Hi,
the proxy protocol spec didn't specify UDP and therefore most
implementations treat it as a TCP connection and re-use the last sent
information for an IP/port pair.
This change makes it more clear.
diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
index 18d7031d5..12b40c677 100644
--- a/doc/proxy-protocol.txt
+++ b/doc/proxy-protocol.txt
@@ -1,4 +1,4 @@
-2020/03/05 Willy
Tarreau
+2026/04/27 Willy
Tarreau
HAProxy
Technologies
The PROXY protocol
Versions 1 & 2
@@ -31,6 +31,7 @@ Revision history
2025/09/09 - added SSL-related TLVs for key exchange group and signature
scheme (Steven Collison)
2026/01/15 - added SSL client certificate TLV (Simon Ser)
+ 2026/04/27 - clarified UDP usage (Valaphee)
1. Background
@@ -168,6 +169,13 @@ the receiver. But due to the places where such a
protocol is used, the above
simplification generally is acceptable because the risk of crossing such a
device handling one byte at a time is close to zero.
+For UDP, the PROXY protocol header and the proxied UDP payload MUST be
sent in
+the same datagram. The sender MUST NOT split the PROXY protocol header
across
+multiple UDP datagrams, and the receiver MUST parse the header
independently
+for each received datagram. A UDP datagram without a complete and valid
PROXY
+protocol header MUST NOT be processed as proxied traffic unless explicitly
+permitted by local configuration.
+
The receiver MUST NOT start processing the connection before it receives a
complete and valid PROXY protocol header. This is particularly important
for
protocols where the receiver is expected to speak first (eg: SMTP, FTP or
SSH).
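Review bot: The "unless explicitly permitted by local configuration" exception in the last added sentence conflicts with the unchanged paragraph right after it, which says the receiver "MUST NOT start processing the connection before it receives a complete and valid PROXY protocol header" with no exception. Either drop the exception or state what a receiver does with a headerless datagram when the exception is enabled (for example, treat it as unproxied traffic from the datagram's real source address) and what it does otherwise (discard it). The cover text says the goal is to stop implementations re-using the last sent information for an IP/port pair, but the new paragraph only says the header is parsed "independently for each received datagram"; consider adding an explicit sentence that a receiver MUST NOT apply addresses from a previously received header to a later datagram from the same IP/port pair. The following paragraph also still speaks of "the connection", which the new text leaves undefined for UDP.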
--
Have a nice day!
Valaphee