Proxy Protocol Support

The PROXY protocol provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies.

It is designed to require few changes to existing components and to limit the performance impact of processing the transported information. Detailed information on the proxy protocol can be found on the haproxy website: https://www.haproxy.com/blog/haproxy/proxy-protocol/.

The PROXY protocol consists of a single header which is transmitted by the proxy to the destination before the standard network communication takes place. This is illustrated in the following diagram:

WebSEAL has the ability to accept the proxy protocol header and then use the client address information contained within the header as the 'real' address of the client. The client address is used for, among other things, authorization decisions (network-based POPs), request logs, and auditing records. WebSEAL recognizes the proxy protocol header for both version 1 and version 2 of the proxy protocol.

The proxy protocol support can be enabled on a per interface and protocol basis using the http-proxy-protocol and https-proxy-protocol configuration entries. By default, support for the proxy protocol is disabled.

If proxy protocol support is enabled for an interface, WebSEAL expects the proxy protocol header to be supplied on every connection. If the header is not supplied, an error message is logged and the connection is immediately closed.

From a security standpoint it is important to restrict access to the WebSEAL interface when proxy protocol support has been enabled, so that an 'untrusted' client cannot forge the proxy header and thereby spoof the client's address information. WebSEAL provides the ability to specify rules which are used to determine whether a client is allowed to connect to WebSEAL. For more information, see Client IP Rules.
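The following is an added example, not WebSEAL code, that makes concrete both the header WebSEAL consumes (version 1 text form and version 2 binary form, as laid out in the public PROXY protocol specification) and the trust check the paragraph above calls for. It rejects the connection when the peer is not a known proxy, when the header is absent or malformed, and falls back to the socket's own peer address for LOCAL/UNKNOWN headers. The `trusted_proxies` list, the `accept_connection` function and all sample headers are assumptions constructed for the example; they stand in for WebSEAL's Client IP Rules, whose syntax this page does not show.

```python
"""PROXY protocol v1/v2 header parser with a trusted-proxy gate (added example, not WebSEAL code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Fixed 12-byte signature that opens every version 2 header.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V1_MAX_LEN = 107  # longest legal v1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised for a missing, malformed or truncated PROXY header: log and close."""


@dataclass
class ProxyInfo:
    version: int
    src: Optional[str]        # None for LOCAL / UNKNOWN: keep the socket peer address
    src_port: Optional[int]
    consumed: int             # bytes of the stream that belonged to the header


def parse_v1(data: bytes) -> ProxyInfo:
    """Text form: 'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n' (or 'PROXY UNKNOWN ...')."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("v1 header has no CRLF within 107 bytes")
    try:
        f = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("v1 header is not ASCII") from None
    if len(f) < 2 or f[0] != "PROXY":
        raise ProxyHeaderError("bad v1 prefix")
    if f[1] == "UNKNOWN":          # sender could not determine the client; rest of line is ignored
        return ProxyInfo(1, None, None, end + 2)
    if f[1] not in ("TCP4", "TCP6") or len(f) != 6:
        raise ProxyHeaderError("unsupported v1 protocol or wrong field count")
    addr_cls = ipaddress.IPv4Address if f[1] == "TCP4" else ipaddress.IPv6Address
    if not (f[4].isdigit() and f[5].isdigit()):
        raise ProxyHeaderError("ports must be unsigned decimal")
    try:
        src, _dst = addr_cls(f[2]), addr_cls(f[3])   # both must match the declared family
    except ValueError:
        raise ProxyHeaderError("address does not match TCP4/TCP6") from None
    sport, dport = int(f[4]), int(f[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyInfo(1, str(src), sport, end + 2)


def parse_v2(data: bytes) -> ProxyInfo:
    """Binary form: signature, ver/cmd byte, family/transport byte, 16-bit length, addresses."""
    if len(data) < 16:
        raise ProxyHeaderError("v2 header shorter than 16 bytes")
    ver_cmd, fam_tp, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("v2 signature with wrong version nibble")
    consumed = 16 + length
    if len(data) < consumed:
        raise ProxyHeaderError("v2 header truncated")
    cmd, family = ver_cmd & 0x0F, fam_tp >> 4
    if cmd == 0x0:                             # LOCAL: the proxy itself, e.g. a health check
        return ProxyInfo(2, None, None, consumed)
    if cmd != 0x1:
        raise ProxyHeaderError("unknown v2 command")
    body = data[16:consumed]
    if family == 0x1 and length >= 12:         # AF_INET: 4+4 byte addresses, 2+2 byte ports
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo(2, str(ipaddress.IPv4Address(src)), sport, consumed)
    if family == 0x2 and length >= 36:         # AF_INET6: 16+16 byte addresses, 2+2 byte ports
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
        return ProxyInfo(2, str(ipaddress.IPv6Address(src)), sport, consumed)
    if family == 0x0:                          # AF_UNSPEC: no usable address in the header
        return ProxyInfo(2, None, None, consumed)
    raise ProxyHeaderError("unsupported address family or short address block")


def accept_connection(peer_ip: str, initial: bytes,
                      trusted_proxies: Iterable[ipaddress._BaseNetwork]) -> Tuple[str, bytes]:
    """Return (effective client address, payload after the header) or raise ProxyHeaderError.

    Only a peer inside one of trusted_proxies may present a header; any other peer is
    refused, because a forged header would let it spoof its address in POP decisions
    and audit records. trusted_proxies is a stand-in for WebSEAL's Client IP Rules.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        raise ProxyHeaderError(f"peer {peer_ip} is not a trusted proxy; closing")
    if initial.startswith(V2_SIGNATURE):
        info = parse_v2(initial)
    elif initial.startswith(b"PROXY "):
        info = parse_v1(initial)
    else:
        raise ProxyHeaderError("PROXY header expected but not present; closing")
    client = info.src if info.src is not None else peer_ip
    return client, initial[info.consumed:]


# Constructed sample inputs (not captured from a real deployment).
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]
V1_SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.2 56324 443\r\nGET / HTTP/1.1\r\n"
V2_SAMPLE = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.9").packed
             + ipaddress.IPv4Address("10.0.0.2").packed
             + struct.pack("!HH", 40000, 443) + b"GET / HTTP/1.1\r\n")
V2_LOCAL = V2_SIGNATURE + bytes([0x20, 0x00]) + struct.pack("!H", 0)

if __name__ == "__main__":
    print(accept_connection("10.0.0.1", V1_SAMPLE, TRUSTED))   # ('203.0.113.7', b'GET / HTTP/1.1\r\n')
    print(accept_connection("10.0.0.1", V2_SAMPLE, TRUSTED))   # ('203.0.113.9', b'GET / HTTP/1.1\r\n')
    print(accept_connection("10.0.0.1", V2_LOCAL, TRUSTED))    # ('10.0.0.1', b'')
```

The trust check runs before the header is parsed on purpose: an untrusted peer's bytes are never interpreted, so the question of whether its header was well-formed does not arise. The address reported for a LOCAL or UNKNOWN header is the socket peer, which matches the fallback a proxy-aware listener needs for health checks arriving from the proxy itself.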