ProxyProtocol (to the backend) incompatible with Consul Connect with Traefik > 3.5.1

[dani]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you do?

I have a nginx service exposed by Traefik. This service has to do TLS termination, but also needs to get the client's IP. For this, I configure Traefik to do tls passthrough, and contact the backend with the ProxyProtocolv2

simplified nginx config

  server {
    listen 127.0.0.1:8443 ssl proxy_protocol;
    server_name _;
    server_tokens off;
    ssl_certificate       "/secrets/cert.bundle.pem";
    ssl_certificate_key   "/secrets/cert.bundle.pem";
    real_ip_header proxy_protocol;
  }

Up to Traefik 3.5.1, everything was fine. All I had to do was enabling proxyprotocol at the loadbalancer level with these labels

traefik.tcp.routers.test.entrypoints=https
traefik.tcp.routers.test.tls.passthrough=true
traefik.tcp.services.test.loadbalancer.proxyprotocol.version=2

In Traefik 3.5.2 this was depcrecated, to use a custom serversTransport instead. 3.5.2 was broken (see bug #12055 ) but it was supposed to be fixed in 3.5.3. So, I create a new serverTransport like this (in Traefik config file)

tcp:    
  serversTransports:
    proxyproto-tcp:
      proxyProtocol:
        version: 2

And changed my labels accordingly

traefik.tcp.routers.test.entrypoints=https
traefik.tcp.routers.test.tls.passthrough=true
traefik.tcp.services.test.loadbalancer.serverstransport=proxyproto-tcp

I expect my nginx backend to receive the client's IP with the proxyprotocol, just as before

What did you see instead?

Instead, when trying to reach my service through Traefik, the connection is immediatly closed. Nginx logs the errors

2025-09-26 12:03:26.334 2025/09/26 14:03:26 [error] 20#20: *108 broken header: "����������m��E��8��y�@?8��t���}�is� �3m��ah|��+�fZ� ::�������+�/�,�0������/5���ZZ���my.service.com������h2�http/1.1D����h2" while reading PROXY protocol, client: 127.0.0.1, server: 127.0.0.1:8443
2025-09-26 12:03:26.369 2025/09/26 14:03:26 [error] 20#20: *109 broken header: "�����������ߧ1�K�[�[�+�n�C6�Zo#X�. p���QX�8H]��Kg�cA�" while reading PROXY protocol, client: 127.0.0.1, server: 127.0.0.1:8443

It looks like the ProxyProtocol header is still not sent in Traefik 3.5.3. I'm not sure what motivated this change, as everything was simple and working in 3.5.1 (and before). Now, it's harder to configure (you must declare a serversTransport in the config file). And it seems not to be working at all (or maybe I'm missing something but I followed the doc)

What version of Traefik are you using?

Version: 3.5.3
Codename: chabichou
Go version: go1.24.7
Built: 2025-09-26T09:20:06Z
OS/Arch: linux/amd64

What is your environment & configuration?

# (paste your configuration here)

Add more configuration information here.

If applicable, please paste the log output in DEBUG level

No response

[dani]

Some more info : I'm using all this using consulcatalog provider, and enabling the consulcatalog.connect. After enabling DEBUG log on Traefik, I can see that when using consulconnect, Traefik automatically creates a serversTransport per service, to configure the TLS part. And afaik, there's no way to customize or override this server transport

"tls-default-dc1-test":{"tls":{"insecureSkipVerify":true,"peerCertURI":"spiffe:///ns/default/dc/dc1/svc/test","serverName":"default-dc1-test"}}

"test":{"loadBalancer":{"servers":[{"address":"10.99.9.10:29826","tls":true}],"serversTransport":"tls-default-dc1-test"}}

So it seems ProxyProtocol cant be used at all anymore in this situation. This would really be problematic for me.

[rtribotte]

Hi @dani,

Thanks for reporting this, and sorry for the inconvenience.

The fix for #12055 only fixed the value transmitted into the proxy protocol header.

If we correctly understand your situation, the serverTransport created automatically for ConsulCatalog Connect isn't customizable and doesn't allow you to enable proxy protocol.

The option on the load balancer is only deprecated and still functional; does it work when using it?

[dani]

Nop, using the traefik.tcp.services.test.loadbalancer.proxyprotocol.version=2 label isn't working anymore with Traefik > 3.5.1

[dani]

After some more tests : I can get the new way to configure ProxyProtocol to work (using a custom serversTransport defined in my dynamic configuration file) only if I disable consul connect (with traefik.consulcatalog.connect=false label). When connect is enabled, the label traefik.tcp.services.test.loadbalancer.serverstransport is ignored, and a default serversTransport is used instead (and this default transport doesn't have proxyprotocol set of course). So this new way to configure ProxyProtocol at the serversTransport level only (instead of the loadbalancer as before) breaks consul connect integration.

[rtribotte]

@dani Thanks again for the report, we identified the bug. As you cannot configure the serversTransport created by the ConsulCatalog provider, and because the serversTransport configuration has the precedence over the load-balancer configuration, there is no way to enable proxy protocol (when using Consul Connect).

[rtribotte]

Thanks for the bug report, we were able to reproduce it. We would love community support to address it.

We think some extra conf should be made available at the Connect configuration level to allow configuring Proxy Protocol for the ServersTransport created by Traefik.

If you or another community member would like to build it, let us know, and we will work with you to make sure you have all the information needed so that it can be merged.

Don’t forget to check out the contributor docs and to link the PR to this issue.
If not, we will leave the issue open to any interested community member.