First issue: you need NGINX >= 1.9.10, as there was a bug with using
proxy_protocol on IPv6 listeners. If you’re on Debian Jessie, you can get a suitable version from Jessie backports.
PROXY protocol version
Second issue: NGINX only speaks PROXY protocol v1 and our proxy was attempting to speak v2.
v1 is a human readable plain text protocol, whereas v2 is binary. If you see something like this in the error log:
2016/05/09 11:11:30 [error] 6058#6058: *1 broken header: " QUIT ! ]Y??.????PGET / HTTP/1.1
Then that’s a good sign that you’ve got a v2 reverse proxy talking to you.
We’ve now changed our proxy to only speak PROXY protocol v1 by default. We will look into making this a configurable option in the future. The Apache module seems happy speaking either version.
Whilst we’re here, here are some other failure modes you might see. This in the access log, is v2 PROXY protocol being spoken to NGINX which is not configured for PROXY protocol at all.
2a00:1098:0:82:1000:3b:1:1 - - [09/May/2016:11:08:55 +0100] "\x00" 400 172 "-" "-"
And this is v1 PROXY protocol being spoken to NGINX which is not configured for it:
2a00:1098:0:82:1000:3b:1:1 - - [09/May/2016:11:39:30 +0100] "PROXY TCP4 126.96.36.199 188.8.131.52 64221 80" 400 173 "-" "-"