PROXY protocol support for Streams

backend/internal/nginx.js

@@ -157,6 +157,8 @@ const internalNginx = {
 						{ caching_enabled: host.caching_enabled },
 						{ block_exploits: host.block_exploits },
 						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
+						{ enable_proxy_protocol: host.enable_proxy_protocol },
+						{ load_balancer_ip: host.load_balancer_ip },
 						{ http2_support: host.http2_support },
 						{ hsts_enabled: host.hsts_enabled },
 						{ hsts_subdomains: host.hsts_subdomains },

backend/migrations/20260425014441_proxy_protocol.js

@@ -0,0 +1,41 @@
+const migrate_name = "proxy_protocol";
+import { migrate as logger } from "../logger.js";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrate_name}] Migrating Up...`);
+
+	return knex.schema.table("proxy_host", (table) => {
+		table.integer("enable_proxy_protocol").notNull().unsigned().defaultTo(0);
+		table.string("load_balancer_ip").notNull().defaultTo("");
+	}).then(() => {
+		logger.info(`[${migrate_name}] proxy_host Table altered`);
+	});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const down = (knex) => {
+	logger.info(`[${migrate_name}] Migrating Down...`);
+
+	return knex.schema.table("proxy_host", (table) => {
+		table.dropColumn("enable_proxy_protocol");
+		table.dropColumn("load_balancer_ip");
+	})
+	.then(() => {
+		logger.info(`[${migrate_name}] proxy_host Table altered`);
+	});
+};
+
+export { up, down };

backend/migrations/20260425014442_proxy_protocol_stream.js

@@ -0,0 +1,40 @@
+const migrate_name = "proxy_protocol_stream";
+import { migrate as logger } from "../logger.js";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+    logger.info(`[${migrate_name}] Migrating Up...`);
+
+    return knex.schema.table("stream", (table) => {
+        table.integer("enable_proxy_protocol").notNull().unsigned().defaultTo(0);
+    }).then(() => {
+        logger.info(`[${migrate_name}] stream Table altered`);
+    });
+
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const down = (knex) => {
+    logger.info(`[${migrate_name}] Migrating Down...`);
+
+    return knex.schema.table("stream", (table) => {
+        table.dropColumn("enable_proxy_protocol");
+    })
+    .then(() => {
+        logger.info(`[${migrate_name}] stream Table altered`);
+    });
+};
+
+export { up, down };

backend/models/proxy_host.js

@@ -22,6 +22,7 @@ const boolFields = [
 	"hsts_enabled",
 	"hsts_subdomains",
 	"trust_forwarded_proto",
+	"enable_proxy_protocol",
 ];
 
 class ProxyHost extends Model {

backend/models/stream.js

@@ -7,7 +7,13 @@ import User from "./user.js";
 
 Model.knex(db());
 
-const boolFields = ["is_deleted", "enabled", "tcp_forwarding", "udp_forwarding"];
+const boolFields = [
+	"is_deleted",
+	"enabled",
+	"tcp_forwarding",
+	"udp_forwarding",
+	"enable_proxy_protocol"
+];
 
 class Stream extends Model {
 	$beforeInsert() {

backend/schema/components/proxy-host-object.json

@@ -17,6 +17,8 @@
 		"advanced_config",
 		"meta",
 		"allow_websocket_upgrade",
+		"enable_proxy_protocol",
+		"load_balancer_ip",
 		"http2_support",
 		"forward_scheme",
 		"enabled",
@@ -84,6 +86,18 @@
 			"type": "boolean",
 			"example": true
 		},
+		"enable_proxy_protocol": {
+			"description": "Enable PROXY Protocol support",
+			"example": true,
+			"type": "boolean"
+		},
+		"load_balancer_ip": {
+			"description": "Load balancer or TCP proxy IP / CIDR range",
+			"type": "string",
+			"minLength": 0,
+			"maxLength": 255,
+			"example": "10.0.9.3"
+		},
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},

backend/schema/components/stream-object.json

@@ -12,7 +12,8 @@
 		"tcp_forwarding",
 		"udp_forwarding",
 		"enabled",
-		"meta"
+		"meta",
+		"enable_proxy_protocol"
 	],
 	"additionalProperties": false,
 	"properties": {
@@ -44,7 +45,7 @@
 				},
 				{
 					"type": "string",
-					"format": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$"
+					"pattern": "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}$"
 				},
 				{
 					"type": "string",
@@ -70,6 +71,11 @@
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"
 		},
+		"enable_proxy_protocol": {
+			"description": "Enable PROXY Protocol support",
+			"type": "boolean",
+			"example": false
+		},
 		"certificate_id": {
 			"$ref": "../common.json#/properties/certificate_id"
 		},

backend/schema/paths/nginx/proxy-hosts/get.json

@@ -53,6 +53,8 @@
 										"nginx_err": null
 									},
 									"allow_websocket_upgrade": false,
+									"enable_proxy_protocol": false,
+									"load_balancer_ip": "",
 									"http2_support": false,
 									"forward_scheme": "http",
 									"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/get.json

