When you use a proxy, the proxy re-encapsulates incoming requests and then forwards the requests to the server. In this scenario, the server cannot obtain the original connection information, such as the client IP address and port. To address this issue, the PROXY protocol is designed to preserve such essential details by transmitting them at the beginning of each connection. This enables accurate traffic management, enhances security, and ensures compliance with regulatory requirements.
Protocol description
The PROXY protocol has no requirements on the system kernel. Your application must be modified to parse the header string and extract the original client IP address from it. NGINX and HAProxy support the PROXY protocol.
To preserve the IP address of a client by using the PROXY protocol, you need to select the PROXY protocol in the Edge Security Acceleration (ESA) console. This way, points of presence (POPs) prepend each inbound TCP connection with the PROXY protocol header. POPs deliver the PROXY protocol header before delivering the actual payload of the first packet.
Differences between PROXY protocol v1 and PROXY protocol v2
| Version | PROXY protocol v1 | PROXY protocol v2 |
| --- | --- | --- |
| Format | ASCII | Binary |
| Supported protocol | TCP | TCP |
| Security | No encryption or authentication mechanism, making data vulnerable to tampering. | TLS handshakes for enhanced security. |
| Flexibility | Fixed format with limited flexibility. | High flexibility with variable length and support for various extension information. |
| Scenario | Suitable for simple environments where security is not a primary concern. | Suitable for security-sensitive environments. |
Enable PROXY protocol v1 for TCP
After TCP applications are configured to use PROXY protocol v1, ESA prepends the PROXY protocol v1 header to each inbound TCP connection. To enable PROXY protocol v1, perform the following steps:
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose the menu item for Layer 4 applications. Click Create Application and set the Layer 4 application parameters. From the client IP transmission drop-down list, choose PROXY Protocol v1.
Click OK.
PROXY protocol v1 header
The PROXY protocol prepends each connection with a plain text header to report the client IP address and port. The header is in the following format:
PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"
Here's an example of a PROXY protocol v1 header for an IPv4 address:
PROXY TCP4 10.10.10.10 192.168.0.1 12345 80\r\n
Here's an example of a PROXY protocol v1 header for an IPv6 address:
PROXY TCP6 2001:db8:: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 12345 443\r\n
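As an added example (not part of the ESA documentation), the following Python parser accepts a v1 header in the format described above, validates every field instead of trusting it, and in `resolve_client` honours the header only when the TCP peer is in an allowlist of proxy addresses, because any host that can reach the origin directly could otherwise present a header of its own. The allowlist networks and the sample stream are constructed for the demo.

```python
import ipaddress

# Maximum length of a v1 header, CRLF included, per the PROXY protocol spec.
V1_MAX_LEN = 107


class ProxyHeaderError(ValueError):
    """Malformed header: the receiver should close the connection."""


def _parse_port(field: str) -> int:
    """Accept only a plain decimal port in 0..65535."""
    if not field.isdigit() or len(field) > 5:
        raise ProxyHeaderError(f"bad port {field!r}")
    port = int(field)
    if port > 65535:
        raise ProxyHeaderError(f"port out of range: {port}")
    return port


def parse_v1_header(data: bytes):
    """Split a v1 header off the start of a TCP stream.

    Returns (info, rest): info describes the original connection and rest is
    the payload that followed the header.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("missing 'PROXY ' signature")
    # The CRLF must appear within the first 107 bytes; otherwise the line is
    # not a valid header and must not be searched further.
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in header") from exc
    rest = data[end + 2:]
    fields = line.split(" ")  # fields are separated by exactly one space
    if fields[1] == "UNKNOWN":
        # The proxy could not determine the original endpoints; the spec says
        # to fall back to the real TCP peer and ignore the rest of the line.
        return {"proto": "UNKNOWN"}, rest
    if len(fields) != 6:
        raise ProxyHeaderError(f"expected 6 fields, got {len(fields)}")
    _, proto, src_ip, dst_ip, src_port, dst_port = fields
    if proto not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"unsupported INET_PROTOCOL {proto!r}")
    try:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
    except ValueError as exc:
        raise ProxyHeaderError("invalid IP address") from exc
    want = 4 if proto == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match INET_PROTOCOL")
    info = {
        "proto": proto,
        "src_ip": str(src), "dst_ip": str(dst),
        "src_port": _parse_port(src_port), "dst_port": _parse_port(dst_port),
    }
    return info, rest


def resolve_client(peer_ip: str, data: bytes, trusted_proxies):
    """Honour a PROXY header only when the TCP peer is a trusted proxy/POP.

    For untrusted peers the real peer address is reported and the data is
    returned untouched, so a stray header cannot override the source address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return {"proto": None, "src_ip": peer_ip, "trusted": False}, data
    info, rest = parse_v1_header(data)
    if info["proto"] == "UNKNOWN":
        info["src_ip"] = peer_ip
    info["trusted"] = True
    return info, rest


if __name__ == "__main__":
    # Constructed sample: the page's IPv4 header followed by an HTTP request line.
    sample = b"PROXY TCP4 10.10.10.10 192.168.0.1 12345 80\r\nGET / HTTP/1.0\r\n"
    # Hypothetical POP range for the demo; in practice use the published list.
    print(resolve_client("203.0.113.7", sample, ["203.0.113.0/24"]))
```

The parser is deliberately strict: a header that lacks the CRLF within 107 bytes, mixes address families, or carries a non-numeric port is rejected and the connection should be closed rather than guessed at.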
Enable PROXY protocol v2 for TCP
After TCP applications are configured to use PROXY protocol v2, ESA prepends the PROXY protocol v2 header to each inbound TCP connection. To enable PROXY protocol v2, perform the following steps:
Log on to the ESA console.
In the left-side navigation pane, click Websites.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose the menu item for Layer 4 applications. Click Create Application and set the Layer 4 application parameters. Choose TCP as the protocol, and from the client IP transmission drop-down list, select PROXY Protocol v2.
Click OK.
PROXY protocol v2 header
The PROXY protocol v2 prepends each connection with a binary header to report the client IP address and port.
Format of the PROXY protocol binary header for an IPv4 address:
Format of the PROXY protocol binary header for an IPv6 address:
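The page does not reproduce the binary layout, so this added example (not the ESA documentation's own code) follows the published PROXY protocol v2 specification: a 12-byte signature, a version/command byte, an address-family/transport byte, a 2-byte big-endian length, the address block (4+4+2+2 bytes for IPv4, 16+16+2+2 for IPv6), then optional type-length-value extensions. The sample headers are constructed inside the block with a small builder; the NOOP TLV type (0x04) is the spec's value.

```python
import ipaddress
import struct

# 12-byte signature that opens every v2 header (from the PROXY protocol spec).
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V2_FIXED_LEN = 16  # signature + ver/cmd + family/transport + 2-byte length


class ProxyHeaderError(ValueError):
    """Malformed header: the receiver should close the connection."""


def _parse_tlvs(buf: bytes):
    """Decode the optional TLV extensions that follow the address block."""
    tlvs, pos = [], 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ProxyHeaderError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", buf[pos:pos + 3])
        value = buf[pos + 3:pos + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ProxyHeaderError("TLV length exceeds header")
        tlvs.append((tlv_type, value))
        pos += 3 + tlv_len
    return tlvs


def parse_v2_header(data: bytes):
    """Split a v2 header off the start of a TCP stream; returns (info, rest)."""
    if len(data) < V2_FIXED_LEN:
        raise ProxyHeaderError("need at least 16 bytes")
    if data[:12] != V2_SIGNATURE:
        raise ProxyHeaderError("missing v2 signature")
    ver_cmd, fam_tp, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError(f"unsupported version {ver_cmd >> 4}")
    command = ver_cmd & 0x0F          # 0 = LOCAL, 1 = PROXY
    if command not in (0, 1):
        raise ProxyHeaderError(f"unknown command {command}")
    if len(data) < V2_FIXED_LEN + addr_len:
        raise ProxyHeaderError("header body truncated")
    body = data[V2_FIXED_LEN:V2_FIXED_LEN + addr_len]
    rest = data[V2_FIXED_LEN + addr_len:]
    if command == 0:
        # LOCAL: the proxy itself is talking (e.g. a health check); use the
        # real TCP peer address and skip the address block entirely.
        return {"command": "LOCAL"}, rest
    family, transport = fam_tp >> 4, fam_tp & 0x0F
    if family == 0:                    # AF_UNSPEC: fall back to the TCP peer
        return {"command": "PROXY", "proto": "UNSPEC"}, rest
    if transport != 1:                 # only STREAM (TCP) is accepted here
        raise ProxyHeaderError(f"unsupported transport {transport}")
    if family == 1:                    # AF_INET
        if addr_len < 12:
            raise ProxyHeaderError("IPv4 address block too short")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        tlv_bytes, proto = body[12:], "TCP4"
    elif family == 2:                  # AF_INET6
        if addr_len < 36:
            raise ProxyHeaderError("IPv6 address block too short")
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        tlv_bytes, proto = body[36:], "TCP6"
    else:
        raise ProxyHeaderError(f"unsupported address family {family}")
    info = {
        "command": "PROXY", "proto": proto,
        "src_ip": str(ipaddress.ip_address(src)),
        "dst_ip": str(ipaddress.ip_address(dst)),
        "src_port": sport, "dst_port": dport,
        "tlvs": _parse_tlvs(tlv_bytes),
    }
    return info, rest


def _sample(family_byte, src, dst, sport, dport, tlv=b""):
    """Build a constructed v2 header (version 2, command PROXY) for the demo."""
    body = src + dst + struct.pack("!HH", sport, dport) + tlv
    return V2_SIGNATURE + bytes([0x21, family_byte]) + struct.pack("!H", len(body)) + body


# Constructed samples using the page's example addresses; 0x11 = INET/STREAM,
# 0x21 = INET6/STREAM. The IPv6 sample carries one NOOP TLV (type 0x04, 3 bytes).
SAMPLE_V2_IPV4 = _sample(0x11, bytes([10, 10, 10, 10]), bytes([192, 168, 0, 1]),
                         12345, 80) + b"GET / HTTP/1.0\r\n"
SAMPLE_V2_IPV6 = _sample(0x21, ipaddress.IPv6Address("2001:db8::").packed,
                         ipaddress.IPv6Address("2001:db8:ffff:ffff:ffff:ffff:ffff:ffff").packed,
                         12345, 443, tlv=b"\x04\x00\x03\x00\x00\x00") + b"payload"

if __name__ == "__main__":
    print(parse_v2_header(SAMPLE_V2_IPV4))
    print(parse_v2_header(SAMPLE_V2_IPV6))
```

Because the length field is attacker-controlled data as far as the origin is concerned, every slice is bounds-checked before unpacking, and a header whose declared length exceeds the bytes actually received is rejected rather than read short. The same trust rule as for v1 applies: only honour the header from connections that originate from the POP address ranges.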