nic-6443 commented on code in PR #13561:
URL: https://github.com/apache/apisix/pull/13561#discussion_r3418100028


##########
docs/en/latest/stream-proxy.md:
##########
@@ -241,3 +241,39 @@ curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 -H 
"X-API-KEY: $admin_ke
 By setting the `scheme` to `tls`, APISIX will do TLS handshake with the 
upstream.
 
 When the client is also speaking TLS over TCP, the SNI from the client will 
pass through to the upstream. Otherwise, a dummy SNI `apisix_backend` will be 
used.
+
+## PROXY protocol
+
+APISIX can accept the [PROXY 
protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) on TCP 
stream ports and forward it to the upstream.
+
+The `apisix.proxy_protocol` options set the default for **all** TCP stream 
ports:
+
+```yaml
+apisix:
+  proxy_protocol:
+    enable_tcp_pp: true              # accept the PROXY protocol from the 
client
+    enable_tcp_pp_to_upstream: true  # send the PROXY protocol to the upstream
+  proxy_mode: http&stream
+  stream_proxy:
+    tcp:
+      - 9100
+      - 9101
+```
+
+To control the PROXY protocol per port, set `proxy_protocol` and/or 
`proxy_protocol_to_upstream` on a `stream_proxy.tcp` entry. The per-port value 
overrides the global default for that port:
+
+```yaml
+apisix:
+  proxy_protocol:
+    enable_tcp_pp: true              # default for ports that don't set 
`proxy_protocol`
+  proxy_mode: http&stream
+  stream_proxy:
+    tcp:
+      - addr: 9100                          # accepts the PROXY protocol 
(inherits the global default)
+      - addr: 9101
+        proxy_protocol: false               # opt this port out of accepting 
the PROXY protocol
+      - addr: 9102
+        proxy_protocol_to_upstream: true    # also send the PROXY protocol to 
the upstream
+```
+
+The accept side (`proxy_protocol`) is a per-listen directive, so ports with 
different settings can share one listener. The upstream side 
(`proxy_protocol_to_upstream`) is a server-level directive, so APISIX renders 
ports that send the PROXY protocol upstream into a separate `server` block.

Review Comment:
   Good catch — added a sentence to both the English and Chinese docs noting 
that UDP listens never send the PROXY protocol upstream and always stay in the 
plain `server` block. Done in f0c4e71.



##########
docs/zh/latest/stream-proxy.md:
##########
@@ -232,3 +232,39 @@ curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 -H 
"X-API-KEY: $admin_ke
 通过设置 `scheme` 为 `tls`,APISIX 将与上游进行 TLS 握手。
 
 当客户端也使用基于 TCP 的 TLS 上游时,客户端发送的 SNI 将传递给上游。否则,将使用一个假的 SNI `apisix_backend`。
+
+## PROXY 协议
+
+APISIX 可以在 TCP stream 端口上接收 [PROXY 
协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),并将其转发给上游。
+
+`apisix.proxy_protocol` 选项为**所有** TCP stream 端口设置默认值:
+
+```yaml
+apisix:
+  proxy_protocol:
+    enable_tcp_pp: true              # 接收来自客户端的 PROXY 协议
+    enable_tcp_pp_to_upstream: true  # 向上游发送 PROXY 协议
+  proxy_mode: http&stream
+  stream_proxy:
+    tcp:
+      - 9100
+      - 9101
+```
+
+如需按端口控制 PROXY 协议,可在 `stream_proxy.tcp` 条目上设置 `proxy_protocol` 和/或 
`proxy_protocol_to_upstream`。端口级别的设置会覆盖该端口的全局默认值:
+
+```yaml
+apisix:
+  proxy_protocol:
+    enable_tcp_pp: true              # 未设置 `proxy_protocol` 的端口的默认值
+  proxy_mode: http&stream
+  stream_proxy:
+    tcp:
+      - addr: 9100                          # 接收 PROXY 协议(继承全局默认值)
+      - addr: 9101
+        proxy_protocol: false               # 该端口不接收 PROXY 协议
+      - addr: 9102
+        proxy_protocol_to_upstream: true    # 该端口同时向上游发送 PROXY 协议
+```
+
+接收侧(`proxy_protocol`)是 listen 
级别的指令,因此设置不同的端口可以共用一个监听块。上游侧(`proxy_protocol_to_upstream`)是 server 级别的指令,因此 
APISIX 会把向上游发送 PROXY 协议的端口渲染到单独的 `server` 块中。

Review Comment:
   Good catch — added a sentence to both the English and Chinese docs noting 
that UDP listens never send the PROXY protocol upstream and always stay in the 
plain `server` block. Done in f0c4e71.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to