Send PROXY protocol header from HAProxy

Solution 1:

After posting on the HAProxy mailing list ([email protected]) I got the answer that I need to add either send-proxy or send-proxy-v2 to my backend server definitions.

My updated config file has the line:

server TestServer01 10.6.186.24:48080 send-proxy

...which sends version 1 of the PROXY protocol.

To send version 2, change this to

server TestServer01 10.6.186.24:48080 send-proxy-v2

Solution 2:

Per the document you linked to, the full config requires a couple of components to be configured.

If you have an haproxy instance in front of your real backends, you may need to apply accept-proxy:

the listening sockets accept the protocol when the "accept-proxy" setting is passed to the "bind" keyword. Connections accepted on such listeners will behave just as if the source really was the one advertised in the protocol. This is true for logging, ACLs, content filtering, transparent proxying, etc...

This is the part you figured out in your answer, backend servers need to be configured with send-proxy:

the protocol may be used to connect to servers if the "send-proxy" setting is present on the "server" line. It is enabled on a per-server basis, so it is possible to have it enabled for remote servers only and still have local ones behave differently. If the incoming connection was accepted with the "accept-proxy", then the relayed information is the one advertised in this connection's PROXY line.

And this is as much as I could find on v2:

Haproxy 1.5 also implements version 2 of the PROXY protocol as a sender. In addition, a TLV with limited, optional, SSL information has been added.