@@ -50,6 +50,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -71,6 +71,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -119,6 +125,8 @@
 									"nginx_err": null
 								},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -63,6 +63,12 @@
 						"allow_websocket_upgrade": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/allow_websocket_upgrade"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/enable_proxy_protocol"
+						},
+						"load_balancer_ip": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/load_balancer_ip"
+						},
 						"access_list_id": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/access_list_id"
 						},
@@ -116,6 +122,8 @@
 								"advanced_config": "",
 								"meta": {},
 								"allow_websocket_upgrade": false,
+								"enable_proxy_protocol": false,
+								"load_balancer_ip": "",
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,

backend/schema/paths/nginx/streams/get.json

@@ -41,6 +41,7 @@
 										"nginx_err": null
 									},
 									"enabled": true,
+									"enable_proxy_protocol": false,
 									"certificate_id": 0
 								}
 							]

backend/schema/paths/nginx/streams/post.json

@@ -41,6 +41,9 @@
 						"certificate_id": {
 							"$ref": "../../../components/stream-object.json#/properties/certificate_id"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../components/stream-object.json#/properties/enable_proxy_protocol"
+						},
 						"meta": {
 							"$ref": "../../../components/stream-object.json#/properties/meta"
 						},
@@ -56,6 +59,7 @@
 					"tcp_forwarding": true,
 					"udp_forwarding": false,
 					"certificate_id": 0,
+					"enable_proxy_protocol": false,
 					"meta": {}
 				}
 			}
@@ -83,6 +87,7 @@
 									"nginx_err": null
 								},
 								"enabled": true,
+								"enable_proxy_protocol": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2024-10-09T02:33:16.000Z",

backend/schema/paths/nginx/streams/streamID/get.json

@@ -42,6 +42,7 @@
 									"nginx_err": null
 								},
 								"enabled": true,
+								"enable_proxy_protocol": false,
 								"certificate_id": 0
 							}
 						}

backend/schema/paths/nginx/streams/streamID/put.json

@@ -48,6 +48,9 @@
 						"certificate_id": {
 							"$ref": "../../../../components/stream-object.json#/properties/certificate_id"
 						},
+						"enable_proxy_protocol": {
+							"$ref": "../../../../components/stream-object.json#/properties/enable_proxy_protocol"
+						},
 						"meta": {
 							"$ref": "../../../../components/stream-object.json#/properties/meta"
 						}
@@ -78,6 +81,7 @@
 									"nginx_err": null
 								},
 								"enabled": true,
+								"enable_proxy_protocol": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2024-10-09T02:33:16.000Z",

backend/templates/_listen.conf

@@ -1,20 +1,38 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 88 proxy_protocol;
+  listen 80;
+{% if ipv6 -%}
+  listen [::]:88 proxy_protocol;
+  listen [::]:80;
+{% endif %}
+{% else -%}
   listen 80;
 {% if ipv6 -%}
   listen [::]:80;
 {% else -%}
   #listen [::]:80;
+{% endif %}   
 {% endif %}
 {% if certificate -%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+  listen 444 ssl proxy_protocol;
+  listen 443 ssl;
+{% if ipv6 -%}
+  listen [::]:444 ssl proxy_protocol;
+  listen [::]:443 ssl;
+{% endif %}
+{% else -%}
   listen 443 ssl;
 {% if ipv6 -%}
   listen [::]:443 ssl;
 {% else -%}
   #listen [::]:443;
 {% endif %}
+{% endif %}
 {% endif %}
   server_name {{ domain_names | join: " " }};
 {% if http2_support == 1 or http2_support == true %}
   http2 on;
 {% else -%}
   http2 off;
-{% endif %}
+{% endif %}

backend/templates/_proxy_protocol.conf

@@ -0,0 +1,4 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+set_real_ip_from {{ load_balancer_ip }};
+real_ip_header proxy_protocol;
+{% endif %}

backend/templates/proxy_host.conf

@@ -15,6 +15,7 @@ server {
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_proxy_protocol.conf" %}
 
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;

backend/templates/stream.conf

@@ -5,8 +5,8 @@
 {% if enabled %}
 {% if tcp_forwarding == 1 or tcp_forwarding == true -%}
 server {
-  listen {{ incoming_port }} {%- if certificate %} ssl {%- endif %};
-  {% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} {%- if certificate %} ssl {%- endif %};
+  listen {{ incoming_port }} {%- if certificate %} ssl {%- endif %} {%- if enable_proxy_protocol == 1 or enable_proxy_protocol == true %} proxy_protocol {%- endif %};
+  {% unless ipv6 -%} # {%- endunless -%} listen [::]:{{ incoming_port }} {%- if certificate %} ssl {%- endif %} {%- if enable_proxy_protocol == 1 or enable_proxy_protocol == true %} proxy_protocol {%- endif %};
 
   {%- include "_certificates_stream.conf" %}
 

docker/docker-compose.dev.yml

@@ -9,7 +9,9 @@ services:
     ports:
       - 3080:80
       - 3081:81
+      - 3088:88
       - 3443:443
+      - 3444:444
     networks:
       nginx_proxy_manager:
         aliases:

docs/src/advanced-config/index.md

@@ -248,3 +248,16 @@ On startup, we generate a resolvers directive for Nginx unless this is defined:
 
 In this configuration, all DNS queries performed by Nginx will fall to the `/etc/hosts` file
 and then the `/etc/resolv.conf`.
+
+## Using PROXY protocol
+
+If you are using PROXY protocol support for any proxy host or stream you will need to expose ports `88` and `444` for HTTP and HTTPS listeners with PROXY protocol support.
+```yml
+    ports:
+      # Public HTTP Port with PROXY protocol:
+      - '88:88'
+      # Public HTTPS Port with PROXY protocol:
+      - '444:444'
+```
+
+NPM will still listen on ports `80` and `443` for proxy hosts and streams where the PROXY protocol option has not been enabled.