Proxy protocol support

Registered by Laurynas Biveinis

Add proxy protocol support to the server. The proxy protocol allows an intermediate proxying server between the server and the ultimate client (i.e. HAProxy) to provide the source client address to the server, which normally would only see the proxying server address instead. The correct source client address then might be used in mysql.user for access control, provide more exact information for the error log, audit plugins etc.

As the proxy protocol amounts to spoofing the client address, it is disabled by default, and can be enabled on per-host or per-network basis for the trusted source addresses where trusted proxy servers are known to run.

The option is a global-only, read-only variable proxy-protocol-networks, which is either a '*' (to enable proxying globally), either a list of comma-separated IPv4 and IPv6 network and host addresses, for which proxying is enabled. Network addresses are specified in CIDR notation, i.e.

Only TCP/IPv4 and TCP/IPv6 are supported. UNIX socket (and strictly speaking Windows named pipe) connections can not be proxied and do not fall under the effect of proxy-protocol-networks='*'.

As a special exception, it is forbidden for the proxied IP address to be / ::1.

The protocol specification is at
The implementation is based on a patch developed by Thierry Fournier.

Blueprint information

Laurynas Biveinis
Laurynas Biveinis
Laurynas Biveinis
Series goal:
Accepted for 5.6
Milestone target:
milestone icon 5.6.25-73.0
Started by
Laurynas Biveinis
Completed by
Laurynas Biveinis

Related branches



Only a very small part of functionality is covered by MTR (option parsing and unproxied connection rejection on a proxied source address). I have considered adding support for writing proxy headers to libmysqlclient and then making use of this in mysqltest, but rejected this as libmysqlclient would be forced to carry this testing code, which has very limited use. Thus, this needs system level tests:

For both ipv4 and ipv6:
1) proxied connections are accepted on proxied source address;
2) proxied connections are not accepted on an unproxied source address;
3) unproxied connections are not accepted on an proxied source address;
4) mysql.user containing user@foo and user@bar with different permissions, where foo = proxy ip, bar = real source ip. Verify that server treats a connecting user as user@bar and not user@foo correctly.
5) verify that the server error log and audit log entries show the correct ip where appropriate.
6) the proxy host IP is not subject to max_connect_errors but the proxied IPs are.

For docs (dbusby): Documentation to reflect concerns in
   implementation aka ability to shoot self in foot

   we can note in the documentation concerns over the need to ensure
   proper firewall ACL's in place for the feature along with /32 being
   a single host etc.


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.