IPv6 and PROXY protocol not working

[meiser79]

I have a dual-stack server running sslh 2.3.0 with PROXY protocol support.

My sslh.conf looks like this:

inetd: false;
numeric: true;
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";
listen:
(
{ host: "::"; port: "443"; },
{ host: "0.0.0.0"; port: "443"; }
);
protocols:
(
{ name: "ssh"; service: "ssh"; host: "192.168.1.1"; port: "22"; },
{ name: "tls"; host: "192.168.1.2"; port: "443"; sni_hostnames: [ "example.com" ]; proxyprotocol: 2; log_level: 1; }
);
on-timeout: "ssh";

On 192.168.1.2, there's an apache2 v2.4.66 running on Alpine Linux 3.22.2.

This configuration works with IPv4, but with IPv6, there's an issue.
When I run curl -6 https://example.com on my VPS (not in the same network) and I see:

* Host example.com:443 was resolved.
* IPv6: 2a01:xxxx
* IPv4: (none)
*   Trying [2a01:xxx]:443...
* Connected to example.com (2a01:xxx) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 
* Closing connection
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to example.com:443 

The sslh log does not show the typical
Tue Dec 23 12:17:56 2025 auth.info sslh[4520]: tls:connection from 2a01:xxx:47108 to 2a01:xxx:443 forwarded from 192.168.1.1:50054 to 192.168.1.2:443
and there're no packets received on apache2 side on port 443.

There's only a connect: Bad file descriptor on the console while running in foreground.

Could you please have a look? Thanks a lot in advance!

[meiser79]

OK, I now might understand that it's because of this code:

sslh/common.c

Lines 425 to 428 in 86188cd

	/* When transparent or using proxyprotocol, make sure both
	* connections use the same address family (e.g. IP4 on both sides) */
	if ((transparent || cnx->proto->proxyprotocol_is_present) && (a->ai_family != from.ai_addr->sa_family))
	continue;

And even if I configure e.g. "server" as host, I always resolves to the IPv6 address.
{ name: "tls"; host: "server"; port: "443"; sni_hostnames: [ "example.com" ]; proxyprotocol: 2; log_level: 1; }
It would be helpful if the host name is then resolved to either IPv4 or IPv6 depending on the incoming IP protocol.

Is there any possibility to change this behaviour?

[yrutschle]

I am not sure why it requires client-side and server-side connections being the same family when using proxyprotocol (it's mandatory for transparent, as of course it is the IP layer transporting the client-side IP address... so I guess the logic might have carried over to proxyptotocol)... but I see no reason you couldn't have a incoming IPv6, sslh relays over IPv4 with PP header indicating IPv6 data.

Can you try simply removing the proxyprotocol test, i.e.g:

    if ((transparent) && (a->ai_family != from.ai_addr->sa_family)) 
             continue; 

and check it works fine, in particular in the target server (which will receive IPv6 addresses in the PP header, over an IPv4 connection)?

[meiser79]

https://www.haproxy.org/download/2.7/doc/proxy-protocol.txt

4.2. IPv4 and IPv6 integration

The protocol also eases IPv4 and IPv6 integration : if only the first layer
(FW1 and PX1) is IPv6-capable, it is still possible to present the original
client's IPv6 address to the target server even though the whole chain is only
connected via IPv4.

But ChatGPT says that this is only valid for v2, not v1.

The packets are now forwarded, but the SSL handshake fails.

curl shows:

* Host example.com:443 was resolved.
* IPv6: 2a01:xxx
* IPv4: (none)
*   Trying [2a01:xxx:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
*   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS alert, decode error (562):
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
* closing connection #0
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

And apache's log shows:

[Tue Dec 23 20:35:17.559782 2025] [remoteip:debug] [pid 28584:tid 28584] mod_remoteip.c(922): [client 192.168.1.1:40054] AH03503: RemoteIPProxyProtocol: enabled on connection to 192.168.1.2:443
[Tue Dec 23 20:35:17.559867 2025] [ssl:debug] [pid 28584:tid 28584] ssl_engine_io.c(1476): (103)Connection aborted: [client 192.168.1.1:40054] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Dec 23 20:35:17.559875 2025] [ssl:info] [pid 28584:tid 28584] [client 192.168.1.1:40054] AH01998: Connection closed to child 2 with abortive shutdown (server example.com:443)

sslh log shows:
Tue Dec 23 20:54:25 2025 auth.err sslh[8277]: sslh-fork.c:232:accept:4:Interrupted system call

[yrutschle]

Ok, that makes sense... I'll remove the test (in a few days). I think the spec trumps what ChatGPT says, I see no technical reason v1 couldn't bridge IPv4 and IPv6, and the paragraph you referenced says nothing about that.

