The PROXY protocol provides a means of passing connection information between layers of the proxy infrastructure. Without the PROXY protocol, Traffic Server would only have connection information from the previous hop connecting to Traffic Server and not the actual originating client connection information. This can be done over either HTTP or TLS connections.
The current implementation doesn’t support TLV fields of Version 2.
The Proxy Protocol must be enabled on each port for which connections with the
Proxy Protocol header are expected. See
proxy.config.http.server_ports for information on how to enable the
Proxy Protocol on a port. Once enabled, incoming requests may be prefaced with
either the PROXY v1 or v2 header. Any request not prefaced by this header will
be handled according to the other directives in the associated port
As a security measure, an optional list of trusted IP addresses may be
If the allowlist is configured, requests will only be accepted from these IP addresses for all ports designated for Proxy Protocol in the
proxy.config.http.server_portsconfiguration, regardless of whether the connections have the Proxy Protocol header.
HTTP Forwarded Header
The client IP address in the PROXY protocol header is passed to the origin server via an HTTP Forwarded: header. See
proxy.config.http.insert_forwarded for configuration information.
Detection of the PROXY protocol header is automatic. If the PROXY header
precludes the request, it will automatically be parse and made available to the
Forwarded: request header sent to the origin server.
Outbound PROXY protocol
proxy.config.http.proxy_protocol_out for configuration information.
As an example, consider the following topology:
Without the PROXY protocol header, the client IP would only be reported
accurately to the Load Balancer. Traffic Server would only see the connection from the
Load Balancer. Similarly, the Web Server would only see the connection from
Traffic Server. In the example above, if the client initiated a TLS connection, the Web
Server would see the connection originating from Traffic Server at
If the Load Balancer has the Proxy Protocol enabled, requests sent through the
Load Balancer will be preceded with the PROXY header. Traffic Server will detect the
PROXY header and transform that into the Forwarded: HTTP header if configured to
insert the Forwarded: header with the
for parameter. In the example above,
if the client initiated a TLS connection, the Web Server can use the Forwarded:
header to determine the TLS connection originated from the client at