From b5a931c96e15d6426834370d753f0d53eded9120 Mon Sep 17 00:00:00 2001
From: Pallavi Kumari <pallavilpmt1995@gmail.com>
Date: Thu, 23 Oct 2025 23:07:26 +0530
Subject: [PATCH 1/5] UI and backend update to add proxy protocol support

---
 server/db/sqlite/schema/schema.ts             |   5 +-
 server/routers/resource/updateResource.ts     |   5 +-
 .../resources/[niceId]/proxy/page.tsx         | 164 +++++++++++++++---
 3 files changed, 147 insertions(+), 27 deletions(-)

diff --git a/server/db/sqlite/schema/schema.ts b/server/db/sqlite/schema/schema.ts
index 2c19a1c7..415ce80b 100644
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -114,7 +114,10 @@ export const resources = sqliteTable("resources", {
     skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
         onDelete: "cascade"
     }),
-    headers: text("headers") // comma-separated list of headers to add to the request
+    headers: text("headers"), // comma-separated list of headers to add to the request
+    proxyProtocol: integer("proxyProtocol", { mode: "boolean" }).notNull().default(false),
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
+
 });
 
 export const targets = sqliteTable("targets", {
diff --git a/server/routers/resource/updateResource.ts b/server/routers/resource/updateResource.ts
index a9c3b5de..13c5220d 100644
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -99,8 +99,9 @@ const updateRawResourceBodySchema = z
         name: z.string().min(1).max(255).optional(),
         proxyPort: z.number().int().min(1).max(65535).optional(),
         stickySession: z.boolean().optional(),
-        enabled: z.boolean().optional()
-        // enableProxy: z.boolean().optional() // always true now
+        enabled: z.boolean().optional(),
+        proxyProtocol: z.boolean().optional(),
+        proxyProtocolVersion: z.number().int().min(1).optional()
     })
     .strict()
     .refine((data) => Object.keys(data).length > 0, {
diff --git a/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
index 9588e0c8..5af5b318 100644
--- a/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
@@ -77,7 +77,8 @@ import {
     MoveRight,
     ArrowUp,
     Info,
-    ArrowDown
+    ArrowDown,
+    AlertTriangle
 } from "lucide-react";
 import { ContainersSelector } from "@app/components/ContainersSelector";
 import { useTranslations } from "next-intl";
@@ -115,6 +116,7 @@ import {
     TooltipProvider,
     TooltipTrigger
 } from "@app/components/ui/tooltip";
+import { Alert, AlertDescription } from "@app/components/ui/alert";
 
 const addTargetSchema = z
     .object({
@@ -288,7 +290,9 @@ export default function ReverseProxyTargets(props: {
             ),
         headers: z
             .array(z.object({ name: z.string(), value: z.string() }))
-            .nullable()
+            .nullable(),
+        proxyProtocol: z.boolean().optional(),
+        proxyProtocolVersion: z.number().int().min(1).max(2).optional()
     });
 
     const tlsSettingsSchema = z.object({
@@ -325,7 +329,9 @@ export default function ReverseProxyTargets(props: {
         resolver: zodResolver(proxySettingsSchema),
         defaultValues: {
             setHostHeader: resource.setHostHeader || "",
-            headers: resource.headers
+            headers: resource.headers,
+            proxyProtocol: resource.proxyProtocol || false,
+            proxyProtocolVersion: resource.proxyProtocolVersion || 1
         }
     });
 
@@ -549,11 +555,11 @@ export default function ReverseProxyTargets(props: {
                     prev.map((t) =>
                         t.targetId === target.targetId
                             ? {
-                                  ...t,
-                                  targetId: response.data.data.targetId,
-                                  new: false,
-                                  updated: false
-                              }
+                                ...t,
+                                targetId: response.data.data.targetId,
+                                new: false,
+                                updated: false
+                            }
                             : t
                     )
                 );
@@ -673,11 +679,11 @@ export default function ReverseProxyTargets(props: {
             targets.map((target) =>
                 target.targetId === targetId
                     ? {
-                          ...target,
-                          ...data,
-                          updated: true,
-                          siteType: site ? site.type : target.siteType
-                      }
+                        ...target,
+                        ...data,
+                        updated: true,
+                        siteType: site ? site.type : target.siteType
+                    }
                     : target
             )
         );
@@ -688,10 +694,10 @@ export default function ReverseProxyTargets(props: {
             targets.map((target) =>
                 target.targetId === targetId
                     ? {
-                          ...target,
-                          ...config,
-                          updated: true
-                      }
+                        ...target,
+                        ...config,
+                        updated: true
+                    }
                     : target
             )
         );
@@ -800,6 +806,22 @@ export default function ReverseProxyTargets(props: {
                     setHostHeader: proxyData.setHostHeader || null,
                     headers: proxyData.headers || null
                 });
+            } else {
+                // For TCP/UDP resources, save proxy protocol settings
+                const proxyData = proxySettingsForm.getValues();
+                
+                const payload = {
+                    proxyProtocol: proxyData.proxyProtocol || false,
+                    proxyProtocolVersion: proxyData.proxyProtocolVersion || 1
+                };
+
+                await api.post(`/resource/${resource.resourceId}`, payload);
+
+                updateResource({
+                    ...resource,
+                    proxyProtocol: proxyData.proxyProtocol || false,
+                    proxyProtocolVersion: proxyData.proxyProtocolVersion || 1
+                });
             }
 
