#77 (comment)

第二个方案仅对支持 Proxy Protocol 的特定后端生效。

(When using shadow-tls as an SNI proxy, forwarding normal requests to nginx, there are several ways to pass the real IP to the nginx,) one of them is to connect to the backend with the Proxy protocol
But it introduces the problem that you can only connect to the backend implemented the Proxy protocol support, the choice would be limited.

There are projects like https://github.com/path-network/go-mmproxy meant to solve the problem. Speaking from experience, it works very well.

For me, apart from utilizing the IP_TRANSPARENT or the Proxy protocol, it seems there are no other ways to pass the real IP to the backend.

I would expect supporting Proxy protocol to be easier than utilizing the IP_TRANSPARENT, and it might also ease the requirements for users to enable passing the real IP to the backend.

Refer to:

• https://github.com/ihciah/shadow-tls/wiki/Security-Tips#sni-proxy-issue
• https://blog.cloudflare.com/mmproxy-creative-way-of-preserving-client-ips-in-spectrum/