diff --git a/self-host/advanced/proxyprotocol.mdx b/self-host/advanced/proxyprotocol.mdx new file mode 100644 index 0000000..ddb0a13 --- /dev/null +++ b/self-host/advanced/proxyprotocol.mdx 
@@ -0,0 +1,154 @@ +--- +title: "New file" +description: "Description of your new file." +--- + +# Proxy Protocol (Advanced) + +In Pangolin, make a TCP resource or UDP resource. + +> **Note:** Not all applications support Proxy Protocol. If you send Proxy Protocol headers to an application that isn't configured for it or doesn't support it, the connection will fail entirely. + +--- + +## Creating the Resource + +In Pangolin, go into **Resources** and create a TCP or UDP route like you normally would — pointing it to your resource which accepts Proxy Protocol. + +Say I'm using `tcp-8888` with Pangolin. + +I configure it to hit my Proxy Protocol–enabled service such as Minecraft Paper or Velocity. + +It'll give you a **port** to put into the compose file and an **entryPoint** to add into the `traefik_config.yml`. + +Only do the second, not the first. + +--- + +## Add the EntryPoint + +Add an entrypoint in `traefik_config.yml` for the port you intend to use. + +```yaml +entryPoints: + tcp-22000: + address: ":22000/tcp" +``` + +I'm going to use `tcp-22000` for this, and in Traefik under **Gerbil**, I'm going to add the same mapping: + +```yaml + gerbil: + image: fosrl/gerbil + container_name: gerbil + restart: unless-stopped + ports: + - 51820:51820/udp + - 21820:21820/udp + - 443:443/tcp + - 80:80/tcp + - 22000:22000/tcp +``` + +--- + +## Find the Service Address + +Run the following command: + +```bash +docker exec pangolin curl http://localhost:3001/api/v1/traefik-config | jq +``` + +Look for the entry that resembles: + +```json + "tcp": { + "routers": { + "43-router": { + "entryPoints": [ + "tcp-8888" + ], + "service": "43-service", + "rule": "HostSNI(`*`)" +``` + +Follow this down further until you reach the service line — `43-service` in this example: + +```json + "services": { + "43-service": { + "loadBalancer": { + "servers": [ + { + "address": "100.89.128.4:58655" + } + ] + } + }, +``` + +Make a note of the address there. 
+ +--- + +## Update Dynamic Configuration + +Go into `config/traefik_dynamic.yml` and add: + +### TCP Example + +```yaml +tcp: + routers: + minecraft-rtr: + rule: "HostSNI(`*`)" + entryPoints: + - "tcp-22000" + service: minecraft-svc + services: + minecraft-svc: + loadBalancer: + serversTransport: proxy-protocol-v1 # Can be named anything really as long as it matches the defined transport. + servers: + - address: "100.89.128.4:58655" + serversTransports: + proxy-protocol-v1: + proxyProtocol: + version: 1 +``` + +### UDP Example + +```yaml +tcp: + routers: + servicename-rtr: + entryPoints: + - "udp-22000" + service: servicename-svc + services: + servicename-svc: + loadBalancer: + serversTransport: proxyprotocol-udp + servers: + - address: "100.89.128.4:58655" + serversTransports: + proxyprotocol-udp: + proxyProtocol: + version: 1 +``` + +--- + +## Downstream Applications + +For downstream applications, you'll need to configure them to trust Proxy Protocol connections originating from the system where **Newt** connects to the service. + +For example: + +If the Newt is running on **Host B** at `192.168.1.5`, + +your service on **Host A** at `192.168.1.4` needs to trust `192.168.1.5` as a trusted Proxy Protocol source. + +Once Proxy Protocol is in play, the connection between Traefik and the backend **must** speak Proxy Protocol — otherwise it will refuse to connect. \ No newline at end of file
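Review bot: The "UDP Example" block in `self-host/advanced/proxyprotocol.mdx` is inconsistent with the rest of the page: it is placed under a `tcp:` key rather than `udp:`, and its router references an entrypoint `udp-22000` that is never defined (the only entrypoint added earlier is `tcp-22000` with `address: ":22000/tcp"`, and the Gerbil port mapping is likewise `22000:22000/tcp`). As written, a reader who copies it will get a router pointing at a non-existent entrypoint; either define a matching `udp-22000` entrypoint (`address: ":22000/udp"` plus a `22000:22000/udp` port mapping) and put the block under the correct top-level key, or drop the UDP section and state that the page covers TCP only, since every worked value on the page (`tcp-8888`, `tcp-22000`, the `HostSNI` rule, `proxyProtocol.version: 1`) is TCP-specific. Two smaller points in the same hunk: the frontmatter still carries the template placeholders (`title: "New file"`, `description: "Description of your new file."`) and should be replaced with a real title and description before merge; and the "Downstream Applications" section would benefit from one sentence saying why the trust list must be limited to the Newt host, because a backend that accepts Proxy Protocol headers from any source will log and authorize against whatever client address the header claims.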