Enable PROXY Protocol in Apache

From Sympl Wiki

PROXY Protocol is a method of passing client connection information through a reverse proxy, so that while the TCP connection itself comes from the reverse proxy, the destination server can still log the client's IP address and perform IP-address filtering.

This is typically used in situations where the server running Sympl does not have a public IP address, or is behind an IPv4 to IPv6 proxy, such as the one provided by Mythic Beasts for servers without an IPv4 address, like their hosted Raspberry Pi service.

This article is Community Documentation and is therefore not officially supported; any changes may not be compatible with future updates of Sympl.
The Sympl Forum may have more information.

Enabling PROXY Protocol for all sites

This will enable PROXY Protocol for all sites on the server, and will typically be the option you want if you are using a reverse proxy.

Note that all connections, both IPv4 and IPv6, will need to be sent through the proxy for this to work.

Create the file /etc/apache2/conf-available/proxy-protocol.conf containing the text:

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
RemoteIPProxyProtocol On
RemoteIPHeader X-Forwarded-For

Next, the server's own local addresses need to be allowed to connect to Apache directly, without the PROXY header, so that the built-in monitoring in Sympl continues to work normally. To do this, run:

echo "RemoteIPProxyProtocolExceptions ::1 $(sympl-ip -a)" >> /etc/apache2/conf-available/proxy-protocol.conf

Finally, run sudo a2enmod remoteip and sudo a2enconf proxy-protocol, then reload the Apache configuration with sudo service apache2 reload.

Once that is done, enable the PROXY protocol option on the reverse proxy, and all traffic should then be logged with the relevant IP addresses.
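With the option on, the reverse proxy begins every connection with a one-line PROXY header ahead of the HTTP request, and that line is where the client address in the logs comes from. The parser below is an added example (not code from Sympl or Apache) for the text-based version 1 form of that header only; the function name and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest valid v1 header, trailing CRLF included

# Constructed sample bytes: one connection relayed by the proxy, one made directly.
SAMPLE_VIA_PROXY = (b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n"
                    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
SAMPLE_DIRECT = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_proxy_v1(data: bytes):
    """Return (client_info, remaining_bytes) for the start of a connection.

    client_info is None for the UNKNOWN family. Raises ValueError when the
    bytes do not begin with a well-formed version 1 header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("connection does not start with a PROXY header")
    family, rest = fields[1], data[end + 2:]
    if family == "UNKNOWN":  # proxy could not describe the client
        return None, rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad address family or field count")
    want = 4 if family == "TCP4" else 6
    src, dst = (ipaddress.ip_address(a) for a in fields[2:4])
    if src.version != want or dst.version != want:
        raise ValueError("address does not match declared family")
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    info = {"client_ip": str(src), "client_port": ports[0],
            "server_ip": str(dst), "server_port": ports[1]}
    return info, rest


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE_VIA_PROXY)[0])
    try:
        parse_proxy_v1(SAMPLE_DIRECT)
    except ValueError as exc:
        print("rejected:", exc)
```

The rejected direct request shows why every connection has to arrive through the proxy once the setting is on. The header is taken at face value from whichever peer sends it, so the web ports should only be reachable from the reverse proxy and the excepted local addresses.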

Undoing the configuration change

In the event you need to reverse this, run sudo a2disconf proxy-protocol to disable the config file, then restart Apache. Make sure that you also disable the PROXY protocol headers on the reverse proxy, or inbound connections will fail.

Enabling PROXY Protocol on a site-by-site basis

Unfortunately this is more complicated, as the relevant lines would need to be added to each site's configuration, but this can potentially be done using custom additions to the Apache configuration.