This topic describes how Network Load Balancer (NLB) obtains client IP addresses and how to use Proxy Protocol to obtain client IP addresses.

Obtain client IP addresses

  • In normal cases, the source IP addresses obtained on the backend servers of NLB are the client IP addresses. You do not need to enable Proxy Protocol on listeners. Make sure that you have enabled client IP preservation for server groups. For more information, see Configure client IP preservation.
  • In the following scenarios, NLB cannot pass source IP addresses. You must enable Proxy Protocol on listeners to obtain the client IP addresses.
    Note: Proxy Protocol can be used by NLB listeners to pass client IP addresses to backend servers. After Proxy Protocol is enabled, NLB adds a TCP or UDP header to the request without modifying the existing headers. The TCP header carries information such as the source IP address, destination IP address, source port, and destination port. NLB only supports Proxy Protocol v2. For more information, see The PROXY protocol.
    • Scenario 1: Clients use IPv6 addresses to access backend IPv4 services of NLB.
    • Scenario 2: Listeners that use TCP over SSL are enabled. You cannot associate listeners that use SSL over TCP with server groups for which client IP preservation is enabled.
    • Scenario 3: Backend servers of the IP type are added. You cannot enable client IP preservation for server groups of the IP type. If a backend server group of the IP type is added to an NLB instance, and you want to obtain client IP addresses, you must enable Proxy Protocol on the listener.

Procedure

Prerequisites

  • An NLB instance is created and a listener is added to the instance. For more information, see Create and manage an NLB instance.
  • An available server group is created and backend servers are added. For more information, see Create and manage a server group.
    • Services are deployed on the backend servers. In this example, an NGINX service is deployed on the backend servers. For more information, see Manually build an LNMP environment on a CentOS 7 instance.
    • Before you enable Proxy Protocol, make sure that your backend servers support Proxy Protocol v2.
      Note: NGINX Plus R16 and later versions and open source NGINX 1.13.11 and later versions support Proxy Protocol v2.
  • If a server group is associated with multiple NLB listeners, you must enable Proxy Protocol for all listeners.

Step 1: Enable Proxy Protocol for the listener

You can enable Proxy Protocol when you create or modify a listener. In this example, Proxy Protocol is enabled when you create a listener. If you have added a listener to the NLB instance but have not enabled Proxy Protocol, you can enable Proxy Protocol when you modify the listener. For more information, see Modify a listener.

  1. Log on to the NLB console.
  2. In the top navigation bar, select the region of the NLB instance.
  3. On the Instances page, find the NLB instance that you want to manage and use one of the following methods to open the listener configuration wizard:
    • Click Create Listener in the Actions column.
    • Click the ID of the NLB instance and click the Listener tab. On the Listener tab, click Create Listener above the listener list.
    • Click the ID of the NLB instance and click the Listener tab. On the Listener tab, click Create Listener in the NLB configuration wizard.
    • Click the ID of the NLB instance and click the Listener tab. On the Listener tab, click Create Listener in the upper-right corner.
  4. On the Configure Listener wizard page, set the following parameters and click Next:

    Turn on the Advanced Settings switch and turn on Enable Proxy Protocol. Then, NLB can use Proxy Protocol to pass client IP addresses to backend servers.

    The following section describes the parameters that are relevant to this topic. For more information about how to configure other parameters, see the following topics:
  5. Optional: On the Configure SSL Certificate wizard page, select a certificate from the Server Certificate drop-down list and set Advanced Settings.
    This step is required only for listeners that use TCP over SSL. For more information, see Create a listener that uses SSL over TCP.
  6. On the Select Server Group wizard page, select the created server group, view the backend server information, and then click Next.
  7. On the Confirm wizard page, confirm the configurations and click Submit.

Step 2: Enable Proxy Protocol for the listening service of the backend servers

After you enable Proxy Protocol for listeners, you must enable Proxy Protocol for the listening service of backend servers. Otherwise, issues such as forwarding failure or health check failure may occur.

Log on to the backend servers and modify the NGINX configuration as follows to enable Proxy Protocol.
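http {
    #...
    server {
        # Expect a Proxy Protocol header on every connection to these ports
        listen 80   proxy_protocol;
        listen 443  ssl proxy_protocol;
        #...
    }
}

stream {
    #...
    server {
        # Layer 4 (stream) listener that also expects the Proxy Protocol header
        listen 12345 proxy_protocol;
        #...
    }
}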

Step 3: Obtain client IP addresses

  • The following example shows how an IPv4 client IP address is preserved in the Proxy Protocol v2 header in the binary format. [Figure: IPv4]
  • The following example shows how an IPv6 client IP address is preserved in the Proxy Protocol v2 header in the binary format. [Figure: IPv6]
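
The binary layout that Step 3 refers to can be decoded as follows. This is an added example, not code from the original page or from the NLB product; it follows the header layout in the PROXY protocol specification that the page references, the function names parse_ppv2 and build_sample are hypothetical, and the sample addresses are constructed test data.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte Proxy Protocol v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}           # AF_INET, AF_INET6 address sizes in bytes
TRANSPORT = {0x1: "TCP", 0x2: "UDP"}   # STREAM, DGRAM


def parse_ppv2(data: bytes) -> dict:
    """Parse a Proxy Protocol v2 header at the start of `data`.

    Returns the addresses plus `header_len`, the offset at which the
    application payload begins. Raises ValueError on malformed input.
    """
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("missing Proxy Protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    command = ver_cmd & 0x0F
    if command == 0x0:  # LOCAL: opened by the proxy itself, no client address
        return {"command": "LOCAL", "header_len": 16 + length}
    if command != 0x1:
        raise ValueError("unknown command")
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if family not in ADDR_LEN or proto not in TRANSPORT:
        raise ValueError("unsupported address family or transport")
    alen = ADDR_LEN[family]
    if length < 2 * alen + 4:
        raise ValueError("address block shorter than declared family needs")
    body = data[16:16 + length]
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    return {"command": "PROXY", "transport": TRANSPORT[proto],
            "src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport,
            "header_len": 16 + length}  # bytes after the addresses are TLVs


def build_sample(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a sample header (test data, not captured NLB traffic)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fam = 0x11 if s.version == 4 else 0x21  # AF_INET/AF_INET6 over STREAM
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, fam, len(body)) + body
```

A backend that parses this header trusts whatever source address it carries, so the listening port should accept connections only from the NLB instance.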