Proxy Protocol and SSL

Question

I have the following configuration:

HAProxy -> NGinx -> Backend

(HAProxy is used for load balancing, NGinx for SSL termination) The configuration can not be changed

I'm trying to pass the source IP to the backend using the proxy protocol. Working without SSL it all works fine. Adding SSL to the equation I either fail on the SSL handshake or that I don't see a way to make NGinx pass the proxy protocol to the backend.

Sample configuration 1:

proxy protocol is passed well on the non ssl connection but for the ssl connection the ssl handshake breaks

HAProxy:

listen HTTP-TCP_8090
    bind :8090

    server nginx nginx:8090 send-proxy

listen HTTPS-TCP_8092
    bind :8092

    server nginx nginx:8092 send-proxy

NGinx:

stream {
    upstream some_backend {
         server some_host:8090;
    }

    server {
        listen                8090;
        listen                8092 ssl;
        proxy_pass            some_backend;
        proxy_protocol        on;

        ssl_certificate       /etc/ssl/server.crt;
        ssl_certificate_key   /etc/ssl/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSLTCP:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }
}

Sample configuration 2:

both connections, ssl and not, work well but the proxy protocol header is not passed to the backend on both cases

HAProxy:

listen HTTP-TCP_8090
    bind :8090

    server nginx nginx:8090 send-proxy

listen HTTPS-TCP_8092
    bind :8092

    server nginx nginx:8092 send-proxy

NGinx:

stream {
    upstream some_backend {
         server some_host:8090;
    }

    server {
        listen                8090 proxy_protocol;
        listen                8092 proxy_protocol ssl;
        proxy_pass            some_backend;

        ssl_certificate       /etc/ssl/server.crt;
        ssl_certificate_key   /etc/ssl/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSLTCP:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }
}

Any idea how do I create a configuration that it both aware to the proxy protocol on an SSL connection and also passed the header to the backend?

Answer 1

Well, it seems that NGinx documentation isn't very good...

https://www.nginx.com/resources/admin-guide/proxy-protocol/

if you want nginx to accept the proxy protocol you need add the proxy_protocol parameter on the listen directive

listen 8090 proxy_protocol;

if you want nginx to send the proxy protocol you need to add the proxy_protocol directive within the server section

proxy_protocol on;

if you want nginx to accept the proxy protocol and pass the accepted header at its other end you need to add both! Sounds logical, right? Right. But it's not documented well. One can easily understand that when dealing with traffic which is not http simply setting the proxy_protocol directive within the server section enables it on both ends of the connection. So finally this is a configuration that works:

stream {
    upstream some_backend {
         server some_host:8090;
    }

    server {
        listen                8090 proxy_protocol;
        listen                8092 proxy_protocol ssl;
        proxy_pass            some_backend;
        proxy_protocol        on;

        ssl_certificate       /etc/ssl/server.crt;
        ssl_certificate_key   /etc/ssl/server.key;
        ssl_protocols         SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSLTCP:20m;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }
}