The sequence of logs you posted is a bit strange: sslh's accept() would be on the client side, and there will be no server-side connection to Apache until that accept() succeeded, and on top of that the sslh log is timestamped 20 minutes later, so I don't think there is a link :-)

Can you add some verboseness (probably at least verbose-connections and verbose-fd) to sslh to see it says is happening between curl and Apache?

[meiser79]

The timestamps are fine because I collected the traces step-by-step, but it was always the same test case.

Here's the log when executing curl -v -6 https://example.com:

ed Dec 24 12:33:30 2025 auth.debug sslh[6925]: accepted fd 5 (3 concurrent connections)
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: writing deferred on fd -1
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probing for ssh
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probed for openvpn: PROBE_NEXT
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probing for tls
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: writing deferred on fd -1
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probing for ssh
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probed for openvpn: PROBE_NEXT
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probing for tls
Wed Dec 24 12:33:30 2025 auth.err sslh[6925]: matching [example.com] with [example.com]
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: probed for tls: PROBE_MATCH
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: trying to connect to 192.168.1.2:443 family 2 len 16
Wed Dec 24 12:33:30 2025 auth.err sslh[6925]: pp_create_hrd:-11:v2 PROXY protocol header: invalid IPv6 dst IP
Wed Dec 24 12:33:30 2025 auth.info sslh[6925]: tls:connection from 2a02:xxx:50684 to 2a01:xxx:443 forwarded from 192.168.1.1:48106 to 192.168.1.2:443
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: flushing deferred data to fd 3
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: client socket closed
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: connection closed down
Wed Dec 24 12:33:30 2025 auth.err sslh[6925]: sslh-fork.c:232:accept:4:Interrupted system call
Wed Dec 24 12:33:30 2025 auth.debug sslh[6925]: child died, 2 concurrent connections remaining

So the issue is pp_create_hrd:-11:v2 PROXY protocol header: invalid IPv6 dst IP

[meiser79]

Same with v1:
Wed Dec 24 12:41:44 2025 auth.err sslh[7637]: pp_create_hrd:-25:v1 PROXY protocol header: invalid IPv6 dst IP

Could you please also fix the small typo in the error message? It's pp_create_hdr

[meiser79]

If I understand it correctly, it cannot be a mixed header.

If it's a mixed scenario, the IPv4 address should be converted into a v4-mapped IPv6 address. Below is my PoC patch.

The added debug output is then:
IPv6/IPv4: PROXY protocol header: src=2a01:xxx dst=::ffff:192.168.1.1 family=IPv6
IPv4/IPv4: PROXY protocol header: src=185.x.x.x dst=192.168.1.1 family=IPv4
IPv6/IPv6: PROXY protocol header: src=2a02:xxx dst=2a01:xxx family=IPv6

diff --git a/common.c b/common.c
index e27c50f..29cca62 100644
--- a/common.c
+++ b/common.c
@@ -422,9 +428,9 @@ static int connect_inet(struct connection *cnx, int fd_from, connect_blocking bl
                            cnx->proto->port);
     }
     for (a = cnx->proto->saddr; a; a = a->ai_next) {
-        /* When transparent or using proxyprotocol, make sure both 
-         * connections use the same address family (e.g. IP4 on both sides) */
-        if ((transparent || cnx->proto->proxyprotocol_is_present) && (a->ai_family != from.ai_addr->sa_family))
+        /* When transparent, make sure both connections use
+         * the same address family (e.g. IP4 on both sides) */
+        if (transparent && (a->ai_family != from.ai_addr->sa_family))
             continue;
         print_message(msg_connections_try, "trying to connect to %s family %d len %d\n",
                     sprintaddr(buf, sizeof(buf), a),
diff --git a/proxyprotocol.c b/proxyprotocol.c
index d163ae4..fcf285e 100644
--- a/proxyprotocol.c
+++ b/proxyprotocol.c
@@ -98,6 +98,9 @@ int pp_write_header(int pp_version, struct connection* cnx)
     uint16_t pp1_hdr_len;
     int32_t error;
 
