v.21.1 New Features

Add PROXYv1 Protocol Support for IP Address Quotas in ClickHouse

Add support for the PROXYv1 protocol to wrap the native TCP interface. Allow quotas to be keyed by proxy-forwarded IP address (applied for the PROXYv1 address and for X-Forwarded-For from the HTTP interface). This is useful when you provide access to ClickHouse only via a trusted proxy (e.g. CloudFlare) but want to account user resources by their original IP addresses. This fixes #17268. #17707 (alexey-milovidov).
Added support for the PROXYv1 protocol to wrap the native TCP interface in ClickHouse, enabling quotas to be keyed by the original IP address forwarded by trusted proxies.

Why it matters

This feature allows ClickHouse deployments that sit behind trusted proxy servers (such as CloudFlare) to accurately track and enforce quotas based on the client's original IP address rather than the proxy's IP. It addresses the issue where resource accounting was previously inaccurate due to proxy forwarding, improving access control and usage monitoring.

How to use it

To use this feature, enable the PROXYv1 protocol wrapping on the native TCP interface in the server configuration. Quotas will then be applied based on the IP address provided by the PROXYv1 header or the X-Forwarded-For header from the HTTP interface, ensuring user sessions and resource limits correspond to the original client IP.
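
The forwarded address is a claim made by whoever opens the connection, so it is only meaningful as a quota key when the peer really is the trusted proxy. The sketch below parses a PROXYv1 header line and applies that rule; it is an added example, not ClickHouse's code, and the function names, the trusted-proxy CIDR list and the sample addresses used with it are assumptions for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest legal v1 header line, CRLF included (PROXY protocol spec)


def parse_proxy_v1(data: bytes):
    """Return (source_ip_or_None, payload_after_header); raise ValueError if malformed.

    Hypothetical helper for illustration, not a ClickHouse API.
    """
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    # decode() raises UnicodeDecodeError (a ValueError) on non-ASCII bytes
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":  # proxy could not determine the client address
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad protocol family or field count")
    # ip_address() raises ValueError on anything that is not a literal address
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != dst.version or src.version != int(fields[1][3]):
        raise ValueError("address family does not match TCP4/TCP6")
    for port in fields[4:6]:
        if not (port.isdigit() and int(port) <= 65535):
            raise ValueError("bad port")
    return src, rest


def quota_key_ip(peer_ip: str, data: bytes, trusted_proxies):
    """Pick the address to key a quota on.

    trusted_proxies is a list of CIDR strings (an assumption of this example).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        # A header sent by an untrusted peer is client-controlled: ignore it.
        return peer
    src, _ = parse_proxy_v1(data)
    # UNKNOWN carries no client address, so fall back to the socket peer.
    return src if src is not None else peer
```
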