Proxy Protocol

Because Cloudflare intercepts packets before forwarding them to your server, if you were to look up the client IP, you would see Cloudflare’s IP rather than the true client IP.

Some services you run may require knowledge of the true client IP. In those cases, you can use Proxy Protocol for Cloudflare to pass on the client IP to your service. Spectrum supports adding Proxy Protocol v1, which is the human readable version supported by Amazon ELB and NGINX.

To enable Proxy Protocol for a TCP application on Cloudflare, go to the Spectrum tab in the Cloudflare dashboard, click configure next to the application you would like to add Proxy Protocol to, and toggle the setting for Proxy Protocol to ‘on’. When set to ‘on’, Cloudflare will prepend each inbound TCP connection with the Proxy Protocol header (see below).

The Proxy Protocol Header

Proxy Protocol prepends every connection with a header reporting the client IP address and port. A Proxy Protocol header has the format:

PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"

An example Proxy Protocol line for an IPv4 address would look like:

PROXY TCP4 192.0.2.0 192.0.2.255 42300 443\r\n

An example Proxy Protocol line for an IPv6 address would look like:

PROXY TCP6 2001:db8:: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff 42300 443\r\n