
Obtaining the client’s real IP through the ProxyProtocol protocol

Network Load Balancing (NLB) allows back-end servers to obtain the client's real IP address. Enable Proxy Protocol when you create a listener, and the back-end service nodes can then read the client's real IP address from each connection.

Proxy Protocol Description

Proxy Protocol is a communication protocol used to pass the client’s original network connection information between a proxy server and a back-end server.

Normally, when a proxy server forwards a client request to a back-end server, the connection it opens to the back-end carries the proxy server's own IP address and port as the source, replacing the client's. As a result, the back-end server cannot see the client's real network connection information.

With Proxy Protocol, the proxy server encapsulates the client’s original network connection information in the request header when forwarding the request and sends it to the back-end server. By parsing the Proxy Protocol header, the back-end server can obtain the client’s real network connection information, including source IP address, source port, and transport protocol.

By using Proxy Protocol, the back-end server can accurately obtain the client’s original network connection information, so that it can perform more accurate logging, access control, traffic monitoring and other operations.

  • Enabling Proxy Protocol requires the back-end service nodes to support the protocol. If a back-end service node cannot parse Proxy Protocol, turning the function on directly causes the back-end service to fail to parse incoming connections, which affects service availability.
  • NLB listeners can carry the original connection information (source IP, destination IP, source port, destination port, etc.) via Proxy Protocol, prepended to the data of each TCP connection or UDP datagram.
  • NLB only supports Proxy Protocol v2. Proxy Protocol v2 supports multiple transport protocols such as TCP and UDP; see The PROXY protocol for more information.
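As an added illustration (not part of the original document or of the NLB product), the following Python parser decodes a Proxy Protocol v2 header the way a back-end service must before it reads application data. It goes slightly beyond the page by handling IPv6 and the LOCAL command, and it raises on a connection that carries no header, which is the failure mode described in the first bullet above. The sample header, IP addresses and ports are constructed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}               # AF_INET / AF_INET6 address sizes
TRANSPORT = {0x1: "TCP", 0x2: "UDP"}       # STREAM / DGRAM transport nibble

@dataclass
class ProxyInfo:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transport: str
    header_len: int  # bytes consumed; application data starts at this offset

def parse_proxy_v2(data: bytes) -> Optional[ProxyInfo]:
    """Parse a PROXY v2 header at the start of `data`. Returns None for a LOCAL
    command (proxy health checks); raises ValueError when no v2 header is present."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    header_len = 16 + length
    if ver_cmd & 0x0F == 0:  # LOCAL: no client information carried
        return None
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if family not in ADDR_LEN or proto not in TRANSPORT:
        raise ValueError("unsupported address family or transport")
    alen = ADDR_LEN[family]
    if length < 2 * alen + 4:
        raise ValueError("address block shorter than the family requires")
    body = data[16:header_len]
    af = socket.AF_INET if family == 1 else socket.AF_INET6
    src_ip = socket.inet_ntop(af, body[:alen])
    dst_ip = socket.inet_ntop(af, body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return ProxyInfo(src_ip, dst_ip, src_port, dst_port, TRANSPORT[proto], header_len)

# Constructed sample: what the NLB would prepend for TCP client 203.0.113.5:51234
# reaching back-end 10.0.0.7:80, followed by the first bytes of the HTTP request.
SAMPLE = (PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + socket.inet_aton("203.0.113.5") + socket.inet_aton("10.0.0.7")
          + struct.pack("!HH", 51234, 80) + b"GET / HTTP/1.1\r\n")
```

The header is only trustworthy when the port is reachable exclusively through the NLB; a back-end that also accepts direct connections would let any peer supply its own header.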

Procedure

Step 1: Enable Proxy Protocol for NLB Listeners

  1. Log in to the Network Load Balancing NLB console, select the target instance, and click the instance ID.
  2. On the Instance Details page, click the Listener Management tab, find the target listener, and click Change Configuration.
  3. On the Listener Edit page, you can turn on ProxyProtocol.

Step 2: Configure Proxy Protocol on the back-end server

Example configuration for CentOS 7.9 with Nginx 1.20.1

  1. Log in to the backend server and execute the nginx -t command to check the path of the configuration file. The default path is usually /etc/nginx/nginx.conf, but please refer to the actual environment.
  2. Modify the Nginx configuration file as described below and save it.

    http {
        # Make sure $proxy_protocol_addr is included: this variable carries the client's real IP
        log_format main '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        # The access log must use the format defined above (the default nginx.conf already does)
        access_log /var/log/nginx/access.log main;

        # Taking a listener on port 80 as the example, add the proxy_protocol parameter
        server {
            listen 80 proxy_protocol;
            # ...
        }
    }

  3. Execute the sudo nginx -s reload command to reload the Nginx configuration file.

Example configuration for Ubuntu 22.04 with Nginx 1.20.1

  1. Log in to the server and execute the sudo nginx -t command to check the configuration file path. The output will show the path to the main configuration file (usually /etc/nginx/nginx.conf), while the server block may be located in a subfile (e.g. default) under /etc/nginx/sites-available/.

  2. Edit the main configuration file (sudo nano /etc/nginx/nginx.conf). In the http block, modify log_format to add the $proxy_protocol_addr variable:

    http {
        log_format main '$proxy_protocol_addr - $remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        # ...
    }

  3. Edit the server configuration file (sudo nano /etc/nginx/sites-available/default). In the server block where Proxy Protocol needs to be enabled, change the listen directives:

    server {
        listen 80 proxy_protocol;       # Enable Proxy Protocol (HTTP, IPv4)
        listen [::]:80 proxy_protocol;  # Enable Proxy Protocol (HTTP, IPv6)
        # ... other configuration ...
    }

  4. Check the configuration and reload Nginx. Test the configuration syntax with sudo nginx -t; if the output reports "syntax is ok" and "test is successful", the configuration is correct.

Reload Nginx:

    sudo systemctl reload nginx
    # or use the traditional command
    sudo nginx -s reload

Step 3: Verify that the back-end server can get the client’s real IP

When Nginx is the back-end service node, check the Nginx access log to confirm that the client's real IP address is being recorded.

The default path to the Nginx log file is: /var/log/nginx/access.log

In each line of the log, the IP address corresponding to the $proxy_protocol_addr variable is the client’s real IP address.