             toast({
@@ -1064,7 +1086,7 @@ export default function ReverseProxyTargets(props: {
                                         className={cn(
                                             "w-[180px] justify-between text-sm border-r pr-4 rounded-none h-8 hover:bg-transparent",
                                             !row.original.siteId &&
-                                                "text-muted-foreground"
+                                            "text-muted-foreground"
                                         )}
                                     >
                                         <span className="truncate max-w-[150px]">
@@ -1404,12 +1426,12 @@ export default function ReverseProxyTargets(props: {
                                                                 {header.isPlaceholder
                                                                     ? null
                                                                     : flexRender(
-                                                                          header
-                                                                              .column
-                                                                              .columnDef
-                                                                              .header,
-                                                                          header.getContext()
-                                                                      )}
+                                                                        header
+                                                                            .column
+                                                                            .columnDef
+                                                                            .header,
+                                                                        header.getContext()
+                                                                    )}
                                                             </TableHead>
                                                         )
                                                     )}
@@ -1675,6 +1697,100 @@ export default function ReverseProxyTargets(props: {
                 </SettingsSection>
             )}
 
+            {!resource.http && resource.protocol && (
+                <SettingsSection>
+                    <SettingsSectionHeader>
+                        <SettingsSectionTitle>
+                            Proxy Protocol Settings
+                        </SettingsSectionTitle>
+                        <SettingsSectionDescription>
+                            Configure Proxy Protocol to preserve client IP addresses for TCP/UDP services.
+                        </SettingsSectionDescription>
+                    </SettingsSectionHeader>
+                    <SettingsSectionBody>
+                        <SettingsSectionForm>
+                            <Form {...proxySettingsForm}>
+                                <form
+                                    onSubmit={proxySettingsForm.handleSubmit(
+                                        saveAllSettings
+                                    )}
+                                    className="space-y-4"
+                                    id="proxy-protocol-settings-form"
+                                >
+                                    <FormField
+                                        control={proxySettingsForm.control}
+                                        name="proxyProtocol"
+                                        render={({ field }) => (
+                                            <FormItem>
+                                                <FormControl>
+                                                    <SwitchInput
+                                                        id="proxy-protocol-toggle"
+                                                        label="Enable Proxy Protocol"
+                                                        description="Preserve client IP addresses for TCP/UDP backends"
+                                                        defaultChecked={
+                                                            field.value || false
+                                                        }
+                                                        onCheckedChange={(val) => {
+                                                            field.onChange(val);
+                                                        }}
+                                                    />
+                                                </FormControl>
+                                            </FormItem>
+                                        )}
+                                    />
+                                    
+                                    {proxySettingsForm.watch("proxyProtocol") && (
+                                        <>
+                                            <FormField
+                                                control={proxySettingsForm.control}
+                                                name="proxyProtocolVersion"
+                                                render={({ field }) => (
+                                                    <FormItem>
+                                                        <FormLabel>Proxy Protocol Version</FormLabel>
+                                                        <FormControl>
+                                                            <Select
+                                                                value={String(field.value || 1)}
+                                                                onValueChange={(value) =>
+                                                                    field.onChange(parseInt(value, 10))
+                                                                }
+                                                            >
+                                                                <SelectTrigger>
+                                                                    <SelectValue placeholder="Select version" />
+                                                                </SelectTrigger>
+                                                                <SelectContent>
+                                                                    <SelectItem value="1">
+                                                                        Version 1 (Recommended)
+                                                                    </SelectItem>
+                                                                    <SelectItem value="2">
+                                                                        Version 2
+                                                                    </SelectItem>
+                                                                </SelectContent>
+                                                            </Select>
+                                                        </FormControl>
+                                                        <FormDescription>
+                                                            Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible.
+                                                        </FormDescription>
+                                                    </FormItem>
+                                                )}
+                                            />
+
+                                            <Alert>
+                                                <AlertTriangle className="h-4 w-4" />
+                                                <AlertDescription>
+                                                    <strong>Warning:</strong> Your backend application must be configured to accept Proxy Protocol connections. 
+                                                    If your backend doesn't support Proxy Protocol, enabling this will break all connections. 
+                                                    Make sure to configure your backend to trust Proxy Protocol headers from Traefik.
+                                                </AlertDescription>
+                                            </Alert>
+                                        </>
+                                    )}
+                                </form>
+                            </Form>
+                        </SettingsSectionForm>
+                    </SettingsSectionBody>
+                </SettingsSection>
+            )}
+
             <div className="flex justify-end mt-6">
                 <Button
                     onClick={saveAllSettings}

