Cannot pass through Http SSL, any issue for this configuration? #4697

Closed
3 of 11 tasks
sj7112 opened this issue Mar 7, 2025 · 2 comments

sj7112 commented Mar 7, 2025

Bug Description

External Nginx(EN) => FRP => Internal Nginx(IN)

At the beginning, I used the architecture below; everything worked fine, except for the real IP address.

EN: http > server > 443 ssl proxy_pass to https://127.0.0.1:6949
FRP: direct pass (type=TCP; External 6949 - Internal 443)
IN: http > server > 443 ssl proxy_pass to http://internalServer:80


In order to reuse the domain on multiple ports, get the real IP address, and simplify the SSL pass-through, I changed to the new architecture below.
EN (stream) => FRP (Transparent pass) => IN (SSL termination)


External nginx [ stream ]

map $ssl_preread_server_name $backend {
    pass.mydomain.com 127.0.0.1:6949;
}

server {
    listen 6886; # pass1
    listen 6887; # pass2
    ssl_preread on;
    proxy_protocol on;
    proxy_pass $backend;
}

frps / frpc: 0.61.1

[[proxies]]
name = "pass-md-ssl-110"
type = "tcp"
localIP = "127.0.0.1"
localPort = 443
remotePort = 6949
transport.proxyProtocolVersion = "v2"

Internal nginx [ http ]

server {
    listen 443 ssl proxy_protocol;
    http2 on;
    server_name  pass.mydomain.com;

    ssl_certificate /etc/letsencrypt/live/pass.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pass.mydomain.com/privkey.pem;

    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    access_log  /var/log/nginx/pass.access.log  main;

    location / {
        proxy_pass http://vw:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Major differences between method 1 and method 2:

  1. External Nginx changes to stream, change the ports from 443 to 68xx
  2. Install a new version of frps and frpc 0.61.1
    Add the statement: transport.proxyProtocolVersion = "v2"
  3. External Nginx changes:
    listen 443 ssl; => listen 443 ssl proxy_protocol;
    change the Real IP parameter to $proxy_protocol_addr;
    other minor changes

Issue: Only the proxy part is sent; no real content shows up!
Is anything wrong with my configuration?

frpc Version

0.61.1

frps Version

0.61.1

System Architecture

debian12/ubuntu24

Configurations

See above

Logs

172.18.0.1 - - [06/Mar/2025:17:07:42 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9067 6888" 400 157 "-" "-" "-"
172.18.0.1 - - [06/Mar/2025:17:08:22 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9132 6888" 400 157 "-" "-" "-"
172.18.0.1 - - [06/Mar/2025:17:08:22 +0000] "PROXY TCP4 1xx.xx.xx.xxx 172.17.16.5 9131 6888" 400 157 "-" "-" "-"

Steps to reproduce

...

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Owner

fatedier commented Mar 7, 2025

From gpt-4.5-preview

Your issue is caused by the Proxy Protocol header being added twice, causing the internal Nginx to misinterpret the incoming request and resulting in the 400 errors you've observed.

Root Cause:

  • External Nginx (stream mode) is already adding the Proxy Protocol header.
  • FRP with transport.proxyProtocolVersion = "v2" is adding another Proxy Protocol header layer, causing duplication.

Recommended Solution:

Remove the Proxy Protocol configuration from FRP to avoid double headers.
Update your FRP configuration as follows:

[[proxies]]
name = "pass-md-ssl-110"
type = "tcp"
localIP = "127.0.0.1"
localPort = 443
remotePort = 6949
# Remove or comment out this line:
# transport.proxyProtocolVersion = "v2"

This ensures only External Nginx handles the Proxy Protocol header, and internal Nginx receives exactly one header, resolving your problem.
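
Added example, not part of the issue thread or of frp's own code: a small Python check that peels PROXY protocol headers off the first bytes of a captured stream and reports whether more than one is stacked in front of the TLS record, which is the condition the comment above describes. The sample bytes, the 203.0.113.7 client address, the ports in the v2 header and the function names are constructed for illustration.

```python
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature


def peel_proxy_headers(data: bytes):
    """Return (headers, rest): leading PROXY headers in arrival order, then the remaining bytes."""
    headers = []
    while True:
        if data.startswith(V2_SIG) and len(data) >= 16:
            ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
            body = data[16:16 + length]
            if ver_cmd >> 4 != 2 or len(body) < length:
                break  # wrong version nibble or truncated header
            src = None
            if fam == 0x11 and length >= 12:  # TCP over IPv4: src, dst, sport, dport
                src = (socket.inet_ntoa(body[0:4]), struct.unpack("!H", body[8:10])[0])
            headers.append(("v2", src))
            data = data[16 + length:]
        elif data.startswith(b"PROXY "):
            end = data.find(b"\r\n", 0, 108)  # a v1 line is at most 107 bytes with CRLF
            if end < 0:
                break
            parts = data[:end].decode("ascii", "replace").split(" ")
            ok = len(parts) == 6 and parts[4].isdigit()
            headers.append(("v1", (parts[2], int(parts[4])) if ok else None))
            data = data[end + 2:]
        else:
            break
    return headers, data


def diagnose(data: bytes) -> str:
    """Classify what a 'listen ... ssl proxy_protocol' socket would be handed."""
    headers, rest = peel_proxy_headers(data)
    if len(headers) > 1:
        return "stacked: " + "+".join(version for version, _ in headers)
    if len(headers) == 1 and rest[:1] == b"\x16":  # 0x16 = TLS handshake record
        return "ok: one PROXY header, then TLS"
    return "unexpected: %d PROXY header(s), no TLS record next" % len(headers)


# Constructed sample: a v2 header (as frpc would prepend), a v1 line (as the
# stream proxy would send), then the first bytes of a TLS handshake record.
V2 = (V2_SIG + struct.pack("!BBH", 0x21, 0x11, 12)
      + socket.inet_aton("127.0.0.1") * 2 + struct.pack("!HH", 40000, 6949))
V1 = b"PROXY TCP4 203.0.113.7 172.17.16.5 9067 6888\r\n"
TLS = b"\x16\x03\x01\x00\x05hello"
```

The listener consumes only the first header, so in the stacked case the v1 line is what it tries to read next, matching the `"PROXY TCP4 ..." 400` entries in the log above.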


Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 25, 2025