feat: support passing proxy_protocol to reality backend #2693

Open
aJC7737 wants to merge 1 commit into MetaCubeX:Alpha from aJC7737:Alpha

aJC7737 commented Apr 12, 2026

TL;DR: This change adds proxy-protocol support to Reality inbound so backends (for example NGINX) can see the original client source address.

What This PR Adds

  1. New Reality inbound option: proxy-protocol

    • 0: disabled (default)
    • 1: send PROXY protocol v1 header
    • 2: send PROXY protocol v2 header
  2. PROXY header forwarding for Reality backend connections

    • Adds ProxyProtocol to Reality runtime config.
    • Validates allowed values (0/1/2).
    • When enabled, writes the PROXY header immediately after dialing the Reality backend and before normal payload forwarding.
  3. Source/destination address propagation

    • Captures inbound connection remote/local TCP addresses.
    • Passes them through context so generated PROXY headers contain:
      • original client source address/port
      • inbound listener destination address/port
  4. PROXY protocol encoding support

    • Implements dedicated builders for:
      • PROXY v1 (text format)
      • PROXY v2 (binary format)
  5. Documentation updates

    • Adds reality-config.proxy-protocol examples in config documentation.

Tests

Added/updated unit tests covering:

  • disabled mode (proxy-protocol = 0, no header emitted)
  • v1 header generation/writing
  • v2 header generation/writing
  • missing address context error path
  • invalid version error path

Scope

  • Inbound Reality listener path only.
  • No outbound behavior changes.

aJC7737 commented May 8, 2026

Follow-up update for this PR:

Since the previous revision, I added a few safety/completeness improvements around the new Reality proxy-protocol support:

Newly added changes

  1. Robust PROXY header writes

    • Changed header writing to use a full write path instead of a single conn.Write(...).
    • This avoids short-write edge cases that could otherwise send an incomplete PROXY header to the backend.
  2. Stricter address-family handling

    • PROXY v1/v2 now only encode:
      • IPv4 when both source/destination are IPv4
      • IPv6 when both source/destination are IPv6
    • Mixed-family cases now fail explicitly instead of falling through into an unintended encoding path.
  3. Expanded unit tests

    • Added IPv6 test coverage for both PROXY v1 and PROXY v2
    • Added mixed IPv4/IPv6 family mismatch tests
    • Added config validation coverage for invalid proxy-protocol values
  4. Documentation clarification

    • Updated config examples to clarify that proxy-protocol passes the original source/destination address information to the backend
    • Noted that the backend must support Proxy Protocol

Current status summary

This PR adds proxy-protocol support to Reality inbound backend forwarding.

Behavior

  • New Reality inbound option: proxy-protocol
    • 0: disabled
    • 1: send PROXY protocol v1 header
    • 2: send PROXY protocol v2 header

Implementation

  • Adds ProxyProtocol to Reality inbound config and runtime config
  • Validates accepted values at build time
  • Captures accepted inbound connection addresses:
    • source: client remote address
    • destination: listener local address
  • Passes these through context into the Reality backend dial path
  • Writes the PROXY header to the backend connection before normal payload forwarding

Scope

  • Reality inbound/backend path only
  • No outbound behavior changes

Test status

  • Focused listener/reality tests pass
  • Unit coverage now includes:
    • disabled mode
    • v1/v2 IPv4 encoding
    • v1/v2 IPv6 encoding
    • missing address context
    • invalid version
    • invalid config value
    • mixed-family rejection

This should make the feature safer and easier to reason about in edge cases.

@wwqgtxx wwqgtxx force-pushed the Alpha branch 5 times, most recently from 61b8d7f to 17bed79 Compare May 15, 2026 10:13
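
The PROXY v1/v2 encoding and the mixed-family rejection described in the comments above, as an added Go example that is not the PR's code. The function name `buildProxyHeader`, its signature, the sample addresses, and the choice to treat IPv4-mapped IPv6 addresses as IPv4 are assumptions of this example; the byte layout follows the PROXY protocol specification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// buildProxyHeader (hypothetical name) encodes a PROXY header for one TCP connection.
// Version 0 (disabled) is expected to be filtered out by the caller before this point.
func buildProxyHeader(version int, src, dst netip.AddrPort) ([]byte, error) {
	s := src.Addr().Unmap().WithZone("") // assumption: ::ffff:a.b.c.d counts as IPv4
	d := dst.Addr().Unmap().WithZone("")
	if !s.IsValid() || !d.IsValid() {
		return nil, errors.New("missing source or destination address")
	}
	if s.Is4() != d.Is4() { // never guess a family for a mixed pair
		return nil, errors.New("source and destination address families differ")
	}
	fam, famByte := "TCP6", byte(0x21) // v2: AF_INET6 + STREAM
	if s.Is4() {
		fam, famByte = "TCP4", 0x11 // v2: AF_INET + STREAM
	}
	switch version {
	case 1: // text format, one CRLF-terminated line
		return []byte(fmt.Sprintf("PROXY %s %s %s %d %d\r\n", fam, s, d, src.Port(), dst.Port())), nil
	case 2: // binary format: 12-byte signature, then 0x21 = version 2 + PROXY command
		hdr := []byte("\r\n\r\n\x00\r\nQUIT\n\x21")
		hdr = append(hdr, famByte, 0, 0) // family/protocol byte, length placeholder
		hdr = append(append(hdr, s.AsSlice()...), d.AsSlice()...)
		hdr = binary.BigEndian.AppendUint16(hdr, src.Port())
		hdr = binary.BigEndian.AppendUint16(hdr, dst.Port())
		binary.BigEndian.PutUint16(hdr[14:16], uint16(len(hdr)-16)) // address block length
		return hdr, nil
	}
	return nil, fmt.Errorf("unsupported PROXY protocol version %d", version)
}

func main() {
	src := netip.MustParseAddrPort("192.0.2.10:51234") // constructed sample addresses
	dst := netip.MustParseAddrPort("198.51.100.7:443")
	v1, _ := buildProxyHeader(1, src, dst)
	v2, _ := buildProxyHeader(2, src, dst)
	fmt.Printf("%q\n%x\n", v1, v2)
}
```

A backend that is not configured to expect PROXY protocol will parse these bytes as application data, and one that accepts PROXY headers from untrusted peers lets them spoof the client address, so the backend listener should accept the header only from the Reality inbound host.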