to use the proxy protocol you may use the following yaml

apiVersion: v1
kind: Service
metadata:
  annotations
:
    loadbalancer.openstack.org/proxy-protocol: "true"
  name: webapp-svc
  labels:
    app: webapp-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: webapp
  type: LoadBalancer

Further information

Exposing applications using services of LoadBalancer type