Skip to main content
Did you ever want to get the real ip instead of newt’s IP or traefik’s IP for TCP/UDP applications? Then follow below, Just be warned this is not a begineer guide. This guide shows how to enable Proxy Protocol manually until a GUI option becomes available. ⚠️ It’s an advanced setup, so you’ll be editing configuration files and running cli commands. ⚠️ In Pangolin, make a TCP resource or UDP resource.
Note: Not all applications support Proxy Protocol. If you send Proxy Protocol headers to an application that isn’t configured for it or doesn’t support it, the connection will fail entirely.

Creating the Resource

In Pangolin, go into Resources and create a TCP or UDP route like you normally would — pointing it to your resource which accepts Proxy Protocol. Say I’m using tcp-8888 with Pangolin. I configure it to hit my Proxy Protocol–enabled service such as Minecraft Paper or Velocity. It’ll give you a port to put into the compose file and an entryPoint to add into the traefik_config.yml. Only do the second, not the first.

Add the EntryPoint

Add an entrypoint in traefik_config.yml for the port you intend to use. 
entryPoints:
  tcp-22000: 
    address: ":22000/tcp"
I’m going to use tcp-22000 for this, and in Traefik under Gerbil, I’m going to add the same mapping: 
  gerbil:
    image: fosrl/gerbil
    container_name: gerbil
    restart: unless-stopped
    ports:
     - 51820:51820/udp
     - 21820:21820/udp
     - 443:443/tcp
     - 80:80/tcp
     - 22000:22000/tcp

Find the Service Address

Run the following command: 
docker exec pangolin curl http://localhost:3001/api/v1/traefik-config | jq
Look for the entry that resembles: 
  "tcp": {
    "routers": {
      "43-router": {
        "entryPoints": [
          "tcp-8888"
        ],
        "service": "43-service",
        "rule": "HostSNI(`*`)"
Follow this down further until you reach the service line — 43-service in this example: 
    "services": {
      "43-service": {
        "loadBalancer": {
          "servers": [
            {
              "address": "100.89.128.4:58655"
            }
          ]
        }
      },
Make a note of the address there.

Update Dynamic Configuration

Go into config/traefik_dynamic.yml and add:

TCP Example

tcp:
  routers:
    minecraft-rtr:
      rule: "HostSNI(`*`)"
      entryPoints:
        - "tcp-22000"
      service: minecraft-svc
  services:
    minecraft-svc:
      loadBalancer:
        serversTransport: proxy-protocol-v1 # Can be named anything really as long as it matches the defined transport.
        servers:
          - address: "100.89.128.4:58655"
  serversTransports:
    proxy-protocol-v1:
      proxyProtocol:
        version: 1 # Velocity can handle v2 also but in in doubt use version over version 2.

UDP Example

udp:
  routers:
    servicename-rtr:
      entryPoints:
        - "udp-22000"
      service: servicename-svc
  services:
    servicename-svc:
      loadBalancer:
        serversTransport: proxyprotocol-udp
        servers:
          - address: "100.89.128.4:58655"
  serversTransports:
    proxyprotocol-udp:
      proxyProtocol:
        version: 1
Also do note.. If you change the dummy (8888) info at all for the destination or the port or the site.. you will need to repopulate the info all over again. Starting from the JQ line above.

Downstream Applications

For downstream applications, you’ll need to configure them to trust Proxy Protocol connections originating from the system where Newt connects to the service. For example: If the Newt is running on Host B at 192.168.1.5, your service on Host A at 192.168.1.4 needs to trust 192.168.1.5 as a trusted Proxy Protocol source. Once Proxy Protocol is in play, the connection between Traefik and the backend must speak Proxy Protocol — otherwise it will refuse to connect.
I