proxy.addr configures listeners.
Each listener is configured with an address and a list of optional arguments in the form of
Each listener has a protocol which is configured with the proto option for which it routes and
The supported protocols are:
http for HTTP based protocols
https for HTTPS based protocols
grpc for GRPC based protocols
grpcs for GRPC+TLS based protocols
tcp for a raw TCP proxy with or without TLS support
tcp+sni for an SNI aware TCP proxy
If no proto option is specified then the protocol is http or https depending on whether a certificate source is configured via the cs option, which contains the name of the certificate source.
The TCP+SNI proxy analyzes the ClientHello message of TLS connections to extract the server name extension and then forwards the encrypted traffic to the destination without decrypting the traffic.
rt: Sets the read timeout as a duration value (e.g.
wt: Sets the write timeout as a duration value (e.g.
it: Sets the idle timeout as a duration value (e.g.
strictmatch: When set to true the certificate source must provide a certificate that matches the hostname for the connection to be established. Otherwise, the first certificate is used if no matching certificate was found. This matches the default behavior of the Go TLS server implementation.
pxyproto: When set to ‘true’ the listener will respect upstream v1 PROXY protocol headers. NOTE: PROXY protocol was on by default from 1.1.3 to 1.5.10. This changed to off when this option was introduced with the 1.5.11 release. For more information about the PROXY protocol, please see: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
pxytimeout: Sets PROXY protocol header read timeout as a duration (e.g. ‘250ms’). This defaults to 250ms if not set when ‘pxyproto’ is enabled.
tlsmin: Sets the minimum TLS version for the handshake. This value is one of tls12 or the corresponding version number from https://golang.org/pkg/crypto/tls/#pkg-constants
tlsmax: Sets the maximum TLS version for the handshake. See tlsmin for the format.
tlsciphers: Sets the list of allowed ciphers for the handshake. The value is a quoted comma-separated list of the hex cipher values or the constant names from https://golang.org/pkg/crypto/tls/#pkg-constants, e.g.
# HTTP listener on port 9999
proxy.addr = :9999

# HTTP listener on IPv4 with read timeout
proxy.addr = 22.214.171.124:9999;rt=3s

# HTTP listener on IPv6 with write timeout
proxy.addr = [2001:DB8::A/32]:9999;wt=5s

# Multiple listeners
proxy.addr = 126.96.36.199:9999;rt=3s,[2001:DB8::A/32]:9999;wt=5s

# HTTPS listener on port 443 with certificate source
proxy.addr = :443;cs=some-name

# HTTPS listener on port 443 with certificate source and TLS options
proxy.addr = :443;cs=some-name;tlsmin=tls10;tlsmax=tls11;tlsciphers="0xc00a,0xc02b"

# GRPC listener on port 8888
proxy.addr = :8888;proto=grpc

# GRPCS listener on port 8888 with certificate source
proxy.addr = :8888;proto=grpcs;cs=some-name

# TCP listener on port 1234 with port routing
proxy.addr = :1234;proto=tcp

# TCP listener on port 443 with SNI routing
proxy.addr = :443;proto=tcp+sni
The default is
proxy.addr = :9999
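
A proxy.addr value can be reviewed mechanically before it is deployed. The Go sketch below is an added example, not code from fabio or its documentation: Audit and split are hypothetical helpers that parse the listener syntax shown in the examples above and report tlsmin/tlsmax values below TLS 1.2, certificate-source listeners without strictmatch=true, and listeners with pxyproto=true. It assumes only the version names that appear on this page (tls10, tls11, tls12) and does not evaluate numeric version values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Version names shown on this page; numeric version values are not evaluated here.
var tlsNames = map[string]uint16{"tls10": tls.VersionTLS10, "tls11": tls.VersionTLS11, "tls12": tls.VersionTLS12}

// split cuts s on sep but not inside double quotes (tlsciphers="0xc00a,0xc02b" stays whole).
func split(s string, sep rune) (out []string) {
	start, quoted := 0, false
	for i, r := range s {
		if r == '"' {
			quoted = !quoted
		} else if r == sep && !quoted {
			out, start = append(out, s[start:i]), i+1
		}
	}
	return append(out, s[start:])
}

// Audit returns one finding per weak setting in a proxy.addr value.
func Audit(value string) (findings []string) {
	for _, listener := range split(value, ',') {
		parts, opts := split(listener, ';'), map[string]string{}
		for _, p := range parts[1:] {
			k, v, _ := strings.Cut(p, "=")
			opts[k] = strings.Trim(v, `"`)
		}
		for _, key := range []string{"tlsmin", "tlsmax"} {
			if ver, ok := tlsNames[opts[key]]; ok && ver < tls.VersionTLS12 {
				findings = append(findings, fmt.Sprintf("%s: %s=%s is below TLS 1.2", parts[0], key, opts[key]))
			}
		}
		if opts["cs"] != "" && opts["strictmatch"] != "true" {
			findings = append(findings, parts[0]+": strictmatch off, first certificate is used on hostname mismatch")
		}
		if opts["pxyproto"] == "true" {
			findings = append(findings, parts[0]+": pxyproto on, client address is taken from the PROXY header")
		}
	}
	return findings
}

func main() { // sample value assembled from this page's examples
	fmt.Println(strings.Join(Audit(`:9999;rt=3s,:443;cs=some-name;tlsmin=tls10;tlsmax=tls11;tlsciphers="0xc00a,0xc02b"`), "\n"))
}
```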