Proxy protocol in ejabberd

This article describes how to configure HAProxy and ejabberd together. If you run a proxy in front of ejabberd, support for the proxy protocol is a new feature that lets the XMPP server know the real IP address of the connecting client instead of seeing only the IP address of the proxy server.

The proxy protocol was invented by HAProxy, but is now supported by many projects such as Apache, nginx, Varnish and AWS ELB. You can check the specification of that protocol here.

By using this feature, ejabberd will show the real IP addresses in logs and you will be able to use access control rules that rely on these IP addresses.

We assume you already have HAProxy and ejabberd installed. To enable the proxy protocol, start by editing the HAProxy configuration. We need to add send-proxy-v2 to the server line in the backend section:

frontend c2s
        mode tcp
        bind *:5222
        default_backend c2s_backend

backend c2s_backend
        mode tcp
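        # <ejabberd-host> is a placeholder; 5225 is the ejabberd listener port configured below
        server l <ejabberd-host>:5225 send-proxy-v2 # <- This is the place where we need to add that flag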

Next, in the ejabberd configuration, we need to add the use_proxy_protocol: true option to the corresponding listen section:

listen:
  -
    port: 5225
    module: ejabberd_c2s
    use_proxy_protocol: true # <- Important part

Note that an ejabberd listener with this option enabled will reject every connection that does not send proxy protocol data before the real traffic. Don’t enable this option unless you are using a proxy that generates it!
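To make that rejection behaviour concrete, here is an added example (not code from ejabberd or HAProxy) that parses the version 2 header which send-proxy-v2 prepends to each connection, following the published header layout. The function names, the sample addresses and the sample stream bytes are constructed for illustration.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header (from the spec)
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

class ProxyHeaderError(ValueError):
    """The stream did not start with a valid PROXY v2 header."""

def parse_proxy_v2(data: bytes):
    """Return ((src_ip, src_port), (dst_ip, dst_port), payload).

    Both address pairs are None for a LOCAL command (e.g. a proxy health check).
    """
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ProxyHeaderError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported version")
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    command = ver_cmd & 0x0F
    if command == 0:  # LOCAL: connection made by the proxy itself
        return None, None, payload
    if command != 1:  # only PROXY (0x1) carries client addresses
        raise ProxyHeaderError("unknown command")
    # Address size per family nibble: 0x1 = IPv4 (4 bytes), 0x2 = IPv6 (16 bytes)
    addr_len = {0x1: 4, 0x2: 16}.get(fam_proto >> 4)
    if addr_len is None or len(body) < 2 * addr_len + 4:
        raise ProxyHeaderError("unsupported family or short address block")
    src = ipaddress.ip_address(body[:addr_len])
    dst = ipaddress.ip_address(body[addr_len:2 * addr_len])
    sport, dport = struct.unpack("!HH", body[2 * addr_len:2 * addr_len + 4])
    return (str(src), sport), (str(dst), dport), payload

def build_v2_ipv4(src, sport, dst, dport):
    """Build a constructed sample header: PROXY command, TCP over IPv4."""
    addrs = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body = addrs + struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

# Constructed input: documentation-range addresses, then the start of an XMPP stream
STREAM = b"<?xml version='1.0'?><stream:stream>"
SAMPLE = build_v2_ipv4("203.0.113.7", 51234, "192.0.2.10", 5222) + STREAM
```

A stream that begins directly with XMPP data fails the signature check, which is why clients connecting without the proxy are refused. The header is not authenticated, so a listener that accepts it should be reachable only from the proxy; otherwise any client could supply an address of its choosing.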


2 thoughts on “Proxy protocol in ejabberd”

    • This module doesn’t have a listener, but I am guessing you are interested in using ejabberd’s built-in stun/turn support? Unfortunately this is currently not supported; we probably could add support in turn for that, but I don’t think we can do that for stun, which uses the udp protocol – I don’t think that proxy protocol can work on a udp connection.
