PROXY v2 support

[lleyton]

Closes #540

[venkatamutyala]

@jpillora any this could get merged into main and into the next release?

[Skaronator]

I really want to get this feature merged. I resolved the merge conflicts in my branch if that helps: https://github.com/Skaronator/chisel/commits/proxy-protocol/

I also made a custom release available:

• Release Files: https://github.com/Skaronator/chisel/releases/tag/v1.11.3-skn
• Container Image: ghcr.io/skaronator/chisel:1.11.3-skn

Currently running this in my homelab and works great with Envoy Gateway API as Reverse Proxy.

[venkatamutyala]

@lleyton can you merge in the changes from @Skaronator ?

[oschonrock]

this is great stuff. However, from the commits it looks like "P" is only available for the "R" reverse proxy?

In my case, I am using a normal forward proxy and want chisel to log the "real-ip" passed to it from the nginx in front of it:

nginx.conf

    location /.tunnel {                                                                                                                                                                                                                                       
        proxy_pass http://127.0.0.1:8081/;                                                                                                                                                                                                                    
        proxy_http_version 1.1;                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                              
        proxy_set_header Host $host;                                                                                                                                                                                                                          
        proxy_set_header X-Real-IP $remote_addr;                                                                                                                                                                                                              
                                                                                                                                                                                                                                                              
        # Enable WebSocket proxying                                                                                                                                                                                                                           
        proxy_set_header Upgrade $http_upgrade;                                                                                                                                                                                                               
        proxy_set_header Connection "upgrade";                                                                                                                                                                                                                
    }       

possible?

[venkatamutyala]

this is great stuff. However, from the commits it looks like "P" is only available for the "R" reverse proxy?

In my case, I am using a normal forward proxy and want chisel to log the "real-ip" passed to it from the nginx in front of it:

nginx.conf

    location /.tunnel {                                                                                                                                                                                                                                       
        proxy_pass http://127.0.0.1:8081/;                                                                                                                                                                                                                    
        proxy_http_version 1.1;                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                              
        proxy_set_header Host $host;                                                                                                                                                                                                                          
        proxy_set_header X-Real-IP $remote_addr;                                                                                                                                                                                                              
                                                                                                                                                                                                                                                              
        # Enable WebSocket proxying                                                                                                                                                                                                                           
        proxy_set_header Upgrade $http_upgrade;                                                                                                                                                                                                               
        proxy_set_header Connection "upgrade";                                                                                                                                                                                                                
    }       

possible?

Use Proxy Protocol on nginx. That's how we are getting the correct client iP.

[oschonrock]

Use Proxy Protocol on nginx. That's how we are getting the correct client iP.

Not quite sure what you mean.
Obviously I am getting http logging in the nginx log,

81.xxx.xxx.xxx - - [23/Sep/2025:17:23:12 +0000] "GET /.tunnel HTTP/1.1" 101 9884 "-" "Go-http-client/1.1"

but I am running the chisel server with -v:

chisel server --host 127.0.0.1 --port 8081 --auth tunnel:password -v

and due to the abovementioned line in nginx.conf:

        proxy_set_header X-Real-IP $remote_addr;   

I was hoping that chisel would pick up this information from the X-Real_IP header and print that in its output, perhaps additionally.
Currently it is only printing the physical address, which is the meaningless 127.0.0.1:

Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: Fingerprint g+HYsRTLZ642sInY79eD6zlnxmG2MonnVPAJUVhFzHc=
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: User authentication enabled
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: Listening on http://127.0.0.1:8081
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: session#1: Handshaking with 127.0.0.1:51582...
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: session#1: Verifying configuration
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: session#1: tun: Created
Sep 23 17:23:12 pu chisel[98067]: 2025/09/23 17:23:12 server: session#1: tun: SSH connected
Sep 23 17:23:35 pu chisel[98067]: 2025/09/23 17:23:35 server: session#1: tun: conn#1: Open [1/1]

Does that make sense?

[venkatamutyala]

@oschonrock which chisel version are you using? With the one from @lleyton it lets you enable proxy protocol and if your nginx has proxy protocol enabled it'll get the IP. Not sure if this applies for FOSS nginx but something like this: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/#configure-nginx-to-accept-the-proxy-protocol

[oschonrock]

@venkatamutyala

I am currently using 1.11.3, not the @lleyton branch

But I looked at the commits on his branch and that seemed to allow "P" only in combination with "R".

How would I "enable proxy protocol" on the @lleyton branch for this "forward proxy" situation?
For my desired behaviour I need chisel to "read proxy headers and use them for logging" not produce them.

[venkatamutyala]

Sorry i missunderstood your original ask. I was thinking you wanted to have nginx log it out not chisel. I can't help you with this. Maybe @lleyton or @Skaronator can chime in here.

[lleyton]

@venkatamutyala

I am currently using 1.11.3, not the @lleyton branch

But I looked at the commits on his branch and that seemed to allow "P" only in combination with "R".

How would I "enable proxy protocol" on the @lleyton branch for this "forward proxy" situation? For my desired behaviour I need chisel to "read proxy headers and use them for logging" not produce them.

That isn't supported in my PR, I honestly never thought there was a usecase for that. I might be interested in working on that in a different PR.