From ac683c3ff761c3eab684515fbdeddc813d50f727 Mon Sep 17 00:00:00 2001
From: Pallavi Kumari <pallavilpmt1995@gmail.com>
Date: Thu, 23 Oct 2025 23:24:42 +0530
Subject: [PATCH 2/5] add pg schema for proxy protocol

---
 server/db/pg/schema/schema.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/db/pg/schema/schema.ts b/server/db/pg/schema/schema.ts
index 2e307c5f..1d1ca200 100644
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -102,7 +102,9 @@ export const resources = pgTable("resources", {
     skipToIdpId: integer("skipToIdpId").references(() => idp.idpId, {
         onDelete: "cascade"
     }),
-    headers: text("headers") // comma-separated list of headers to add to the request
+    headers: text("headers"), // comma-separated list of headers to add to the request
+    proxyProtocol: boolean("proxyProtocol").notNull().default(false),
+    proxyProtocolVersion: integer("proxyProtocolVersion").default(1)
 });
 
 export const targets = pgTable("targets", {

From 58b6ab26013399422dc2e31366cc27d385008f5b Mon Sep 17 00:00:00 2001
From: Pallavi Kumari <pallavilpmt1995@gmail.com>
Date: Fri, 24 Oct 2025 15:56:46 +0530
Subject: [PATCH 3/5] Implement Proxy Protocol handling in Traefik config
 generator

---
 server/lib/traefik/getTraefikConfig.ts | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts
index 5916d026..f7f56a9a 100644
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -56,6 +56,8 @@ export async function getTraefikConfig(
             setHostHeader: resources.setHostHeader,
             enableProxy: resources.enableProxy,
             headers: resources.headers,
+            proxyProtocol: resources.proxyProtocol,
+            proxyProtocolVersion: resources.proxyProtocolVersion,
             // Target fields
             targetId: targets.targetId,
             targetEnabled: targets.enabled,
@@ -164,6 +166,8 @@ export async function getTraefikConfig(
                 enableProxy: row.enableProxy,
                 targets: [],
                 headers: row.headers,
+                proxyProtocol: row.proxyProtocol,
+                proxyProtocolVersion: row.proxyProtocolVersion ?? 1,
                 path: row.path, // the targets will all have the same path
                 pathMatchType: row.pathMatchType, // the targets will all have the same pathMatchType
                 rewritePath: row.rewritePath,
@@ -562,6 +566,8 @@ export async function getTraefikConfig(
                 ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
             };
 
+            const serversTransportName = `${key}-proxy-protocol-transport`;
+
             config_output[protocol].services[serviceName] = {
                 loadBalancer: {
                     servers: (() => {
@@ -615,6 +621,9 @@ export async function getTraefikConfig(
                                 }
                             });
                     })(),
+                    ...(resource.proxyProtocol
+                        ? { serversTransport: serversTransportName }
+                        : {}),
                     ...(resource.stickySession
                         ? {
                               sticky: {
@@ -627,6 +636,23 @@ export async function getTraefikConfig(
                         : {})
                 }
             };
+
+            // Add serversTransport configuration if proxy protocol is enabled
+            if (resource.proxyProtocol) {
+                if (!config_output[protocol].serversTransports) {
+                    config_output[protocol].serversTransports = {};
+                }
+                
+                config_output[protocol].serversTransports[serversTransportName] = {
+                    proxyProtocol: {
+                        version: resource.proxyProtocolVersion || 1
+                    }
+                };
+
+                logger.debug(
+                    `Enabled Proxy Protocol v${resource.proxyProtocolVersion || 1} for ${protocol} resource ${resource.resourceId} (${resource.name})`
+                );
+            }
         }
     }
     return config_output;

From 0743daf56ab8dc1b6ad6b352638e66bc37306b59 Mon Sep 17 00:00:00 2001
From: Pallavi Kumari <pallavilpmt1995@gmail.com>
Date: Fri, 24 Oct 2025 16:30:34 +0530
Subject: [PATCH 4/5] add en-US for proxy protocol

