Say I have two hosts, a.example.com and b.example.com, and only wish to enable proxy_protocol on a.example.com, which is behind a load balancer (b.example.com is used for direct healthchecks). Tried the following setup but getting an error.
a.example.com
server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;
    server_name a.example.com;

    location / {
        proxy_pass http://localhost:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_cache_bypass $http_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
}
b.example.com
server {
    listen 80;
    server_name b.example.com;

    location /healthcheck {
        proxy_pass http://localhost:8443;
        access_log off;
    }
}
Error
2019/08/06 17:40:50 [error] 10488#10488: *12 broken header: "GET /healthcheck HTTP/1.1
Host: b.example.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
" while reading PROXY protocol, client: 1.2.3.4, server: 0.0.0.0:80
If proxy_protocol is enabled for a listener on a given port, it applies to all server blocks that listen on that same port, whether they were specified or not. There is no way to override this for any particular server block. You will need to ensure that all traffic to that port either uses the PROXY protocol, or does not use it.
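A check for the condition this answer describes, as an added example (not code from the question or the answer): it scans an nginx configuration for listen sockets where some server blocks set proxy_protocol and others do not. The sample config is constructed from the question's two server blocks; the function names and the simple regex-based parsing (no include handling) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the question's two server blocks.
SAMPLE = """
server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;
    server_name a.example.com;
}
server {
    listen 80;
    server_name b.example.com;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def mixed_proxy_protocol(conf):
    """Return {socket: [(server_name, has_proxy_protocol), ...]} for sockets
    where some listeners set proxy_protocol and others do not."""
    conf = re.sub(r"#.*", "", conf)  # drop comments
    seen = defaultdict(list)
    for body in server_blocks(conf):
        name = re.search(r"\bserver_name\s+([^;]+);", body)
        name = name.group(1).split()[0] if name else "(unnamed)"
        for listen in re.finditer(r"\blisten\s+([^;]+);", body):
            addr, *opts = listen.group(1).split()
            sock = addr if ":" in addr else f"*:{addr}"  # bare port -> wildcard
            seen[sock].append((name, "proxy_protocol" in opts))
    return {s: v for s, v in seen.items() if len({p for _, p in v}) > 1}

if __name__ == "__main__":
    for sock, users in mixed_proxy_protocol(SAMPLE).items():
        print(f"{sock}: PROXY protocol applies to every server here: {users}")
```

Run against the question's configuration, it reports port 80, where b.example.com shares a socket with a PROXY-protocol listener.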