3

I've probably got lost in the masses of documentation on this subject, but I'm trying to configure my HAProxy process to send the PROXY protocol header as described at http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt. This is because I am having to write support for the PROXY protocol into a C++ server (in order for it to have access to the client IP/port) and I want to test my code is working properly with the parsing of the PROXY header.

Here is my minimal config file:

global
   maxconn 4096

defaults
   log   global
   mode   http
   retries   3
   option redispatch
   maxconn   2000
   timeout connect 5000
   timeout client  50000
   timeout server  50000

frontend TestServerTest
    bind 10.6.186.24:54781
    mode tcp
    default_backend TestServernodes

backend TestServernodes
    mode tcp
    # Note there is no 'check' after the below line unlike the others as we don't want to send the
    # healthcheck ("OPTIONS / HTTP/1.0"...) string to the TestServer as it doesn't understand it!
    server TestServer01 10.6.186.24:48080

What I am finding is that when I start HAProxy and connect to 54781, the first data that TestServer at 48080 receives is the data which is sent from my client; it is not the PROXY header described at the link I posted.

Can someone please tell me what I am missing in my configuration that is preventing the PROXY header being sent to my backend server?

Wad

2 Answers

9

After posting on the HAProxy mailing list (haproxy@formilux.org) I got the answer that I need to add either send-proxy or send-proxy-v2 to my backend server definitions.

My updated config file has the line:

server TestServer01 10.6.186.24:48080 send-proxy

...which sends version 1 of the PROXY protocol.

To send version 2, change this to

server TestServer01 10.6.186.24:48080 send-proxy-v2

iwaseatenbyagrue
Wad
2

Per the document you linked to, the full config requires a couple of components to be configured.

If you have an haproxy instance in front of your real backends, you may need to apply accept-proxy:

the listening sockets accept the protocol when the "accept-proxy" setting is passed to the "bind" keyword. Connections accepted on such listeners will behave just as if the source really was the one advertised in the protocol. This is true for logging, ACLs, content filtering, transparent proxying, etc...

This is the part you figured out in your answer, backend servers need to be configured with send-proxy:

the protocol may be used to connect to servers if the "send-proxy" setting is present on the "server" line. It is enabled on a per-server basis, so it is possible to have it enabled for remote servers only and still have local ones behave differently. If the incoming connection was accepted with the "accept-proxy", then the relayed information is the one advertised in this connection's PROXY line.

And this is as much as I could find on v2:

Haproxy 1.5 also implements version 2 of the PROXY protocol as a sender. In addition, a TLV with limited, optional, SSL information has been added.

iwaseatenbyagrue
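
With send-proxy on the server line, as in the answers above, the first bytes the backend receives are a v1 text line such as "PROXY TCP4 192.0.2.10 10.6.186.24 51234 54781" terminated by CRLF. The following is an added example, not code from either poster or from HAProxy: a strict C++ parser for that line, where ProxyV1, ProxyParse, parse_port and parse_proxy_v1 are hypothetical names and the addresses used with it are constructed.

```cpp
#include <arpa/inet.h>
#include <sys/socket.h>
#include <cstdint>
#include <string>
#include <vector>

enum class ProxyParse { Ok, Incomplete, Invalid };
struct ProxyV1 {
    bool unknown = false;   // "PROXY UNKNOWN": no addresses, fall back to the socket peer
    std::string src, dst;   // client address and the address the client connected to
    uint16_t sport = 0, dport = 0;
    size_t consumed = 0;    // header length: application data starts at this offset
};

static bool parse_port(const std::string& s, uint16_t& out) {
    if (s.empty() || s.size() > 5 || (s.size() > 1 && s[0] == '0') ||
        s.find_first_not_of("0123456789") != std::string::npos) return false;
    const unsigned long v = std::stoul(s);
    if (v > 65535) return false;
    out = static_cast<uint16_t>(v);
    return true;
}

// buf: the first bytes read on a connection whose peer is a trusted proxy.
ProxyParse parse_proxy_v1(const std::string& buf, ProxyV1& h) {
    const size_t kMaxLine = 107;  // longest v1 line including CRLF, per the spec
    const size_t eol = buf.substr(0, kMaxLine).find("\r\n");
    if (eol == std::string::npos)
        return buf.size() < kMaxLine ? ProxyParse::Incomplete : ProxyParse::Invalid;
    if (buf.compare(0, 6, "PROXY ") != 0) return ProxyParse::Invalid;
    h = ProxyV1();
    h.consumed = eol + 2;
    std::vector<std::string> f;  // fields are separated by exactly one space
    for (size_t p = 6; p <= eol;) {
        size_t sp = buf.find(' ', p);
        if (sp > eol) sp = eol;  // also covers npos
        f.push_back(buf.substr(p, sp - p));
        p = sp + 1;
    }
    if (f[0] == "UNKNOWN") { h.unknown = true; return ProxyParse::Ok; }
    const int af = f[0] == "TCP4" ? AF_INET : f[0] == "TCP6" ? AF_INET6 : AF_UNSPEC;
    unsigned char addr[16];
    if (f.size() != 5 || af == AF_UNSPEC || inet_pton(af, f[1].c_str(), addr) != 1 ||
        inet_pton(af, f[2].c_str(), addr) != 1 || !parse_port(f[3], h.sport) ||
        !parse_port(f[4], h.dport)) return ProxyParse::Invalid;
    h.src = f[1];
    h.dst = f[2];
    return ProxyParse::Ok;
}
```

On Incomplete, read more bytes and retry; on Invalid, close the connection rather than treating the bytes as application data. Only run this on listeners that are reachable solely from the proxy, because any client that can connect directly can otherwise supply its own source address in the header.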