This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
Optional PROXY protocol v2 support added to sentinel and daemon.
Full changelog
PROXY protocol v2 — real client IP propagation
This release adds optional PROXY protocol v2 support across the sentinel and daemon so containers behind TLS-passthrough hops can finally see the real client IP via `X-Forwarded-For`. Off by default; opt in with `--proxy-protocol` on both sides.
What's in it
- #105 — Sentinel: `WriteProxyV2` encoder; `--proxy-protocol` flag; header injected in the SNI router before raw-TCP forwarding. Real-Caddy e2e gated by `proxyproto_real_caddy` build tag.
- #106 — Daemon srv0: `--proxy-protocol` and `--proxy-protocol-trusted` flags; `ProxyManager.EnableProxyProtocol` installs a `[proxy_protocol, tls]` listener_wrapper chain + trusted_proxies, atomically via `/load` so other server fields are preserved.
- #107 — Daemon caddy-l4: pattern B wrapping (`[proxy_protocol, subroute]` outer route) so SNI passthrough routes (e.g. gRPC) keep working under PROXY. Lifecycle is wrapping-aware — `RouteSyncJob`'s CRUD doesn't undo the wrapping.
- #108 — Architecture documentation at `docs/PROXY-PROTOCOL.md`.
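
An added example, not Containarium's code: a minimal PROXY protocol v2 encoder for TCP over IPv4, plus the receiver-side rule that a header's client address is believed only when the connection arrives from a trusted proxy range. `EncodeV2`, `ClientAddr` and every address below are hypothetical names and constructed sample values; the project's `WriteProxyV2` and trusted-proxy handling may differ.

```go
package main

import (
	"bytes"
	"fmt"
	"net/netip"
)

// Fixed 12-byte v2 signature, then constructed sample values (documentation ranges).
var (
	sigV2        = []byte("\r\n\r\n\x00\r\nQUIT\n")
	sampleClient = netip.MustParseAddrPort("203.0.113.7:51234")
	sampleDest   = netip.MustParseAddrPort("10.0.0.5:443")
	sentinelPeer = netip.MustParseAddrPort("10.0.0.2:40000")
	strangerPeer = netip.MustParseAddrPort("198.51.100.9:40000")
	trustedNets  = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
)

// EncodeV2 builds a 28-byte v2 header for TCP over IPv4 (hypothetical helper).
func EncodeV2(src, dst netip.AddrPort) ([]byte, error) {
	if !src.Addr().Is4() || !dst.Addr().Is4() {
		return nil, fmt.Errorf("example covers TCP over IPv4 only")
	}
	s, d := src.Addr().As4(), dst.Addr().As4()
	h := append(append([]byte{}, sigV2...), 0x21, 0x11, 0x00, 0x0c) // v2 PROXY, TCP4, 12 address bytes
	h = append(append(h, s[:]...), d[:]...)
	return append(h, byte(src.Port()>>8), byte(src.Port()), byte(dst.Port()>>8), byte(dst.Port())), nil
}

// ClientAddr returns the address to log; the header counts only when peer is in a trusted prefix.
func ClientAddr(peer netip.AddrPort, first []byte, trusted []netip.Prefix) (netip.AddrPort, error) {
	ok := false
	for _, p := range trusted {
		ok = ok || p.Contains(peer.Addr())
	}
	if !ok || !bytes.HasPrefix(first, sigV2) {
		return peer, nil // untrusted sender or plain non-PROXY traffic: use the socket peer
	}
	if len(first) < 28 || first[12] != 0x21 || first[13] != 0x11 {
		return peer, fmt.Errorf("malformed or unsupported v2 header")
	}
	ip, _ := netip.AddrFromSlice(first[16:20]) // source address field
	return netip.AddrPortFrom(ip, uint16(first[24])<<8|uint16(first[25])), nil
}

func main() {
	hdr, _ := EncodeV2(sampleClient, sampleDest)
	fmt.Println(ClientAddr(sentinelPeer, hdr, trustedNets)) // header honoured
	fmt.Println(ClientAddr(strangerPeer, hdr, trustedNets)) // header ignored
}
```

The second call shows why the trusted list matters: the same header sent from outside the trusted range does not change the logged address.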
Recommended rollout
- Deploy daemon first with `--proxy-protocol --proxy-protocol-trusted=`. Wrappers pass through non-PROXY traffic gracefully.
- Verify HTTPS keeps working.
- Restart sentinel with `--proxy-protocol`.
- Verify the destination container's access log now shows the real client IP in `X-Forwarded-For`.
See `docs/PROXY-PROTOCOL.md` for the trust model, deploy state matrix, and rollback path.