Is it possible to enable proxy_protocol only for one host on NGINX?

sunknudsen asked:

Say I have two hosts, and and only wish to enable proxy_protocol on which is behind a load balancer ( is used for direct healthchecks). Tried the following setup but getting an error.

server {
    listen 80 proxy_protocol;
    listen 443 proxy_protocol ssl;


    location / {
        proxy_pass http://localhost:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_cache_bypass $http_upgrade;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

server {
    listen 80;


    location /healthcheck {
        proxy_pass http://localhost:8443;
        access_log off;


2019/08/06 17:40:50 [error] 10488#10488: *12 broken header: "GET /healthcheck HTTP/1.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

" while reading PROXY protocol, client:, server:

My answer:

If proxy_protocol is enabled for a listener on a given port, it applies to all server blocks that listen on that same port, whether they were specified or not. There is no way to override this for any particular server block. You will need to ensure that all traffic to that port either uses the PROXY protocol, or does not use it.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.