+    int src_family = AF_UNSPEC;
+    int dst_family = AF_UNSPEC;
+
     struct sockaddr_storage ss;
     struct addrinfo addr;
     int res;
@@ -110,7 +113,7 @@ int pp_write_header(int pp_version, struct connection* cnx)
              &pp_info_in_v1.src_addr,
              &pp_info_in_v1.src_port);
     if (res == -1) return -1;
-    pp_info_in_v1.address_family = family_to_pp(addr.ai_addr->sa_family);
+    src_family = addr.ai_addr->sa_family;
 
     res = get_info(cnx->q[1].fd, SOCK,
              &addr,
@@ -118,11 +121,44 @@ int pp_write_header(int pp_version, struct connection* cnx)
              &pp_info_in_v1.dst_port
             );
     if (res == -1) return -1;
+    dst_family = addr.ai_addr->sa_family;
+
+    /*
+     * If src IPv6/dst IPv4 or src IPv4/dst IPv6,
+     * convert IPv4 to v4-mapped IPv6 (::ffff:a.b.c.d)
+     */
+    if (src_family == AF_INET6 && dst_family == AF_INET) {
+        char tmp[INET6_ADDRSTRLEN];
+
+        snprintf(tmp, sizeof(tmp), "::ffff:%s",
+            (char *)pp_info_in_v1.dst_addr);
+        strncpy((char *)pp_info_in_v1.dst_addr, tmp,
+            sizeof(pp_info_in_v1.dst_addr) - 1);
+        pp_info_in_v1.dst_addr[sizeof(pp_info_in_v1.dst_addr) - 1] = '\0';
+        dst_family = AF_INET6;
+    } else if (src_family == AF_INET && dst_family == AF_INET6) {
+        char tmp[INET6_ADDRSTRLEN];
+
+        snprintf(tmp, sizeof(tmp), "::ffff:%s",
+            (char *)pp_info_in_v1.src_addr);
+        strncpy((char *)pp_info_in_v1.src_addr, tmp,
+            sizeof(pp_info_in_v1.src_addr) - 1);
+        pp_info_in_v1.dst_addr[sizeof(pp_info_in_v1.dst_addr) - 1] = '\0';
+        src_family = AF_INET6;
+    }
+
+    pp_info_in_v1.address_family = family_to_pp(src_family);
+
+    print_message(msg_connections,
+        "PROXY protocol header: src=%s dst=%s family=%s\n",
+        pp_info_in_v1.src_addr,
+        pp_info_in_v1.dst_addr,
+        (pp_info_in_v1.address_family == ADDR_FAMILY_INET6 ? "IPv6" : "IPv4"));
 
     uint8_t *pp1_hdr = pp_create_hdr(pp_version, &pp_info_in_v1, &pp1_hdr_len, &error);
 
     if (!pp1_hdr) {
-        print_message(msg_system_error, "pp_create_hrd:%d:%s\n", error, pp_strerror(error));
+        print_message(msg_system_error, "pp_create_hdr:%d:%s\n", error, pp_strerror(error));
         return -1;
     }
     defer_write_before(&cnx->q[1], pp1_hdr, pp1_hdr_len);

[meiser79]

There're two issues:

1. the dst address is the outgoing IP address to the server, e.g. 192.168.1.1, instead of 192.168.1.2, because of using getsockname() in get_info(), changing it to getpeername() fixes it.
2. IPv4->IPv6 does not work as Apache does not accept v4-mapped as src address. EDIT: Found upstream bug report for this issue.
   Apache log shows:
   [Wed Dec 24 20:09:54.078620 2025] [remoteip:error] [pid 20365:tid 20365] [client 2a01:xxx:50446] AH03500: RemoteIPProxyProtocol: invalid client-address '::ffff:185.x.x.x' found in header 'PROXY TCP6 ::ffff:185.x.x.x 2a01:xxx 55432 443'

[meiser79]

This patch works with proxyprotocol v1 and v2, except the issue with Apache2 as described above.

diff --git a/common.c b/common.c
index e27c50f..29cca62 100644
--- a/common.c
+++ b/common.c
@@ -422,9 +428,9 @@ static int connect_inet(struct connection *cnx, int fd_from, connect_blocking bl
                            cnx->proto->port);
     }
     for (a = cnx->proto->saddr; a; a = a->ai_next) {
-        /* When transparent or using proxyprotocol, make sure both 
-         * connections use the same address family (e.g. IP4 on both sides) */
-        if ((transparent || cnx->proto->proxyprotocol_is_present) && (a->ai_family != from.ai_addr->sa_family))
+        /* When transparent, make sure both connections use
+         * the same address family (e.g. IP4 on both sides) */
+        if (transparent && (a->ai_family != from.ai_addr->sa_family))
             continue;
         print_message(msg_connections_try, "trying to connect to %s family %d len %d\n",
                     sprintaddr(buf, sizeof(buf), a),
diff --git a/proxyprotocol.c b/proxyprotocol.c
index d163ae4..a87b59c 100644
--- a/proxyprotocol.c
+++ b/proxyprotocol.c
@@ -74,6 +74,11 @@ static int get_info(int fd, sockpeer_t sockpeer, struct addrinfo* addr, libpp_ad
         CHECK_RES_RETURN(res, "getsockname", -1);
     }
 
