Core: reject PROXY protocol v1 for UDP connections.

PROXY protocol version 1 is undefined for UDP. If proxy_protocol_version is left at the default (1) on a UDP stream server, emit an error and fail the connection rather than writing a meaningless v1 header. Users must set proxy_protocol_version 2.
2026-05-13 09:36:42 +00:00 · 2026-04-20 14:01:14 -07:00 · 2026-04-20 14:01:14 -07:00 · 4599b51b57
commit 4599b51b57
parent a3799b0bfa
1 changed files with 7 additions and 0 deletions
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@ -772,6 +772,13 @@ ngx_proxy_protocol_write_conf(ngx_connection_t *c,
    ngx_array_t  *tlvs;

    if (conf->version != 2) {
+        if (c->type == SOCK_DGRAM) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "PROXY protocol version 1 is not supported "
+                          "for UDP, use \"proxy_protocol_version 2\"");
+            return NULL;
+        }
+
        buf = ngx_pnalloc(c->pool, NGX_PROXY_PROTOCOL_V1_MAX_HEADER);
        if (buf == NULL) {
            return NULL;