mosquitto icon indicating copy to clipboard operation
mosquitto copied to clipboard
verified publisher icon eclipse

Feature request: Add support for PROXY protocol

Open giftkugel opened this issue 5 months ago • 8 comments

Context

I am running Mosquitto as MQTT broker and MQTT bridge in different configurations, fine so far.

But in my setup always applies: Mosquitto is running behind a reverse proxy (TCP). So TLS is terminated by the reverse proxy. Also fine so far.

My current issue is, that Mosquitto is not aware of the remote client IP used for connection. It only sees the internal IP address of reverse proxy.

New client connected from 10.89.0.115:44894 as mqtt-analyzer-sEjLRIlb (p2, c1, k60, u'hello').

So also for failed authorization it shows

New connection from 10.89.0.115:36824 on port 1883.
Client mqtt-explorer-0ac14b5f disconnected, not authorised.

Which makes it hard for tools like fail2ban to be used to automatically block the remote client IP in my firewall.

Feature request

Other applications tend to implement the PROXY protocol defined by HAProxy (see https://www.haproxy.org/download/3.3/doc/proxy-protocol.txt) to provide the real remote client IP to the application.

I would ❤️ to see such a feature in Mosquitto.

Mosquitto 2.1

I found this 5 years old issue, and an answer which is 1 year old. My question would be, when the version containing the feature will be released?

https://github.com/eclipse-mosquitto/mosquitto/issues/1482

giftkugel avatar Jul 17 '25 13:07 giftkugel

@giftkugel 2.1 will be released in a month or so. There will be support for both PROXY v1 and v2.

ralight avatar Jul 30 '25 15:07 ralight

@giftkugel 2.1 will be released in a month or so. There will be support for both PROXY v1 and v2.

Looking forward to use the 2.1 version. 🤞🏻

giftkugel avatar Jul 30 '25 15:07 giftkugel

I'm really looking forward to this feature!

In addition to supporting IP addresses, will it also implement PROXY-Protocol+SSL-TLV parsing so we can do something similar to VerneMQ's proxy_protocol_use_cn_as_username?

pieterhollander avatar Aug 01 '25 15:08 pieterhollander

@pieterhollander Yes, the already existing use_identity_as_username option will work in PROXY v2.

ralight avatar Aug 01 '25 17:08 ralight

Hi Roger, thanks for confirming this, that's awesome to hear! I cannot find it on Docker Hub, but is there any Docker container repository available with the latest develop branch? If so, I'd be very interested in already trying this out.

pieterhollander avatar Aug 04 '25 08:08 pieterhollander

Any update on the release date of version 2.1? 🤔

giftkugel avatar Sep 03 '25 20:09 giftkugel

@giftkugel The release is under review by the Eclipse Foundation, so "soon". A few weeks most likely.

ralight avatar Sep 26 '25 14:09 ralight

🔍 🧐

giftkugel avatar Nov 20 '25 18:11 giftkugel