Enable Proxy protocol
Because Cloudflare intercepts packets before forwarding them to your server, if you were to look up the client IP, you would see Cloudflare’s IP rather than the true client IP.
Some services you run may require knowledge of the true client IP. In those cases, you can use a proxy protocol for Cloudflare to pass on the client IP to your service. How proxy information is sent depends on whether the application uses TCP or UDP. For TCP, Spectrum supports adding Proxy Protocol v1, which is the human-readable version supported by Amazon ELB and NGINX. For UDP applications, Cloudflare has developed a custom proxy protocol called Simple Proxy Protocol.
This feature requires an Enterprise plan. If you would like to upgrade, contact your account team.
- Log in to the Cloudflare dashboard.
- Select Spectrum.
- Locate the application that will use the PROXY protocol and select Configure.
- From the dropdown, select PROXY Protocol v1.
When TCP applications are configured to use PROXY Protocol v1, Cloudflare will prepend each inbound TCP connection with the PROXY Protocol plain-text header.
PROXY Protocol prepends every connection with a header reporting the client IP address and port. A PROXY Protocol plain-text header has the format:
An example PROXY Protocol line for an IPv4 address would look like:
An example PROXY Protocol line for an IPv6 address would look like:
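An origin-side parser for the v1 plain-text header, as an added example that is not part of the Cloudflare documentation. It follows the public PROXY protocol v1 specification (`PROXY`, `TCP4`/`TCP6`/`UNKNOWN`, source address, destination address, source port, destination port, CRLF, at most 107 bytes); the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 line the spec allows, CRLF included
# Constructed sample: a v1 header followed by the first bytes of application data.
SAMPLE = b"PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\nGET / HTTP/1.1\r\n"


class ProxyHeaderError(ValueError):
    """The bytes at the start of the connection are not a valid v1 header."""


def _port(text):
    # Decimal digits only, no leading zeros, within the 16-bit port range.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError(f"bad port: {text!r}")
    return int(text)


def parse_proxy_v1(data):
    """Return (client_ip, client_port, payload); the first two are None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    payload = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("expected TCP4/TCP6 and four address fields")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family does not match protocol field")
    _port(fields[5])  # destination port is validated but not returned
    return str(src), _port(fields[4]), payload
```

Accept the header only on connections that arrive from the proxy's own address ranges: a client that can reach the origin directly can send any header it likes, so the reported client IP is only as trustworthy as the peer that wrote it.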
- Log in to the Cloudflare dashboard.
- Select Spectrum.
- Locate the application that will use the PROXY protocol and select Configure.
- From the dropdown, select PROXY Protocol v2.
When TCP applications are configured to use PROXY Protocol v2, Cloudflare will prepend each inbound TCP connection with the PROXY Protocol binary header.
When UDP applications are configured to use PROXY Protocol v2, Cloudflare will prepend the first UDP datagram on a stream with a PROXY Protocol binary header.
PROXY Protocol prepends every connection with a header reporting the client IP address and port.
A PROXY Protocol binary header for an IPv4 incoming address has the format:
A PROXY Protocol binary header for an IPv6 incoming address has the format:
When using Spectrum for UDP, the client source IP and port information can be obtained by using Simple Proxy Protocol, a lightweight protocol developed specifically for UDP.
To enable it, select Configure on a Spectrum application and toggle the setting for Simple Proxy Protocol to On.
Simple Proxy Protocol dictates that your origin must also prepend packets meant for the client with the same header, including original client source information. This is done to validate that packets coming in are in fact intended for the client.
For more information about Simple Proxy Protocol headers, refer to Simple Proxy Protocol headers.