This topic describes how to configure the Proxy protocol to enable Layer 4 listeners of Classic Load Balancer (CLB) to retrieve client IP addresses.
How Layer 4 listeners receive client IP addresses
In most cases, IP addresses of clients are passed to Layer 4 listeners of CLB. The source IP addresses received by backend servers are the client IP addresses. You do not need to enable the Proxy protocol.
However, if clients access Layer 4 listeners of CLB by using IPv6 addresses, the source IP addresses are not passed to the Layer 4 listeners. In this case, you need to enable the Proxy protocol for the Layer 4 listeners to retrieve client IP addresses.
Note: After the Proxy protocol is enabled for Layer 4 listeners of CLB, the source IP address, destination IP address, source port, and destination port of a request are added to the TCP or UDP header. This information is not dropped or overwritten. CLB supports Proxy Protocol v2. For more information, see The PROXY protocol.
Configure the Proxy protocol to enable Layer 4 listeners to retrieve client IP addresses
Prerequisites
A CLB instance is created. For more information, see Create a CLB instance.
A server is created and available. The server is used as a backend server of the CLB instance when you create a listener.
Services are deployed on the backend server. In this example, an NGINX service is deployed on the backend server. For more information, see Deploy an LNMP stack on a CentOS 7 instance.
Before you enable the Proxy protocol, make sure that your backend servers support Proxy Protocol v2.
NGINX Plus R16 and later versions and open source NGINX 1.13.11 and later versions support Proxy Protocol v2.
If multiple listeners of the CLB instances are associated with the same backend server group, enable the Proxy protocol for all the listeners.
Step 1: Create a TCP or UDP listener
You can enable the Proxy protocol when you create or modify a listener. In this example, the Proxy protocol is enabled when the listener is created. If a listener is added to the CLB instance but the Proxy protocol is disabled, you can enable the Proxy protocol by modifying the listener configurations.
- Log on to the CLB console.
- In the top navigation bar, select the region where the CLB instance resides.
- On the Instance Management page, find the instance that you want to manage and click Configure Listener in the Actions column.
- Follow the configuration wizard to configure the listener.
  - Select Listener Protocol: Select TCP or UDP.
  - Proxy Protocol: Click Modify next to the Advanced section and select Use the proxy protocol to pass client IP addresses to backend servers. Select I Understand and Accept Preceding Risks and click Next.
For more information, see Add a TCP listener or Add a UDP listener.
Step 2: Enable the Proxy protocol for the listener
After you enable the Proxy protocol for a listener, you must also enable the Proxy protocol for the associated backend server. Otherwise, traffic forwarding or health checks may fail.
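Log on to the backend server and add the proxy_protocol parameter to the listen directives in the NGINX configuration file, as shown below, to enable the Proxy protocol to retrieve client IP addresses:

    # HTTP and HTTPS traffic (TCP listeners)
    http {
        #...
        server {
            # Expect a Proxy protocol header at the start of every connection
            listen 80 proxy_protocol;
            listen 443 ssl proxy_protocol;
            #...
        }
    }

    # Raw TCP or UDP traffic
    stream {
        #...
        server {
            listen 12345 proxy_protocol;
            #...
        }
    }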
Step 3: Retrieve client IP addresses
The following example shows how an IPv4 client IP address is preserved in the Proxy Protocol v2 header in the binary format.
The following example shows how an IPv6 client IP address is preserved in the Proxy Protocol v2 header in the binary format.
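The binary layout can also be checked with a small parser. The following Python code is an added example, not part of the original documentation: it decodes a Proxy Protocol v2 header for IPv4 and IPv6 clients and reports how many bytes precede the application payload. The function names are hypothetical, and the sample headers are constructed from documentation address ranges rather than captured from a CLB instance.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}            # AF_INET / AF_INET6 address sizes
TRANSPORT = {0x1: "TCP", 0x2: "UDP"}    # STREAM / DGRAM


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a Proxy Protocol v2 header at the start of data.

    'consumed' is the number of header bytes to strip before the payload.
    """
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a Proxy Protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    version, command = ver_cmd >> 4, ver_cmd & 0x0F
    if version != 2 or command not in (0, 1):
        raise ValueError("unsupported version or command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    info = {"command": "PROXY" if command else "LOCAL", "consumed": 16 + length}
    family, proto = fam_proto >> 4, fam_proto & 0x0F
    if command == 0 or family not in ADDR_LEN:
        return info  # LOCAL (sent by the proxy itself) or no IP address block
    n = ADDR_LEN[family]
    if length < 2 * n + 4:
        raise ValueError("address block shorter than the family requires")
    body = data[16:16 + 2 * n + 4]  # any TLVs after the addresses are skipped
    src_port, dst_port = struct.unpack("!HH", body[2 * n:])
    info.update(
        transport=TRANSPORT.get(proto, "UNSPEC"),
        src_ip=str(ipaddress.ip_address(body[:n])),
        dst_ip=str(ipaddress.ip_address(body[n:2 * n])),
        src_port=src_port,
        dst_port=dst_port,
    )
    return info


def build_sample(family, proto, src, dst, sport, dport) -> bytes:
    """Build a constructed v2 PROXY header (test input, not captured traffic)."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, family << 4 | proto, len(body)) + body
```

A backend should accept this header only on connections that arrive from the CLB instance, because any sender allowed to supply the header chooses the client address that the backend records.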