Documentation edits made through Mintlify web editor

2026-02-09 06:26:46 +00:00 · 2025-10-10 17:14:39 -04:00
parent 3e72c65afb
commit 94e991525b
1 changed files with 154 additions and 0 deletions
--- a/self-host/advanced/proxyprotocol.mdx
+++ b/self-host/advanced/proxyprotocol.mdx
@@ -0,0 +1,154 @@
+---
+title: "New file"
+description: "Description of your new file."
+---
+
+# Proxy Protocol (Advanced)
+
+In Pangolin, make a TCP resource or UDP resource.  
+
+> **Note:** Not all applications support Proxy Protocol. If you send Proxy Protocol headers to an application that isn't configured for it or doesn't support it, the connection will fail entirely.
+
+---
+
+## Creating the Resource
+
+In Pangolin, go into **Resources** and create a TCP or UDP route like you normally would — pointing it to your resource which accepts Proxy Protocol.
+
+Say I'm using `tcp-8888` with Pangolin.  
+
+I configure it to hit my Proxy Protocol–enabled service such as Minecraft Paper or Velocity.
+
+It'll give you a **port** to put into the compose file and an **entryPoint** to add into the `traefik_config.yml`.  
+
+Only do the second, not the first.
+
+---
+
+## Add the EntryPoint
+
+Add an entrypoint in `traefik_config.yml` for the port you intend to use.
+
+```yaml
+entryPoints:
+  tcp-22000: 
+    address: ":22000/tcp"
+```
+
+I'm going to use `tcp-22000` for this, and in Traefik under **Gerbil**, I'm going to add the same mapping:
+
+```yaml
+  gerbil:
+    image: fosrl/gerbil
+    container_name: gerbil
+    restart: unless-stopped
+    ports:
+     - 51820:51820/udp
+     - 21820:21820/udp
+     - 443:443/tcp
+     - 80:80/tcp
+     - 22000:22000/tcp
+```
+
+---
+
+## Find the Service Address
+
+Run the following command:
+
+```bash
+docker exec pangolin curl http://localhost:3001/api/v1/traefik-config | jq
+```
+
+Look for the entry that resembles:
+
+```json
+  "tcp": {
+    "routers": {
+      "43-router": {
+        "entryPoints": [
+          "tcp-8888"
+        ],
+        "service": "43-service",
+        "rule": "HostSNI(`*`)"
+```
+
+Follow this down further until you reach the service line — `43-service` in this example:
+
+```json
+    "services": {
+      "43-service": {
+        "loadBalancer": {
+          "servers": [
+            {
+              "address": "100.89.128.4:58655"
+            }
+          ]
+        }
+      },
+```
+
+Make a note of the address there.
+
+---
+
+## Update Dynamic Configuration
+
+Go into `config/traefik_dynamic.yml` and add:
+
+### TCP Example
+
+```yaml
+tcp:
+  routers:
+    minecraft-rtr:
+      rule: "HostSNI(`*`)"
+      entryPoints:
+        - "tcp-22000"
+      service: minecraft-svc
+  services:
+    minecraft-svc:
+      loadBalancer:
+        serversTransport: proxy-protocol-v1 # Can be named anything really as long as it matches the defined transport.
+        servers:
+          - address: "100.89.128.4:58655"
+  serversTransports:
+    proxy-protocol-v1:
+      proxyProtocol:
+        version: 1
+```
+
+### UDP Example
+
+```yaml
+tcp:
+  routers:
+    servicename-rtr:
+      entryPoints:
+        - "udp-22000"
+      service: servicename-svc
+  services:
+    servicename-svc:
+      loadBalancer:
+        serversTransport: proxyprotocol-udp
+        servers:
+          - address: "100.89.128.4:58655"
+  serversTransports:
+    proxyprotocol-udp:
+      proxyProtocol:
+        version: 1
+```
+
+---
+
+## Downstream Applications
+
+For downstream applications, you'll need to configure them to trust Proxy Protocol connections originating from the system where **Newt** connects to the service.
+
+For example:  
+
+If the Newt is running on **Host B** at `192.168.1.5`,  
+
+your service on **Host A** at `192.168.1.4` needs to trust `192.168.1.5` as a trusted Proxy Protocol source.
+
+Once Proxy Protocol is in play, the connection between Traefik and the backend **must** speak Proxy Protocol — otherwise it will refuse to connect.