Proxy Protocol¶
The PROXY protocol provides a means of passing connection information between layers of the proxy infrastructure. Without the PROXY protocol, Traffic Server would only have connection information from the previous hop connecting to Traffic Server and not the actual originating client connection information. This can be done over either HTTP or TLS connections.
Note
The current version only supports transforming client IP from PROXY Version 1 header to the Forwarded: header.
In the current implementation, the client IP address in the PROXY protocol header is passed to the origin server via an HTTP Forwarded: header.
The Proxy Protocol must be enabled on each port. See
proxy.config.http.server_ports
for information on how to enable the
Proxy Protocol on a port. Once enabled, all incoming requests must be prefaced
with the PROXY v1 header. Any request not preface by this header will be
dropped.
As a security measure, an optional whitelist of trusted IP addresses may be
configured with proxy.config.http.proxy_protocol_whitelist
.
Important
If the whitelist is configured, requests will only be accepted from these IP addressses and must be prefaced with the PROXY v1 header.
See proxy.config.http.insert_forwarded
for configuration information.
Detection of the PROXY protocol header is automatic. If the PROXY header
precludes the request, it will automatically be parse and made available to the
Forwarded: request header sent to the origin server.
Example¶
As an example, consider the following topology:
Without the PROXY protocol header, the client IP would only be reported
accurately to the Load Balancer. Traffic Server would only see the connection from the
Load Balancer. Similarly, the Web Server would only see the connection from
Traffic Server. In the example above, if the client initiated a TLS connection, the Web
Server would see the connection originating from Traffic Server at 10.0.0.2
:
Forwarded: for=10.0.0.2;by=10.0.0.1;proto=https;host=test000001.com
If the Load Balancer has the Proxy Protocol enabled, requests sent through the
Load Balancer will be preceded with the PROXY header. Traffic Server will detect the
PROXY header and transform that into the Forwarded: HTTP header if configured to
insert the Forwarded: header with the for
paramter. In the example above,
if the client initiated a TLS connection, the Web Server can use the Forwarded:
header to determine the TLS connection originated from the client at 192.168.1.100
:
Forwarded: for=192.168.2.100;by=10.0.0.2;proto=https;host=test000001.com