# PROXY Protocol Support
NovaEdge supports the PROXY protocol (v1 and v2) for preserving real client IP addresses when traffic passes through intermediate load balancers or proxies.
## Overview
When NovaEdge sits behind a layer 4 load balancer (such as AWS NLB, HAProxy, or cloud load balancers), the original client IP is lost because the upstream proxy replaces it with its own IP. The PROXY protocol solves this by prepending a header to the connection that contains the original client information.
NovaEdge supports:
- Receiving PROXY protocol headers from upstream load balancers (listener-side)
- Sending PROXY protocol headers to backend services (upstream-side)
## Listener Configuration (Receiving)

### Kubernetes CRD
```yaml
apiVersion: novaedge.io/v1alpha1
kind: ProxyGateway
metadata:
  name: external-gateway
spec:
  vipRef: external-vip
  listeners:
    - name: https
      port: 443
      protocol: HTTPS
      tls:
        secretRef:
          name: tls-cert
      proxyProtocol:
        enabled: true
        version: 0  # 0 = accept both v1 and v2
        trustedCIDRs:
          - "10.0.0.0/8"  # Only trust PROXY headers from internal IPs
          - "172.16.0.0/12"
```
### Standalone Mode

```yaml
listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      certFile: /etc/tls/cert.pem
      keyFile: /etc/tls/key.pem
    proxyProtocol:
      enabled: true
      version: 0
      trustedCIDRs:
        - "10.0.0.0/8"
```
### Configuration Options

| Field | Type | Default | Description |
|---|---|---|---|
| `enabled` | bool | `false` | Enable PROXY protocol parsing |
| `version` | int | `0` | Protocol version: 0 (both), 1 (v1 only), 2 (v2 only) |
| `trustedCIDRs` | []string | `[]` (all) | Source CIDRs from which PROXY headers are accepted |
### Security: Trusted CIDRs

Always configure `trustedCIDRs` in production. With the default empty list, any client that can reach the listener can send a PROXY protocol header and spoof its source IP address. Trust only the IP addresses of your upstream load balancers.
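To make the `version` and `trustedCIDRs` semantics from the table above concrete, here is an added example (written for this page, not NovaEdge's own code) of how a listener decides which address to treat as the client. It parses both the v1 text header and the v2 binary header (TCP over IPv4/IPv6 only; TLVs are ignored), honors a header only when the TCP peer falls inside a trusted CIDR, and otherwise falls back to the peer address. The sample connections, the function names and the decision to reject an untrusted peer that presents a header are constructed assumptions.

```python
import ipaddress
import struct
from typing import NamedTuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # the 12-byte PROXY v2 signature

# Constructed samples: a load balancer at 10.0.0.5 forwards client 203.0.113.7:51234
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIGNATURE + b"\x21\x11\x00\x0c"          # v2 PROXY cmd, TCP/IPv4, len 12
             + b"\xcb\x00\x71\x07" + b"\x0a\x00\x00\x05"  # src 203.0.113.7, dst 10.0.0.5
             + b"\xc8\x22" + b"\x01\xbb")                 # src port 51234, dst port 443

class ClientInfo(NamedTuple):
    ip: str
    port: int
    proxy_version: int  # 1 or 2; 0 means the TCP peer address was used as-is

def parse_v1(data: bytes) -> ClientInfo:
    """Parse the text header 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    line, sep, _ = data.partition(b"\r\n")
    parts = line.decode("ascii").split(" ")
    if not sep or len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed or unsupported PROXY v1 header")
    return ClientInfo(str(ipaddress.ip_address(parts[2])), int(parts[4]), 1)

def parse_v2(data: bytes) -> ClientInfo:
    """Parse the binary v2 header for TCP over IPv4/IPv6 (TLV extensions ignored)."""
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    if ver_cmd != 0x21 or len(data) < 16 + length:
        raise ValueError("not a v2 PROXY command or truncated header")
    if fam_proto == 0x11:    # TCP over IPv4: 4+4 byte addresses, 2+2 byte ports
        src, _, sport, _ = struct.unpack_from("!4s4sHH", data, 16)
    elif fam_proto == 0x21:  # TCP over IPv6: 16+16 byte addresses, 2+2 byte ports
        src, _, sport, _ = struct.unpack_from("!16s16sHH", data, 16)
    else:
        raise ValueError("v2 header carries no usable TCP client address")
    return ClientInfo(str(ipaddress.ip_address(src)), sport, 2)

def resolve_client(peer_ip, peer_port, data, version=0, trusted_cidrs=()):
    """Apply the listener settings: honor a PROXY header only from a trusted peer."""
    peer = ipaddress.ip_address(peer_ip)
    has_v1 = data.startswith(b"PROXY ") and version in (0, 1)
    has_v2 = data.startswith(V2_SIGNATURE) and version in (0, 2)
    if not (has_v1 or has_v2):
        return ClientInfo(str(peer), peer_port, 0)  # no header: the peer is the client
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if nets and not any(peer in n for n in nets):  # empty list = trust all (the default)
        raise PermissionError(f"PROXY header from untrusted peer {peer}: possible IP spoofing")
    return parse_v1(data) if has_v1 else parse_v2(data)
```

Note that with `trusted_cidrs` left empty the check is skipped entirely, which is exactly why the default must be overridden in production.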
## Backend Configuration (Sending)

To forward real client IPs to backends that support the PROXY protocol:

### Kubernetes CRD
```yaml
apiVersion: novaedge.io/v1alpha1
kind: ProxyBackend
metadata:
  name: backend-with-proxy
spec:
  serviceRef:
    name: my-service
    port: 8080
  upstreamProxyProtocol:
    enabled: true
    version: 1  # Send v1 headers to backends
```
### Standalone Mode

```yaml
backends:
  - name: backend-with-proxy
    endpoints:
      - address: "10.0.1.1:8080"
    upstreamProxyProtocol:
      enabled: true
      version: 1
```
## Protocol Versions

### PROXY Protocol v1 (Text)
Human-readable text format. Example:
- Pros: Simple, easy to debug
- Cons: Slightly larger header, IPv6 addresses are longer

### PROXY Protocol v2 (Binary)
Binary format with a 12-byte signature. More compact and extensible.
- Pros: Compact, supports TLV extensions
- Cons: Not human-readable

### Recommendation
- Use v1 for compatibility with most backends
- Use v2 when connecting to modern proxies/backends that support it
- Use `version: 0` on listeners to accept both formats