From 4599b51b576ba9a1b94c57191fa30b67a0f930ca Mon Sep 17 00:00:00 2001
From: Vadim Zhestikov <v.zhestikov@f5.com>
Date: Mon, 20 Apr 2026 14:01:14 -0700
Subject: [PATCH] Core: reject PROXY protocol v1 for UDP connections.

PROXY protocol version 1 is undefined for UDP.  If
proxy_protocol_version is left at the default (1) on a UDP stream
server, emit an error and fail the connection rather than writing a
meaningless v1 header.  Users must set proxy_protocol_version 2.
---
 src/core/ngx_proxy_protocol.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
index 05e25653b..de5b23e99 100644
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -772,6 +772,13 @@ ngx_proxy_protocol_write_conf(ngx_connection_t *c,
     ngx_array_t  *tlvs;
 
     if (conf->version != 2) {
+        if (c->type == SOCK_DGRAM) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "PROXY protocol version 1 is not supported "
+                          "for UDP, use \"proxy_protocol_version 2\"");
+            return NULL;
+        }
+
         buf = ngx_pnalloc(c->pool, NGX_PROXY_PROTOCOL_V1_MAX_HEADER);
         if (buf == NULL) {
             return NULL;