---
title: "New file"
description: "Description of your new file."
---

# Proxy Protocol (Advanced)

In Pangolin, make a TCP resource or UDP resource.  

> **Note:** Not all applications support Proxy Protocol. If you send Proxy Protocol headers to an application that isn't configured for it or doesn't support it, the connection will fail entirely.

---

## Creating the Resource

In Pangolin, go into **Resources** and create a TCP or UDP route like you normally would — pointing it to your resource which accepts Proxy Protocol.

Say I'm using `tcp-8888` with Pangolin.  

I configure it to hit my Proxy Protocol–enabled service such as Minecraft Paper or Velocity.

It'll give you a **port** to put into the compose file and an **entryPoint** to add into the `traefik_config.yml`.  

Only do the second, not the first.

---

## Add the EntryPoint

Add an entrypoint in `traefik_config.yml` for the port you intend to use.

```yaml
entryPoints:
  tcp-22000: 
    address: ":22000/tcp"
```

I'm going to use `tcp-22000` for this, and in Traefik under **Gerbil**, I'm going to add the same mapping:

```yaml
  gerbil:
    image: fosrl/gerbil
    container_name: gerbil
    restart: unless-stopped
    ports:
     - 51820:51820/udp
     - 21820:21820/udp
     - 443:443/tcp
     - 80:80/tcp
     - 22000:22000/tcp
```

---

## Find the Service Address

Run the following command:

```bash
docker exec pangolin curl http://localhost:3001/api/v1/traefik-config | jq
```

Look for the entry that resembles:

```json
  "tcp": {
    "routers": {
      "43-router": {
        "entryPoints": [
          "tcp-8888"
        ],
        "service": "43-service",
        "rule": "HostSNI(`*`)"
```

Follow this down further until you reach the service line — `43-service` in this example:

```json
    "services": {
      "43-service": {
        "loadBalancer": {
          "servers": [
            {
              "address": "100.89.128.4:58655"
            }
          ]
        }
      },
```

Make a note of the address there.

---

## Update Dynamic Configuration

Go into `config/traefik_dynamic.yml` and add:

### TCP Example

```yaml
tcp:
  routers:
    minecraft-rtr:
      rule: "HostSNI(`*`)"
      entryPoints:
        - "tcp-22000"
      service: minecraft-svc
  services:
    minecraft-svc:
      loadBalancer:
        serversTransport: proxy-protocol-v1 # Can be named anything really as long as it matches the defined transport.
        servers:
          - address: "100.89.128.4:58655"
  serversTransports:
    proxy-protocol-v1:
      proxyProtocol:
        version: 1 # Velocity can handle v2 also but in in doubt use version over version 2.
```

### UDP Example

```yaml
tcp:
  routers:
    servicename-rtr:
      entryPoints:
        - "udp-22000"
      service: servicename-svc
  services:
    servicename-svc:
      loadBalancer:
        serversTransport: proxyprotocol-udp
        servers:
          - address: "100.89.128.4:58655"
  serversTransports:
    proxyprotocol-udp:
      proxyProtocol:
        version: 1
```

---

## Downstream Applications

For downstream applications, you'll need to configure them to trust Proxy Protocol connections originating from the system where **Newt** connects to the service.

For example:  

If the Newt is running on **Host B** at `192.168.1.5`,  

your service on **Host A** at `192.168.1.4` needs to trust `192.168.1.5` as a trusted Proxy Protocol source.

Once Proxy Protocol is in play, the connection between Traefik and the backend **must** speak Proxy Protocol — otherwise it will refuse to connect.