Skip to content

Add support for proxyprotocol for DoT #473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
peterverraedt wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add support for proxyprotocol for DoT #473

peterverraedt wants to merge 1 commit into from

Conversation

@peterverraedt
Copy link

@peterverraedt peterverraedt commented Nov 16, 2025

Support the proxy protocol in TCP and TLS listeners, to allow Adguard to be placed behind a load balancer/proxy such as nginx or traefik. If the connection is made from one of the trusted proxies ip addresses, it is allowed - but not required - that TCP and TLS connections contain a proxy protocol header to pass source connection information. If a connection is made from other ip addresses, no proxy protocol header is allowed.

We don't allow proxy protocol in the HTTPS or QUIC listeners as there the source ip information can be passed by HTTP headers instead.

This fixes AdguardTeam/AdGuardHome#2798.

windsurf-bot[bot]
windsurf-bot bot reviewed Nov 16, 2025
View reviewed changes
Copy link

@windsurf-bot windsurf-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 To request another review, post a new comment with "/windsurf-review".

@peterverraedt
Copy link
Author

peterverraedt commented Nov 16, 2025

/windsurf-review

windsurf-bot[bot]
windsurf-bot bot reviewed Nov 16, 2025
View reviewed changes
Copy link

@windsurf-bot windsurf-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 To request another review, post a new comment with "/windsurf-review".

@peterverraedt
Integrate proxyproto for TCP and TLS listeners
8f35270 
If the connection is made from one of the trusted proxies ip addresses,
it is allowed that TCP and TLS connections contain a proxyprotocol
header to pass source connection information. This in particular allows
dns over tls behind a load balancer, while keeping source ip address
information.

Signed-off-by: Peter Verraedt <peter@verraedt.be>
@peterverraedt
Copy link
Author

peterverraedt commented Nov 22, 2025

/windsurf-review

windsurf-bot[bot]
windsurf-bot bot reviewed Nov 22, 2025
View reviewed changes
Copy link

@windsurf-bot windsurf-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me 🤙

💡 To request another review, post a new comment with "/windsurf-review".

@xduugu
Copy link

xduugu commented Dec 3, 2025

Thanks a lot for your work on this, @peterverraedt.

Have you happened to look at the UDP support as well, and can you estimate how difficult it would be to implement? As far as I know, pires/go-proxyproto already supports proxy protocol v2 for UDP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@windsurf-bot windsurf-bot[bot] windsurf-bot[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support PROXY Protocol

2 participants

@peterverraedt @xduugu