Is it possible to enable proxy_protocol only for one host on NGINX?

sunknudsen asked:

Say I have two hosts, a.example.com and b.example.com, and only wish to enable proxy_protocol on a.example.com, which is behind a load balancer (b.example.com is used for direct healthchecks). I tried the following setup but am getting an error.

a.example.com

server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;

    server_name a.example.com;

    location / {
        proxy_pass http://localhost:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_cache_bypass $http_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem;
}

b.example.com

server {
    listen 80;

    server_name b.example.com;

    location /healthcheck {
        proxy_pass http://localhost:8443;
        access_log off;
    }
}

Error

2019/08/06 17:40:50 [error] 10488#10488: *12 broken header: "GET /healthcheck HTTP/1.1
Host: b.example.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

" while reading PROXY protocol, client: 1.2.3.4, server: 0.0.0.0:80

My answer:


If proxy_protocol is enabled for a listener on a given port, it applies to all server blocks that listen on that same port, whether they were specified or not. There is no way to override this for any particular server block. You will need to ensure that all traffic to that port either uses the PROXY protocol, or does not use it.


View the full question and any other answers on Server Fault.
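An added example, not part of the original question or answer: a small Python check that groups `listen` directives by socket and reports any socket where only some server blocks declare `proxy_protocol`, which is the situation in the question. The function names and the inline sample config are constructed for illustration, and the parser assumes a single file with no `include` directives and no braces inside comments.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the two server blocks in the question.
SAMPLE_CONF = """
server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;
    server_name a.example.com;
    location / { proxy_pass http://localhost:8443; }
}
server {
    listen 80;
    server_name b.example.com;
    location /healthcheck { proxy_pass http://localhost:8443; }
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def mixed_proxy_protocol(conf):
    """Map each listen socket to the server names that do and do not set
    proxy_protocol on it, keeping only sockets where both lists are non-empty."""
    sockets = defaultdict(lambda: {"with": [], "without": []})
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else "(unnamed)"
        for listen in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *flags = listen.split()
            # A bare port such as "80" means the wildcard address on that port.
            key = addr if ":" in addr or not addr.isdigit() else "*:" + addr
            side = "with" if "proxy_protocol" in flags else "without"
            sockets[key][side].append(name)
    return {k: v for k, v in sockets.items() if v["with"] and v["without"]}

if __name__ == "__main__":
    for sock, names in mixed_proxy_protocol(SAMPLE_CONF).items():
        print(f"{sock}: proxy_protocol set by {names['with']}, "
              f"also applies to {names['without']}")
```

Any socket the check reports will expect the PROXY header from every client, including the direct healthcheck traffic that produced the "broken header" error in the question.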

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.