Teleport
Run Teleport with the PROXY Protocol
This guide shows you how to configure the Teleport Auth Service and Proxy Service to run behind a layer 4 (L4) load balancer.
In this setup, the Auth Service and Proxy Service rely on the PROXY protocol to learn the IP addresses of clients when running behind an L4 load balancer. Reliable client IP information matters from a security standpoint, because features such as audit logging and IP pinning depend on it. If the PROXY protocol is not configured correctly, these features are compromised.
Users of Teleport Enterprise (Cloud) do not need to manage PROXY protocol settings. Teleport-managed Auth Service and Proxy Service deployments run behind an L4 load balancer with the PROXY protocol configured.
How it works
The PROXY protocol adds a prefix to a TCP connection containing information about the client IP. It is most commonly used when a network includes an L4 load balancer between the user and the endpoint service, like the Teleport Auth Service and Proxy Service.
L4 load balancers, by design, do not preserve the original client's IP address and port when forwarding a connection: the backend sees the load balancer's address as the peer. The PROXY protocol works around this by prepending a header carrying the client's original IP address and port to the TCP stream.
Here is an example of a PROXY protocol version 1 header. The fields are the address family, the client's (source) IP address, the destination IP address, the source port and the destination port, terminated by CRLF:
PROXY TCP4 127.0.0.1 127.0.0.2 12345 42\r\n
Prerequisites
- A self-hosted Teleport Enterprise account. If you want to get started with self-hosted Teleport Enterprise, contact Sales. You can also set up a demo environment with Teleport Community Edition. We recommend reading and understanding this guide completely before configuring your Teleport cluster to use the PROXY protocol.
- The tctl admin tool and tsh client tool, version >= 16.3.0. Visit Installation for instructions on downloading tctl and tsh.
Step 1/2. Plan your Teleport deployment
Misconfiguration of the PROXY protocol behavior can lead to security problems. Because the PROXY protocol has no built-in authentication, an attacker could send a forged PROXY protocol header to spoof their IP address. To prevent this, you must explicitly configure PROXY protocol settings according to your network setup:
- Determine which Auth Service and Proxy Service instances should enable the PROXY protocol. PROXY protocol behavior is controlled separately for the Auth Service and the Proxy Service.
  If there is a PROXY-enabled L4 load balancer between your Proxy Service and Auth Service instances, enable the PROXY protocol on the Auth Service. Otherwise, disable it.
  Teleport Proxy Service instances can also have different PROXY protocol settings. If you run only a subset of Proxy Service instances behind an L4 load balancer, you can enable the PROXY protocol for just those instances.
- Make sure that any Auth Service or Proxy Service instances that you run with PROXY protocol support are reachable only through the L4 load balancer, for example by restricting their listeners with firewall rules or security groups to the load balancer's address range. Otherwise an attacker could connect directly, send a forged PROXY header, and bypass IP pinning restrictions by spoofing their IP address. Teleport accepts at most one PROXY protocol header per incoming connection and rejects connections that carry more than one.
- If you do not run Teleport behind an L4 load balancer that sends PROXY headers, you must disable PROXY protocol support on the Auth Service and Proxy Service. Running Teleport behind an L4 load balancer that does not send PROXY protocol headers makes every incoming connection appear, from Teleport's point of view, to originate from the load balancer's IP address, which compromises the Teleport audit log and the IP pinning feature.
Step 2/2. Edit your static Teleport configuration
On a Teleport process, the Auth Service and Proxy Service can each support the PROXY protocol for their own communications with clients. To enable or disable the PROXY protocol, each service reads the proxy_protocol field in its section of the Teleport configuration file:
proxy_service:
proxy_protocol: on | off
# ...
auth_service:
proxy_protocol: on | off
By default, proxy_protocol is unspecified. You can set proxy_protocol to on or off:
- on: the PROXY protocol is enabled and mandatory. If a PROXY protocol header is received, the Teleport service parses the header and extracts the client's IP address and port. If the header is not present, the Teleport service rejects the connection with an error.
- off: the PROXY protocol is disabled and forbidden. Any connection that carries a PROXY protocol header is rejected.
We encourage users to explicitly set proxy_protocol to on or off depending on their network setup.
If proxy_protocol is unspecified, the associated Teleport service does not require the PROXY header on a connection, but parses it if present and replaces the client's source IP address with the one from the PROXY header. That address appears in audit events. Incoming connections that carry a PROXY header are also marked by setting their source port to 0, and this is visible in audit events as well.
IP pinning does not work if the proxy_protocol setting was not explicitly set in the configuration: connections marked with 0 as the source port are rejected during IP pinning checks.
The unspecified mode is not suitable for production. Use it only in test environments.
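The following Go program is an added illustration, not Teleport's own code, of the header format shown in "How it works" and of the three proxy_protocol modes described above. It parses a PROXY v1 line, enforces the on/off/unspecified semantics, rejects a second PROXY line on the same connection, and zeroes the recorded source port in unspecified mode, as the text describes. The type and function names, the error values, and the load balancer and client addresses in the sample payloads are constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ProxyMode mirrors the three states of Teleport's proxy_protocol field.
type ProxyMode int

const (
	ProxyUnspecified ProxyMode = iota // default: header optional, source port zeroed
	ProxyOn                           // header mandatory
	ProxyOff                          // header forbidden
)

// ClientAddr is the address a service would record for a connection.
type ClientAddr struct {
	IP              net.IP
	Port            int
	FromProxyHeader bool // true when the address was taken from a PROXY line
}

var (
	ErrMissingHeader   = errors.New("proxy_protocol is on but no PROXY header was received")
	ErrForbiddenHeader = errors.New("proxy_protocol is off but a PROXY header was received")
	ErrMalformed       = errors.New("malformed PROXY v1 header")
	ErrDuplicate       = errors.New("more than one PROXY header on a connection")
)

// parseProxyV1 parses one "PROXY TCP4|TCP6 src dst sport dport\r\n" line and
// returns the client (source) IP and port. The UNKNOWN family is rejected.
func parseProxyV1(line string) (net.IP, int, error) {
	if !strings.HasSuffix(line, "\r\n") {
		return nil, 0, ErrMalformed
	}
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, 0, ErrMalformed
	}
	src, dst := net.ParseIP(f[2]), net.ParseIP(f[3])
	if src == nil || dst == nil || (f[1] == "TCP4" && src.To4() == nil) {
		return nil, 0, ErrMalformed
	}
	sport, err1 := strconv.Atoi(f[4])
	dport, err2 := strconv.Atoi(f[5])
	if err1 != nil || err2 != nil || sport < 0 || sport > 65535 || dport < 0 || dport > 65535 {
		return nil, 0, ErrMalformed
	}
	return src, sport, nil
}

// acceptClient inspects the start of a connection and decides, according to
// mode, which client address to record. tcpAddr is the peer address reported
// by the TCP layer (the load balancer's address when an L4 LB is in front).
func acceptClient(r *bufio.Reader, tcpAddr *net.TCPAddr, mode ProxyMode) (ClientAddr, error) {
	peek, _ := r.Peek(6) // a short read simply means "no header"
	hasHeader := string(peek) == "PROXY "
	switch {
	case mode == ProxyOff && hasHeader:
		return ClientAddr{}, ErrForbiddenHeader // direct connection trying to spoof
	case mode == ProxyOn && !hasHeader:
		return ClientAddr{}, ErrMissingHeader // the load balancer was bypassed
	case !hasHeader:
		return ClientAddr{IP: tcpAddr.IP, Port: tcpAddr.Port}, nil
	}
	line, err := r.ReadString('\n')
	if err != nil {
		return ClientAddr{}, ErrMalformed
	}
	ip, port, err := parseProxyV1(line)
	if err != nil {
		return ClientAddr{}, err
	}
	// Exactly one PROXY line is allowed; a second one is rejected outright.
	if next, _ := r.Peek(6); string(next) == "PROXY " {
		return ClientAddr{}, ErrDuplicate
	}
	if mode == ProxyUnspecified {
		port = 0 // marks the connection; IP pinning checks reject port 0
	}
	return ClientAddr{IP: ip, Port: port, FromProxyHeader: true}, nil
}

// handle feeds a constructed payload through acceptClient as if it arrived
// from a load balancer at 10.0.0.5:40000 (address constructed for this example).
func handle(payload string, mode ProxyMode) (ClientAddr, error) {
	lb := &net.TCPAddr{IP: net.ParseIP("10.0.0.5"), Port: 40000}
	return acceptClient(bufio.NewReader(strings.NewReader(payload)), lb, mode)
}

func main() {
	header := "PROXY TCP4 203.0.113.7 10.0.0.9 51234 443\r\n" // constructed sample
	for _, mode := range []ProxyMode{ProxyUnspecified, ProxyOn, ProxyOff} {
		a, err := handle(header+"GET / HTTP/1.1\r\n", mode)
		fmt.Printf("mode=%d with header    -> %v:%d err=%v\n", mode, a.IP, a.Port, err)
		a, err = handle("GET / HTTP/1.1\r\n", mode)
		fmt.Printf("mode=%d without header -> %v:%d err=%v\n", mode, a.IP, a.Port, err)
	}
}
```

Running it shows the three outcomes the guide describes: in on mode a header-less connection is refused, in off mode a connection carrying a header is refused, and in unspecified mode the header is honoured but the recorded source port is 0, which is exactly why IP pinning cannot be relied on until proxy_protocol is set explicitly.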