In this week’s episode of Two-Minute Tech Tuesday, we'll talk about the PROXY protocol. The PROXY protocol transports client connection information across multiple proxy servers, and Varnish uses it to facilitate TLS termination. It's not a replacement for HTTP; in fact, it operates on a different layer of the network stack and comes as a preamble that is prepended to the request data.
If you terminate TLS in Varnish by adding a TLS proxy, the PROXY protocol will ensure that Varnish knows that the real client is identified by IP address 10.10.10.1, and not Varnish's client, which is the TLS proxy identified by 10.10.10.2.
The PROXY header also contains port and protocol information. So on top of the session information that shows the TLS proxy as its direct client connecting on port 8443, Varnish also has the real client and real server information of the original connection.
This means 10.10.10.1 is the client and 10.10.10.2 is the server, and the connection was made over port 443, the conventional HTTPS port. Internally this is reflected by setting the client.ip and server.ip VCL variables to the corresponding values, and by using the original client IP address as the value of the X-Forwarded-For header that Varnish sets.
Two Versions of the PROXY Protocol
Version 1 is a clear text protocol that adds:
- The header containing the protocol information
- The source and destination IP address
- The source and destination port
PROXY TCP4 10.10.10.1 10.10.10.2 58076 443
GET / HTTP/1.1
Host: example.com
Version 2 is a binary format, meaning it:
- Can carry more data because the encoding is compact
- Supports TCP, UDP and UNIX domain sockets
- Contains TLV attributes with information about the TLS connection, if there is one
To enable PROXY protocol support in Varnish, add an extra listening address on top of the regular HTTP listening address, specify a port, and use the PROXY keyword to enable PROXY v1 and v2 support on that listening address.
For local connections that don't require TCP/IP, UNIX domain sockets are supported. To do this, specify the path of the socket, use the "PROXY" keyword, and then specify some filesystem-related parameters.
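As an added example (not Varnish or Hitch code), the following Python parser reads both preamble formats described above, the v1 text line shown earlier and the binary v2 form with its TLVs, the way a PROXY-enabled listener (for varnishd, an address such as `-a :8443,PROXY`) would before handing the remaining bytes to the HTTP parser. It is deliberately strict: the 107-byte v1 limit, the field count, the address family, the port range and the v2 length fields are all checked, because a PROXY listener trusts whatever the preamble claims. That is also the operational caveat: only the TLS proxy should be able to reach the PROXY-enabled listening address, since any peer that can connect to it can assert an arbitrary client address, which then becomes client.ip and X-Forwarded-For. The sample preambles at the bottom are constructed for this example; the v1 line is the one from the post.

```python
# Added example (not Varnish or Hitch code): a strict parser for PROXY protocol
# v1 (text) and v2 (binary) preambles, the bytes a PROXY listener reads first.
import ipaddress
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

V1_MAX_LEN = 107                          # longest legal v1 line, CRLF included
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte v2 magic
PP2_TYPE_SSL = 0x20                       # v2 TLV carrying TLS details from the terminator
# v2 address families: struct format, address block size, family suffix
_ADDR = {0x1: ("!4s4sHH", 12, "4"), 0x2: ("!16s16sHH", 36, "6"), 0x3: (None, 216, "")}


class ProxyError(ValueError):
    """Malformed preamble: the receiver should close the connection."""


@dataclass
class ProxyInfo:
    version: int
    family: str                 # TCP4, TCP6, UDP4, UDP6, UNIX, UNKNOWN or LOCAL
    src: Optional[str]          # the real client: what Varnish exposes as client.ip
    dst: Optional[str]          # the real server: what becomes server.ip
    src_port: Optional[int]
    dst_port: Optional[int]
    header_len: int             # bytes to strip before the request data
    tlvs: dict = field(default_factory=dict)   # v2 only: {type: raw value}


def parse_v1(data: bytes) -> ProxyInfo:
    """v1: 'PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <sport> <dport>\\r\\n'."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        raise ProxyError("no CRLF within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")   # exactly one space between fields
    if len(parts) < 2 or parts[0] != "PROXY":
        raise ProxyError("missing PROXY keyword")
    if parts[1] == "UNKNOWN":                        # sender could not learn the addresses
        return ProxyInfo(1, "UNKNOWN", None, None, None, None, end + 2)
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ProxyError("malformed v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if {src.version, dst.version} != {int(parts[1][3])}:
        raise ProxyError("address family does not match the addresses")
    sp, dp = parts[4], parts[5]
    if not (sp.isdigit() and dp.isdigit()) or max(int(sp), int(dp)) > 65535:
        raise ProxyError("bad port")
    return ProxyInfo(1, parts[1], str(src), str(dst), int(sp), int(dp), end + 2)


def _tlvs(buf: bytes) -> dict:
    """Type (1 byte), length (2 bytes big-endian), value; repeated to the end."""
    out = {}
    while buf:
        if len(buf) < 3:
            raise ProxyError("truncated TLV")
        ln = struct.unpack("!H", buf[1:3])[0]
        if len(buf) < 3 + ln:
            raise ProxyError("TLV runs past the header")
        out[buf[0]], buf = buf[3:3 + ln], buf[3 + ln:]
    return out


def parse_v2(data: bytes) -> ProxyInfo:
    """v2: signature, version/command byte, family/protocol byte, 16-bit length, body."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ProxyError("missing v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F not in (0, 1) or len(data) < 16 + length:
        raise ProxyError("bad version/command byte or truncated header")
    body, hdr_len = data[16:16 + length], 16 + length
    if ver_cmd & 0x0F == 0:        # LOCAL: the proxy's own traffic (health checks), no addresses
        return ProxyInfo(2, "LOCAL", None, None, None, None, hdr_len)
    af, proto = fam_proto >> 4, fam_proto & 0x0F
    fmt, size, v = _ADDR.get(af, (None, 0, ""))   # AF_UNSPEC: no address block
    if len(body) < size:
        raise ProxyError("short address block")
    tlvs = _tlvs(body[size:])
    if af == 0x3:                  # AF_UNIX: two 108-byte NUL-padded socket paths
        s, d = (p.split(b"\0", 1)[0].decode() for p in (body[:108], body[108:216]))
        return ProxyInfo(2, "UNIX", s, d, None, None, hdr_len, tlvs)
    if fmt is None:                # AF_UNSPEC: the receiver must ignore any addresses
        return ProxyInfo(2, "UNKNOWN", None, None, None, None, hdr_len, tlvs)
    s, d, sp, dp = struct.unpack(fmt, body[:size])
    fam = {1: "TCP", 2: "UDP"}.get(proto, "UNSPEC") + v
    return ProxyInfo(2, fam, str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)),
                     sp, dp, hdr_len, tlvs)


def parse_proxy_header(data: bytes) -> ProxyInfo:
    """Sniff the first bytes, as a listener that accepts both versions does."""
    if data.startswith(V2_SIGNATURE):
        return parse_v2(data)
    if data.startswith(b"PROXY "):
        return parse_v1(data)
    raise ProxyError("no PROXY preamble; a PROXY-only listener rejects this connection")


# Constructed samples: the v1 line from the post, and an equivalent v2 preamble
# whose PP2_TYPE_SSL TLV says the client used TLS (flag 0x01) without verification.
V1_SAMPLE = b"PROXY TCP4 10.10.10.1 10.10.10.2 58076 443\r\nGET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
_body = (socket.inet_aton("10.10.10.1") + socket.inet_aton("10.10.10.2") + struct.pack("!HH", 58076, 443)
         + bytes([PP2_TYPE_SSL, 0, 5]) + b"\x01\x00\x00\x00\x00")
V2_SAMPLE = V2_SIGNATURE + b"\x21\x11" + struct.pack("!H", len(_body)) + _body + b"GET / HTTP/1.1\r\n"
```

`parse_proxy_header(V1_SAMPLE)` yields the 10.10.10.1 / 10.10.10.2 pair from the post with `header_len` 44, so the request data starts at byte 44; the v2 sample decodes to the same addresses and ports plus the raw TLS TLV. Every rejection raises `ProxyError`, which is the right reaction on a PROXY listener: a connection with no or a malformed preamble is closed rather than served with a guessed client address.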
We recommend you use the PROXY protocol in conjunction with Varnish as Varnish leverages it for TLS termination. If you're planning to terminate TLS, we would advise you to use Hitch, which is our TLS proxy, and connect it to Varnish over the PROXY protocol. Keep an eye out for next week's edition of Two-Minute Tech Tuesday, where we will cover Hitch.