The lost address problem
When a connection passes through a load balancer or proxy, the backend server sees the proxy's address as the source, not the real client's. This breaks logging, rate limiting, and geolocation that depend on the true client IP. For HTTP, headers like X-Forwarded-For can carry the original address, but they only work for protocols that the proxy parses.
What the proxy protocol does
- It prepends a small header to the start of the forwarded connection before any application data.
- The header carries the original source and destination addresses and ports.
- It works for any TCP-based protocol, not just HTTP, because it sits below the application layer.
- Both proxy and backend must agree to speak it, or the header is misread as application data.
The key advantage over header tricks is generality: because the proxy protocol prefixes the connection rather than editing application messages, it preserves the client IP for databases, mail, and other non-HTTP services. The catch is that the backend must be configured to expect the header on every connection from the proxy. A mismatch is dangerous in either direction: a backend that reads the header as data corrupts the session, and a backend that ignores it loses the address.
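A backend-side sketch of that agreement, added here as an example and not taken from any particular proxy or server. It assumes the human-readable version 1 header line from the HAProxy PROXY protocol specification; the function names, the `proxy_ips` allow-list and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line the spec allows, CRLF included
# Constructed sample: header line followed by the first application bytes.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 5432\r\n\x00\x00\x00\x08"

class ProxyHeaderError(ValueError):
    """The connection does not start with a valid v1 header."""

def parse_proxy_v1(buf: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port) or None, payload)."""
    if not buf.startswith(b"PROXY "):
        # Backend expects the header but the peer sent application data.
        raise ProxyHeaderError("missing PROXY signature")
    end = buf.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    payload = buf[end + 2:]  # application data starts right after CRLF
    if fields[1] == "UNKNOWN":
        return None, payload  # proxy could not supply the addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed header")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ProxyHeaderError("non-numeric port")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError as exc:
        raise ProxyHeaderError(str(exc)) from exc
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return (str(src), sport, str(dst), dport), payload

def accept(peer_ip: str, first_bytes: bytes, proxy_ips: set):
    """Policy: only configured proxies may connect, and each must send a header."""
    if peer_ip not in proxy_ips:
        # Otherwise any client could prepend a header and claim any address.
        raise ProxyHeaderError("peer is not a configured proxy")
    return parse_proxy_v1(first_bytes)
```

Failing closed on a missing or malformed header is what keeps a configuration mismatch from turning into a corrupted session or a silently wrong client address in the logs.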
Key idea
The proxy protocol prepends a small header carrying the original client address and port to a forwarded connection, preserving the real client IP for any TCP protocol as long as proxy and backend both expect it.