
Nginx can be configured to support the HAProxy proxy protocol for inbound traffic: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_protocol

However, using proxy_protocol on;, nginx cannot handle HTTP(S) traffic without the PROXY line.

The traefik reverse proxy, on the other hand, is able to treat the PROXY line as optional:

If Proxy Protocol header parsing is enabled for the entry point, this entry point can accept connections with or without Proxy Protocol headers.
https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol

Is it possible to configure nginx to treat the PROXY line as optional?

My use case is nginx as a kubernetes ingress to handle proxy protocol traffic from outside via a load balancer and without the proxy protocol for cluster-internal HTTP(S) traffic.

I know there is hairpin-proxy that works, but it’s a bit hacky as it adds rewrites for all CoreDNS cluster-internal DNS entries.
https://github.com/compumike/hairpin-proxy#:~:text=Modify%20nginx%20to%20treat%20the%20PROXY%20line%20as%20optional


The K8s Cloud Setup used in this scenario:

2 Answers


  1. Is it possible to configure nginx to treat the PROXY line as optional?

    No.

    You can use a listener with proxy protocol and one without but it’s currently not possible to use both in one listener.

  2. The Proxy protocol specification forbids this kind of mixing of proxy and non-proxy connections. The reason is that it would allow easy spoofing of IP addresses and other data.

    Quote from the specification:

    The receiver MUST be configured to only receive the protocol described in this
    specification and MUST not try to guess whether the protocol header is present
    or not. This means that the protocol explicitly prevents port sharing between
    public and private access. Otherwise it would open a major security breach by
    allowing untrusted parties to spoof their connection addresses. The receiver
    SHOULD ensure proper access filtering so that only trusted proxies are allowed
    to use this protocol.
    
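As an added example (it is not part of the question or of either answer), this is the two-listener layout the first answer describes, combined with the "proper access filtering" the specification quoted in the second answer asks for: one server block that requires the PROXY line and is reachable only from the load balancer, and a second server block on a different port, without proxy_protocol, for cluster-internal clients. The addresses (10.0.0.0/8 as the load-balancer source range, 10.96.0.0/12 as the cluster CIDR), the ports, the certificate paths, the hostname and the upstream name "app" are assumptions chosen for illustration.

```nginx
# Added example, not from the question or the answers. All addresses, ports,
# paths and names below are assumptions for illustration.
events {
    worker_connections 1024;
}

http {
    upstream app {
        server 10.244.1.10:8080;   # assumed backend pod address
    }

    # External path: connections arrive through the cloud load balancer, which
    # always prepends a PROXY line, so proxy_protocol is mandatory here.
    server {
        listen 443 ssl proxy_protocol;
        server_name example.internal;                # assumed hostname

        ssl_certificate     /etc/nginx/tls/tls.crt;  # assumed paths
        ssl_certificate_key /etc/nginx/tls/tls.key;

        # Replace $remote_addr with the address from the PROXY line only when
        # the TCP peer is the load balancer. Any other peer keeps its real
        # socket address, so it cannot spoof a client IP via the header.
        set_real_ip_from 10.0.0.0/8;                 # assumed LB source range
        real_ip_header   proxy_protocol;

        location / {
            proxy_pass http://app;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        }
    }

    # Internal path: pods connect directly and send no PROXY line, so this
    # listener must not use proxy_protocol. It sits on a separate port that is
    # not exposed through the load balancer, which is exactly the port
    # separation the specification requires instead of header guessing.
    server {
        listen 8443 ssl;
        server_name example.internal;

        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;

        allow 10.96.0.0/12;                          # assumed cluster CIDR
        deny  all;

        location / {
            proxy_pass http://app;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }
}
```

One caveat when adapting this: on the proxy_protocol listener, do not rely on allow/deny to restrict who may speak the protocol. The realip module rewrites $remote_addr during the post-read phase, before the access phase runs, so an allow/deny rule there would be evaluated against the address taken from the PROXY line, which is the value an untrusted peer controls. Restrict reachability of port 443 to the load balancer at the network layer (security group, firewall or a Kubernetes NetworkPolicy) and use set_real_ip_from, as above, to decide whose PROXY header is believed.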