AH03507: RemoteIPProxyProtocol: unsupported command 20

Help!
1

I have an HAProxy server on one machine that’s forwarding requests to Apache on 3 other machines using the Proxy Protocol 2.

On the Apache machine the log is being spammed with the following:

[Sun Dec 07 21:22:48.103096 2025] [remoteip:error] [pid 798] [client 10.7.6.107:38562] AH03507: RemoteIPProxyProtocol: unsupported command 20

The relevant Apache configuration is as follows:

Listen *:8088

<VirtualHost *:8088>
	RemoteIPProxyProtocol On
    RemoteIPProxyProtocolExceptions 127.0.0.1
</VirtualHost>

This is the corresponding HAProxy configuration:

backend cdn
	balance roundrobin
    server-template    default-server 3 cdn.pacyworld.com:8088 check resolvers pacydns init-addr none send-proxy-v2

I am running Apache 2.4.65 and HAProxy 3.2.5

2

The question is: does it work or not?

If everything works fine, but your Apache log keeps showing those errors likely some other systems, perhaps a monitoring system is accessing port 8088 on those backends directly without the proxy protocol.

If it doesn’t work, either component may not have the configuration applied fully or is buggy.

3

It does work (at least as far as I can tell). The IP address is from the HAProxy host, and there isn’t anything else running on that machine that would hit the Apache backend.

4

You have posted a correct 5 line snippet of the Apache configuration and a correct 3 line snippet of the haproxy configuration.

Other than saying that this part of the configuration is not wrong, there is really nothing to be done remotely.

Either you provide more information (like the full configuration with private data replaced instead of removed), or your capture the traffic and analyze the proxy protocol traffic.

5

I’ve narrowed this down to HAProxy health checks. When send-proxy-v2 is combined with check*. *The errors appear every ~2 seconds per server slot, matching the default health check interval. Real proxied traffic works fine.

Here’s the entire HAProxy file

global
    daemon
    log /dev/log local2 info

defaults
    log global
    option forwardfor
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 300s
	option httplog

resolvers pacydns
	nameserver ns1 10.7.7.10:53
	nameserver ns2 10.7.8.10:53
	nameserver ns3 10.7.6.10:53
	accepted_payload_size 8192

frontend CacheFrontend
    bind    *:8080 accept-proxy
	http-response add-header X-PacyWorld-Cache "REDACTED"
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy.d/domain2backend.map,default)]

backend default
    server            default-server pacy01:80

backend cdn
	balance roundrobin
    server-template    default-server 3 cdn.pacyworld.com:8088 check resolvers pacydns init-addr none send-proxy-v2

backend web01
    server            web01 web01.pacyworld.com:1080 send-proxy-v2

backend web02
    server            web02 web02.pacyworld.com:1080 send-proxy-v2

backend web03
    server            web03 web03.pacyworld.com:1080 send-proxy-v2

The domain2backend.map file is a simple domain to backend map as so named:

cdn.pacyworld.com	cdn

Apache Configuration:

/usr/local/etc/apache24/modules.d/000_remoteip.conf

Listen *:8088

<VirtualHost *:8088>
	RemoteIPProxyProtocol On
    RemoteIPProxyProtocolExceptions 127.0.0.1
</VirtualHost>

/usr/local/etc/apache24/sites.d/cdn.pacyworld.com.conf

<VirtualHost *:8088>
    ServerAdmin webmaster@pacyworld.com
    DocumentRoot "/usr/local/www/cdn.pacyworld.com/"
    ServerName cdn.pacyworld.com
    ErrorLog /var/log/cdn.pacyworld.com-error_log
    TransferLog /var/log/cdn.pacyworld.com-access_log
	
	<Directory "/usr/local/www/cdn.pacyworld.com">
		Require all granted
		Options +Indexes
	</Directory>
</VirtualHost>

httpd.conf loads those two files as well as making sure the appropriate modules are loaded:

LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
...
Include etc/apache24/Includes/*.conf
Include etc/apache24/sites.d/*.conf
6

Try setting the global option pp2-never-send-local to see if Apache gets confused with the LOCAL command.