Proxy Modes Reference
Each mode is a different way to route customer traffic to your origin. Choose based on your origin's capabilities, what visibility you need into client traffic, and how much setup work you're willing to do.
Where do I change this? From your staple IP dashboard, click the dropdown arrow next to Mode in the Assignment panel. See Step 3 — Choose Your Proxy Mode for the walkthrough.
Reverse Proxy
Internal name: ipt_proxy · Difficulty: EASY · Default mode
GatewaySentry accepts traffic at the edge and forwards it to your origin as a standard reverse proxy.
Use case
- Most websites and game servers.
- Anyone who wants the simplest possible setup.
Origin requirements
- None. No software changes, no scripts, no configuration on your end.
Tradeoffs
- Your origin sees connections coming from GatewaySentry's edge IPs, not the original client IP. This means logs, IP-based bans, and geolocation features on your origin will all see GatewaySentry instead of your real users.
- If you need the real client IP visible on your origin, choose Reverse Proxy + PROXY Protocol or one of the tunnel modes.
Reverse Proxy + PROXY Protocol
Internal name: rproxy_pp · Difficulty: MEDIUM
Same as standard Reverse Proxy, but GatewaySentry prepends a PROXY protocol v2 header to each connection. Your origin software reads this header and learns the real client IP.
Use case
- You want the simplicity of reverse proxy, but you also need real client IPs at your origin for IP-based bans, geolocation, or accurate access logs.
Origin requirements
- Your origin software must support PROXY protocol v2. Most modern web servers and load balancers do, including:
  - nginx (with `proxy_protocol` directive on the listening port)
  - HAProxy (with `accept-proxy` on the bind line)
  - Apache (with `mod_remoteip` and `RemoteIPProxyProtocol On`)
  - Most game server software supports it too — check your specific software's docs.
- The PROXY protocol header must be enabled only on the listener that receives traffic from GatewaySentry. Enabling it on a public-facing listener that doesn't receive PROXY headers will break connections.
Tradeoffs
- Slightly more setup than plain Reverse Proxy, but minimal compared to the tunnel modes.
- Slightly more processing per connection (negligible in practice).
- Misconfiguration is the most common pitfall — PROXY headers on the wrong listener will break things in confusing ways.
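The following Python parser is an added example, not GatewaySentry's own code. It reads a PROXY protocol v2 header the way an origin listener would and accepts it only when the TCP peer is inside a trusted edge range, because a listener that honours PROXY headers from any source lets the sender state an arbitrary client IP. The `TRUSTED_EDGES` range is a placeholder assumption and the function names are illustrative.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte v2 signature
# Assumption: placeholder range (TEST-NET-1); use the real GatewaySentry edge IPs.
TRUSTED_EDGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_pp2(peer_ip, data):
    """Return (client_ip, client_port, payload) for one accepted connection.

    peer_ip is the TCP peer address; data is the first bytes read from it.
    Raises ValueError when the header is untrusted or malformed.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_EDGES):
        # Anyone who can reach the listener could otherwise forge a client IP.
        raise ValueError("PROXY header from untrusted peer")
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol version 2")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL: connection made by the proxy itself
        return str(peer), None, payload
    if ver_cmd & 0x0F != 1:
        raise ValueError("unknown command")
    family = fam_proto >> 4
    if family == 1 and length >= 12:    # AF_INET: 4+4 address bytes, 2+2 ports
        src, sport = body[0:4], body[8:10]
    elif family == 2 and length >= 36:  # AF_INET6: 16+16 address bytes, 2+2 ports
        src, sport = body[0:16], body[32:34]
    else:
        raise ValueError("unsupported address family")
    return str(ipaddress.ip_address(src)), struct.unpack("!H", sport)[0], payload


def build_pp2_v4(src, dst, sport, dport):
    """Constructed sample header, as a TCP-over-IPv4 proxy would send it."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

The "missing PROXY v2 signature" path is what a PROXY-enabled listener hits when a client connects to it directly, which is the broken-connection symptom described above.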
GRE Tunnel
Internal name: gre · Difficulty: ADVANCED
A Generic Routing Encapsulation tunnel between GatewaySentry's edge and your origin. Packets are encapsulated and routed end-to-end, giving your origin full visibility into the original client IP and full control over routing decisions.
Use case
- You need protocol-level control or visibility (e.g., non-HTTP services, custom UDP protocols).
- You want every packet — not just web requests — protected.
- You need real client IPs at the network layer, not via an HTTP-style header.
Origin requirements
- Run the GRE setup script supplied by GatewaySentry on your origin server.
- Your Customer Key (visible on the staple IP dashboard) is used by the script to fetch tunnel configuration from GatewaySentry's peering and tunnel management system.
- Your network must allow GRE (IP protocol 47). Some hosting providers and firewalls block GRE by default.
- Your origin OS must support GRE tunnels (Linux, BSD, and most enterprise routers do).
Tradeoffs
- Most flexible mode — you have end-to-end packet visibility and routing control.
- More complex to set up and maintain.
- GRE is sometimes blocked or rate-limited by upstream networks. If GRE doesn't work in your environment, try FOU Tunnel instead.
FOU Tunnel
Internal name: fou · Difficulty: ADVANCED · Linux only
Foo-over-UDP — a lightweight kernel tunnel that encapsulates IP traffic inside UDP packets. Lower overhead than GRE and the fastest tunnel option available.
Use case
- You want tunnel-level routing like GRE, but with better performance.
- Your network blocks or rate-limits GRE (a common issue in cloud environments).
- You need maximum throughput with minimum overhead.
Origin requirements
- Linux only. FOU is a Linux kernel feature; it is not available on Windows, macOS, or BSD.
- Your Customer Key (visible on the staple IP dashboard) is used by the FOU setup script to fetch tunnel configuration from GatewaySentry's peering and tunnel management system.
- Outbound UDP must be permitted on the FOU port (typically configurable).
Tradeoffs
- Best performance of the four modes for high-throughput traffic.
- Linux-only — rules out Windows or BSD origins.
- Like GRE, it's the most complex option to configure and troubleshoot.
Quick Comparison
| Mode | Difficulty | Real Client IP at Origin? | Origin OS | Origin Setup |
|---|---|---|---|---|
| Reverse Proxy | EASY | No | Any | None |
| Reverse Proxy + PROXY Protocol | MEDIUM | Yes (via header) | Any | Configure PROXY v2 on listener |
| GRE Tunnel | ADVANCED | Yes (at IP layer) | Linux/BSD/router | Run GRE setup script |
| FOU Tunnel | ADVANCED | Yes (at IP layer) | Linux only | Run FOU setup script |