+    if (addr->ai_addr->sa_family == AF_INET6) {
+        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)addr->ai_addr;
+        sin6->sin6_scope_id = 0;
+    }
+
     res = getnameinfo(addr->ai_addr, addr->ai_addrlen,
                       (char*)host, sizeof(*host),
                       serv_str, sizeof(serv_str),
@@ -98,6 +103,9 @@ int pp_write_header(int pp_version, struct connection* cnx)
     uint16_t pp1_hdr_len;
     int32_t error;
 
+    int src_family = AF_UNSPEC;
+    int dst_family = AF_UNSPEC;
+
     struct sockaddr_storage ss;
     struct addrinfo addr;
     int res;
@@ -110,19 +118,55 @@ int pp_write_header(int pp_version, struct connection* cnx)
              &pp_info_in_v1.src_addr,
              &pp_info_in_v1.src_port);
     if (res == -1) return -1;
-    pp_info_in_v1.address_family = family_to_pp(addr.ai_addr->sa_family);
+    src_family = addr.ai_addr->sa_family;
 
-    res = get_info(cnx->q[1].fd, SOCK,
+    res = get_info(cnx->q[1].fd, PEER,
              &addr,
              &pp_info_in_v1.dst_addr,
              &pp_info_in_v1.dst_port
             );
     if (res == -1) return -1;
+    dst_family = addr.ai_addr->sa_family;
+
+    /*
+     * If src IPv6/dst IPv4 or src IPv4/dst IPv6,
+     * convert IPv4 to v4-mapped IPv6 (::ffff:a.b.c.d)
+     */
+    if (src_family == AF_INET6 && dst_family == AF_INET) {
+        char tmp[INET6_ADDRSTRLEN];
+
+        snprintf(tmp, sizeof(tmp), "::ffff:%s",
+            (char *)pp_info_in_v1.dst_addr);
+        strncpy((char *)pp_info_in_v1.dst_addr, tmp,
+            sizeof(pp_info_in_v1.dst_addr) - 1);
+        pp_info_in_v1.dst_addr[sizeof(pp_info_in_v1.dst_addr) - 1] = '\0';
+        dst_family = AF_INET6;
+    } else if (src_family == AF_INET && dst_family == AF_INET6) {
+        char tmp[INET6_ADDRSTRLEN];
+
+        snprintf(tmp, sizeof(tmp), "::ffff:%s",
+            (char *)pp_info_in_v1.src_addr);
+        strncpy((char *)pp_info_in_v1.src_addr, tmp,
+            sizeof(pp_info_in_v1.src_addr) - 1);
+        pp_info_in_v1.dst_addr[sizeof(pp_info_in_v1.dst_addr) - 1] = '\0';
+        src_family = AF_INET6;
+    }
+
+    if (src_family == AF_INET6 || dst_family == AF_INET6)
+        pp_info_in_v1.address_family = family_to_pp(AF_INET6);
+    else
+        pp_info_in_v1.address_family = family_to_pp(AF_INET);
+
+    print_message(msg_connections,
+        "PROXY protocol header: src=%s dst=%s family=%s\n",
+        pp_info_in_v1.src_addr,
+        pp_info_in_v1.dst_addr,
+        (pp_info_in_v1.address_family == ADDR_FAMILY_INET6 ? "IPv6" : "IPv4"));
 
     uint8_t *pp1_hdr = pp_create_hdr(pp_version, &pp_info_in_v1, &pp1_hdr_len, &error);
 
     if (!pp1_hdr) {
-        print_message(msg_system_error, "pp_create_hrd:%d:%s\n", error, pp_strerror(error));
+        print_message(msg_system_error, "pp_create_hdr:%d:%s\n", error, pp_strerror(error));
         return -1;
     }
     defer_write_before(&cnx->q[1], pp1_hdr, pp1_hdr_len);

[meiser79]

BTW, HAProxy also uses v4-mapped IP addresses in v1 and v2.

https://github.com/haproxy/haproxy/blob/6fb521d2f63b8e5854e5bfbb10a7520614219be2/src/connection.c#L2020