
Add support for proxyprotocol for DoT #473

Open
peterverraedt wants to merge 1 commit into AdguardTeam:master from peterverraedt:master


@peterverraedt

Support the proxy protocol in TCP and TLS listeners, to allow Adguard to be placed behind a load balancer/proxy such as nginx or traefik. If the connection is made from one of the trusted proxies' IP addresses, it is allowed - but not required - that TCP and TLS connections contain a proxy protocol header to pass source connection information. If a connection is made from other IP addresses, no proxy protocol header is allowed.

We don't allow proxy protocol in the HTTPS or QUIC listeners as there the source IP information can be passed by HTTP headers instead.

This fixes AdguardTeam/AdGuardHome#2798.
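
The trust rule in the description above, as an added Go example that is not code from this pull request: a header is optional from a trusted proxy and refused from anyone else. `clientAddr`, `ErrUntrusted` and `ErrMalformed` are hypothetical names, the addresses are constructed, and only the PROXY v1 text header is parsed (v2 is binary and not handled here).

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

var (
	ErrUntrusted = errors.New("PROXY header from untrusted peer")
	ErrMalformed = errors.New("malformed PROXY v1 header")
)

// clientAddr returns the address a connection should be attributed to.
// Hypothetical helper: handles the v1 text header only (v2 is binary).
func clientAddr(peer netip.AddrPort, trusted []netip.Prefix, r *bufio.Reader) (netip.AddrPort, error) {
	if head, _ := r.Peek(6); string(head) != "PROXY " {
		return peer, nil // header is optional, even from a trusted proxy
	}
	allowed := false
	for _, p := range trusted {
		allowed = allowed || p.Contains(peer.Addr().Unmap())
	}
	if !allowed {
		return netip.AddrPort{}, ErrUntrusted // anyone could claim any source
	}
	raw, err := r.ReadSlice('\n') // bounded by the reader's buffer size
	if err != nil || len(raw) > 107 || !strings.HasSuffix(string(raw), "\r\n") {
		return netip.AddrPort{}, ErrMalformed // v1 header is at most 107 bytes
	}
	f := strings.Fields(string(raw))
	switch {
	case len(f) >= 2 && f[1] == "UNKNOWN":
		return peer, nil // proxy could not name the client; keep the peer
	case len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6"):
		return netip.AddrPort{}, ErrMalformed
	}
	return netip.ParseAddrPort(net.JoinHostPort(f[2], f[4]))
}

func main() {
	// Constructed sample: trusted proxy 10.0.0.2 forwards client 203.0.113.7.
	r := bufio.NewReader(strings.NewReader("PROXY TCP4 203.0.113.7 10.0.0.5 40000 853\r\n"))
	fmt.Println(clientAddr(netip.MustParseAddrPort("10.0.0.2:5000"), []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}, r))
}
```

The header is consumed from the same `bufio.Reader` that the TLS or DNS-over-TCP layer reads next, so the payload that follows it is left untouched.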

@windsurf-bot windsurf-bot bot left a comment

💡 To request another review, post a new comment with "/windsurf-review".

@peterverraedt
Author

/windsurf-review

@windsurf-bot windsurf-bot bot left a comment

💡 To request another review, post a new comment with "/windsurf-review".

If the connection is made from one of the trusted proxies ip addresses,
it is allowed that TCP and TLS connections contain a proxyprotocol
header to pass source connection information. This in particular allows
dns over tls behind a load balancer, while keeping source ip address
information.

Signed-off-by: Peter Verraedt <peter@verraedt.be>

@peterverraedt
Author

/windsurf-review

@windsurf-bot windsurf-bot bot left a comment

Looks good to me 🤙

💡 To request another review, post a new comment with "/windsurf-review".

@xduugu
xduugu commented Dec 3, 2025

Thanks a lot for your work on this, @peterverraedt.

Have you happened to look at the UDP support as well, and can you estimate how difficult it would be to implement? As far as I know, pires/go-proxyproto already supports proxy protocol v2 for UDP.

@brknkfr
brknkfr commented Mar 1, 2026

Please include this PR into a next release (of AdGuardHome). UDP support doesn't make sense at the moment as more common proxy servers (like NGINX or Caddy) don't support the PROXY protocol version 2 yet, which is needed for UDP.
