caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Built in proxy protocol doesn't work with AWS load balancer #5863

Closed KorvinSzanto closed 8 months ago

KorvinSzanto commented 10 months ago

I'm trying to migrate away from pires/go-proxyproto to the newly embedded proxyprotocol in caddy but I'm having a hard time getting things working with proxy protocol enabled AWS load balancers. My config looks like this:

{
    debug
    servers {
        listener_wrappers {
            # strip the PROXY protocol header the load balancer prepends;
            # this wrapper must come before the tls wrapper
            proxy_protocol {
                timeout 2s
                allow 192.168.86.1/24
            }
            tls
        }
    }
}

caddytest.mydomain.com:443 {
    # upstream uses a self-signed certificate, so verification is skipped
    reverse_proxy https://127.0.0.1:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

And attempting to access caddy through the LB outputs:

2023/10/06 16:58:04.254 DEBUG   http.stdlib http: TLS handshake error from 192.168.86.42:5943: invalid length

and gives me ERR_CONNECTION_CLOSED in the browser. If I use my fork of rocketreferrals/caddy-go-proxyproto things work as expected.

francislavoie commented 10 months ago

Your fork doesn't have allow. Does it work any better if you omit that from your config (i.e. is that actually the right CIDR to trust)?

I don't use AWS so I won't be able to debug this. We use https://github.com/mastercactapus/proxyprotocol. Apparently this is the same problem as https://github.com/mastercactapus/caddy2-proxyprotocol/issues/8. /cc @mastercactapus if you have any ideas.

KorvinSzanto commented 10 months ago

Does it work any better if you omit that from your config

Same behavior with the allow removed.

That issue does sound like the same issue I'm facing.

francislavoie commented 10 months ago

This has apparently been fixed by the tlv branch. You can build Caddy with the fix, see https://github.com/mastercactapus/proxyprotocol/issues/3#issuecomment-1755774950.
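The name of the branch that carries the fix suggests the problem lies in the TLV (type-length-value) extension records that some load balancers append to the PROXY protocol v2 header. The example below is added here and is not code from Caddy or from the proxyprotocol library: a small Go parser for a v2 header that consumes the whole length-prefixed block, TLVs included, so that the bytes handed to the TLS listener begin at the ClientHello. It also shows what a parser that stops after the address block hands on instead (the TLV bytes, which no TLS stack will accept as a record); that this is the mechanism behind the "invalid length" handshake error above is an assumption, not something the thread confirms. The sample bytes are constructed: the source address is the one from the log line, the 10.0.0.5:443 destination and the TLV value are made up, and 0xEA is the TLV type Amazon registered for its own extensions.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// v2Signature is the fixed 12-byte prefix of every PROXY protocol v2 header.
var v2Signature = []byte{0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A}

// TLV is one type-length-value extension record that follows the address block.
type TLV struct {
	Type  byte
	Value []byte
}

// Header is a parsed PROXY protocol v2 header.
type Header struct {
	Command  byte // 0 = LOCAL, 1 = PROXY
	Src, Dst net.Addr
	TLVs     []TLV
}

// ParseV2 reads exactly one v2 header and leaves r positioned on the first byte after it,
// which for a TLS listener must be the start of the ClientHello record.
func ParseV2(r *bufio.Reader) (*Header, error) {
	fixed := make([]byte, 16)
	if _, err := io.ReadFull(r, fixed); err != nil {
		return nil, err
	}
	if !bytes.Equal(fixed[:12], v2Signature) || fixed[12]>>4 != 2 {
		return nil, errors.New("not a PROXY protocol v2 header")
	}
	// Bytes 14-15 give the length of everything that follows: addresses AND TLVs.
	rest := make([]byte, binary.BigEndian.Uint16(fixed[14:16]))
	if _, err := io.ReadFull(r, rest); err != nil {
		return nil, err
	}
	h := &Header{Command: fixed[12] & 0x0F}
	var addrLen int
	switch fixed[13] >> 4 { // address family nibble
	case 0x0: // UNSPEC: no address block
	case 0x1: // INET: 4+4 byte addresses, 2+2 byte ports
		addrLen = 12
	case 0x2: // INET6: 16+16 byte addresses, 2+2 byte ports
		addrLen = 36
	default:
		return nil, errors.New("unsupported address family")
	}
	if len(rest) < addrLen {
		return nil, errors.New("length field shorter than address block")
	}
	if addrLen > 0 {
		n := (addrLen - 4) / 2 // 4 or 16 bytes per address
		cp := func(b []byte) net.IP { return net.IP(append([]byte(nil), b...)) }
		h.Src = &net.TCPAddr{IP: cp(rest[0:n]), Port: int(binary.BigEndian.Uint16(rest[2*n : 2*n+2]))}
		h.Dst = &net.TCPAddr{IP: cp(rest[n : 2*n]), Port: int(binary.BigEndian.Uint16(rest[2*n+2 : 2*n+4]))}
	}
	// Whatever remains inside the declared length is a sequence of TLV records.
	for tlvs := rest[addrLen:]; len(tlvs) > 0; {
		if len(tlvs) < 3 {
			return nil, errors.New("truncated TLV header")
		}
		l := int(binary.BigEndian.Uint16(tlvs[1:3]))
		if len(tlvs) < 3+l {
			return nil, errors.New("TLV value runs past the declared header length")
		}
		h.TLVs = append(h.TLVs, TLV{Type: tlvs[0], Value: append([]byte(nil), tlvs[3:3+l]...)})
		tlvs = tlvs[3+l:]
	}
	return h, nil
}

// BuildV2Header encodes an INET/STREAM PROXY v2 header with optional TLVs (IPv4 only, for the sample).
func BuildV2Header(src, dst *net.TCPAddr, tlvs []TLV) []byte {
	var body bytes.Buffer
	body.Write(src.IP.To4())
	body.Write(dst.IP.To4())
	binary.Write(&body, binary.BigEndian, uint16(src.Port))
	binary.Write(&body, binary.BigEndian, uint16(dst.Port))
	for _, t := range tlvs {
		body.WriteByte(t.Type)
		binary.Write(&body, binary.BigEndian, uint16(len(t.Value)))
		body.Write(t.Value)
	}
	var out bytes.Buffer
	out.Write(v2Signature)
	out.WriteByte(0x21) // version 2, command PROXY
	out.WriteByte(0x11) // family INET, protocol STREAM
	binary.Write(&out, binary.BigEndian, uint16(body.Len()))
	out.Write(body.Bytes())
	return out.Bytes()
}

// SampleConnection returns constructed bytes: a header carrying one TLV (type 0xEA, value made up),
// followed by the first bytes of a TLS ClientHello record (0x16 = handshake, 0x03 0x01 = version).
func SampleConnection() []byte {
	src := &net.TCPAddr{IP: net.ParseIP("192.168.86.42"), Port: 5943}
	dst := &net.TCPAddr{IP: net.ParseIP("10.0.0.5"), Port: 443} // constructed
	hdr := BuildV2Header(src, dst, []TLV{{Type: 0xEA, Value: []byte("vpce-example")}})
	return append(hdr, 0x16, 0x03, 0x01, 0x00, 0x00)
}

// BytesAfterHeader parses the header and returns what a correct wrapper passes to TLS.
func BytesAfterHeader(conn []byte) (*Header, []byte, error) {
	r := bufio.NewReader(bytes.NewReader(conn))
	h, err := ParseV2(r)
	if err != nil {
		return nil, nil, err
	}
	rest, err := io.ReadAll(r)
	return h, rest, err
}

// SkipAddressBlockOnly models a parser that ignores the length field and stops after the
// IPv4 address block: TLV bytes, not the ClientHello, are what TLS would then see.
func SkipAddressBlockOnly(conn []byte) []byte {
	return conn[16+12:]
}

func main() {
	conn := SampleConnection()
	h, rest, err := BytesAfterHeader(conn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client %s -> %s, %d TLV(s), TLS sees first byte 0x%02x\n", h.Src, h.Dst, len(h.TLVs), rest[0])
	fmt.Printf("address-block-only parser would hand TLS first byte 0x%02x\n", SkipAddressBlockOnly(conn)[0])
}
```

The parser trusts nothing beyond the declared length: a TLV whose length runs past it is rejected rather than read from the application data, and the caller should still only enable the wrapper for source addresses it trusts, which is what the allow directive in the config above is for.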