TCP Proxy and Original Source IP


I am using Traefik as a TCP Proxy for my Plex container, using the config at the bottom.
This works fine for all internal and external users; however, in Plex it shows the Traefik container IP as the user IP.
With the HTTP proxy the original user IP is passed (I believe in an X-Forwarded-For header or something along those lines).
However, for the TCP proxy there is no such option.
Is there any way to show the original source IP instead of the Traefik IP?

The relevant part of my stack for reference:

    hostname: plex
    container_name: plex
      - ${VOL_CONF}/plex:/config
      - ${VOL_MEDIA}:/media
      - traefik-net
      - PUID=${ENV_PUID}
      - PGID=${ENV_PGID}
      - TZ=${ENV_TZ}
      - PLEX_UID=${ENV_PUID}
      - PLEX_GID=${ENV_PGID}
      - VERSION=docker
      replicas: 1
        condition: on-failure
        traefik.enable: "true" "32400" "true"
        traefik.http.routers.plex-int.entryPoints: "http"
        traefik.http.routers.plex-int.rule: "Host(`plex.${DOMAIN_INT}`)"
        traefik.http.routers.plex-int.service: "plex"

        traefik.http.routers.plex-ext-https.entryPoints: "https"
        traefik.http.routers.plex-ext-https.tls: "true"
        traefik.http.routers.plex-ext-https.rule: "Host(`plex.${DOMAIN_EXT}`)"
        traefik.http.routers.plex-ext-https.service: "plex" "32400"
        traefik.tcp.routers.tcp-plex-32400.entryPoints: "tcp-plex-32400"
        traefik.tcp.routers.tcp-plex-32400.rule: "HostSNI(`*`)"
        traefik.tcp.routers.tcp-plex-32400.service: "tcp-plex-32400"

Hi @Gibletron,
Thanks for your interest in Traefik.

As you might know, HTTP headers are not available at TCP level. To get rid of this limitation, HAProxy created a protocol called Proxy Protocol.
This protocol encapsulates the TCP connection with some basic headers to have more context in case of proxy connections.

You can enable this protocol in the configurations of your services. You can find more information here: Traefik Services Documentation - Traefik.


Additionally, in Swarm mode you may need to publish your ports in host mode, otherwise you could still end up with an overlay/Docker IP address.


Thank you very much for your responses, I did not know about this Proxy Protocol, will try later today and report back!

I'm having a tough time figuring out how this is supposed to work, and the (Traefik) documentation is somewhat limited on this.
Would it be possible for you to give me an example on how to enable Proxy Protocol?
Should I enable it only on the service level, as such: "2"

Should I also enable it on the tcp-plex-32400 entrypoint as such:

    Address = ":32400"
      insecure = true

Should I be able to see that ProxyProtocol is enabled in the Traefik dashboard?
When I do both of the above, Plex is no longer accessible externally; as such, I think I'm missing something vital.

Hi @Gibletron,

These 2 configurations solve different use cases.

  • When enabling Proxy Protocol on an Entrypoint, it allows Traefik to understand an incoming Proxy Protocol wrapped request. With this, you can for example restrict the access to some user IPs.
  • When enabling Proxy Protocol on a service, you ask Traefik to add Proxy Protocol headers to the forwarded request. It means that the IP/port from the incoming request will be added in the outgoing request.

In your scenario, you need the second option, enabling Proxy Protocol on a service. Your first snippet seems good to me. Once this step is done, you have only done half of the job, as your Plex server doesn't know yet how to understand this protocol. It can result in a badly formatted packet, depending on the expected protocol. To make it work, you should use a third-party library or implement the Proxy Protocol unwrapping yourself. This one is an example, but feel free to use another depending on your preferences: GitHub - inkel/viaproxy: Proxy Protocol support for Go net.Conn.
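
The unwrapping step described in the reply above, as an added example (not code from this thread, from Traefik or from inkel/viaproxy): a backend-side reader for a Proxy Protocol v2 header carrying TCP over IPv4 or IPv6, which honours the header only when the connection comes from the proxy's network. The names `ReadProxyV2` and `sampleStream`, the 10.0.0.0/24 proxy network and the sample addresses are assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

var v2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed 12-byte v2 signature

// ReadProxyV2 strips a v2 header from r and returns the client address it carries.
// Any client can write such a header, so peer (the real TCP peer) must be in trusted.
func ReadProxyV2(r *bufio.Reader, peer net.IP, trusted *net.IPNet) (*net.TCPAddr, error) {
	if !trusted.Contains(peer) {
		return nil, errors.New("proxy header from untrusted peer")
	}
	hdr := make([]byte, 16) // signature, ver/cmd, family/proto, 2-byte length
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	if !bytes.Equal(hdr[:12], v2Sig) || hdr[12] != 0x21 { // 0x21 = v2, PROXY command
		return nil, errors.New("not a v2 PROXY header")
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[14:]))
	if _, err := io.ReadFull(r, body); err != nil { // also consumes any TLVs
		return nil, err
	}
	n := map[byte]int{0x11: 4, 0x21: 16}[hdr[13]] // TCP over IPv4 / IPv6
	if n == 0 || len(body) < 2*n+4 {
		return nil, errors.New("unsupported address family")
	}
	port := binary.BigEndian.Uint16(body[2*n:]) // layout: src addr, dst addr, src port
	return &net.TCPAddr{IP: net.IP(body[:n]), Port: int(port)}, nil
}

// sampleStream is constructed: v2 header for 203.0.113.7:51234 -> 10.0.0.5:32400, then payload.
func sampleStream() []byte {
	addr := []byte{203, 0, 113, 7, 10, 0, 0, 5, 0xC8, 0x22, 0x7E, 0x90}
	return append(append(append([]byte{}, v2Sig...), 0x21, 0x11, 0, 12), append(addr, "GET /"...)...)
}

func main() {
	_, proxies, _ := net.ParseCIDR("10.0.0.0/24") // assumed proxy network
	fmt.Println(ReadProxyV2(bufio.NewReader(bytes.NewReader(sampleStream())), net.ParseIP("10.0.0.2"), proxies))
}
```

On a parse error the connection should be closed, because the header bytes have already been consumed from the stream.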

Ahhh clear! Thank you very much.
Seems for now that this isn't feasible for me; I will send in a feature request for Plex to support ProxyProtocol.