---
 messages/en-US.json                           | 14 ++++++++--
 .../resources/[niceId]/proxy/page.tsx         | 28 ++++++++++---------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/messages/en-US.json b/messages/en-US.json
index 4cffaf98..f9b2c4c7 100644
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -1891,5 +1891,15 @@
     "cannotbeUndone": "This can not be undone.",
     "toConfirm": "to confirm",
     "deleteClientQuestion": "Are you sure you want to remove the client from the site and organization?",
-    "clientMessageRemove": "Once removed, the client will no longer be able to connect to the site."
-}
+    "clientMessageRemove": "Once removed, the client will no longer be able to connect to the site.",
+    "proxyProtocol": "Proxy Protocol Settings",
+    "proxyProtocolDescription": "Configure Proxy Protocol to preserve client IP addresses for TCP/UDP services.",
+    "enableProxyProtocol": "Enable Proxy Protocol",
+    "proxyProtocolInfo": "Preserve client IP addresses for TCP/UDP backends",
+    "proxyProtocolVersion": "Proxy Protocol Version",
+    "version1": " Version 1 (Recommended)",
+    "version2": "Version 2",
+    "versionDescription": "Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible.",
+    "warning": "Warning",
+    "proxyProtocolWarning": "Your backend application must be configured to accept Proxy Protocol connections. If your backend doesn't support Proxy Protocol, enabling this will break all connections. Make sure to configure your backend to trust Proxy Protocol headers from Traefik."
+}
\ No newline at end of file
diff --git a/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx b/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
index 5af5b318..5ef2ccd5 100644
--- a/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/[niceId]/proxy/page.tsx
@@ -809,7 +809,7 @@ export default function ReverseProxyTargets(props: {
             } else {
                 // For TCP/UDP resources, save proxy protocol settings
                 const proxyData = proxySettingsForm.getValues();
-                
+
                 const payload = {
                     proxyProtocol: proxyData.proxyProtocol || false,
                     proxyProtocolVersion: proxyData.proxyProtocolVersion || 1
@@ -1701,10 +1701,10 @@ export default function ReverseProxyTargets(props: {
                 <SettingsSection>
                     <SettingsSectionHeader>
                         <SettingsSectionTitle>
-                            Proxy Protocol Settings
+                            {t("proxyProtocol")}
                         </SettingsSectionTitle>
                         <SettingsSectionDescription>
-                            Configure Proxy Protocol to preserve client IP addresses for TCP/UDP services.
+                            {t("proxyProtocolDescription")}
                         </SettingsSectionDescription>
                     </SettingsSectionHeader>
                     <SettingsSectionBody>
@@ -1725,8 +1725,12 @@ export default function ReverseProxyTargets(props: {
                                                 <FormControl>
                                                     <SwitchInput
                                                         id="proxy-protocol-toggle"
-                                                        label="Enable Proxy Protocol"
-                                                        description="Preserve client IP addresses for TCP/UDP backends"
+                                                        label={t(
+                                                            "enableProxyProtocol"
+                                                        )}
+                                                        description={t(
+                                                            "proxyProtocolInfo"
+                                                        )}
                                                         defaultChecked={
                                                             field.value || false
                                                         }
@@ -1738,7 +1742,7 @@ export default function ReverseProxyTargets(props: {
                                             </FormItem>
                                         )}
                                     />
-                                    
+
                                     {proxySettingsForm.watch("proxyProtocol") && (
                                         <>
                                             <FormField
@@ -1746,7 +1750,7 @@ export default function ReverseProxyTargets(props: {
                                                 name="proxyProtocolVersion"
                                                 render={({ field }) => (
                                                     <FormItem>
-                                                        <FormLabel>Proxy Protocol Version</FormLabel>
+                                                        <FormLabel>{t("proxyProtocolVersion")}</FormLabel>
                                                         <FormControl>
                                                             <Select
                                                                 value={String(field.value || 1)}
@@ -1759,16 +1763,16 @@ export default function ReverseProxyTargets(props: {
                                                                 </SelectTrigger>
                                                                 <SelectContent>
                                                                     <SelectItem value="1">
-                                                                        Version 1 (Recommended)
+                                                                        {t("version1")}
                                                                     </SelectItem>
                                                                     <SelectItem value="2">
-                                                                        Version 2
+                                                                        {t("version2")}
                                                                     </SelectItem>
                                                                 </SelectContent>
                                                             </Select>
                                                         </FormControl>
                                                         <FormDescription>
-                                                            Version 1 is text-based and widely supported. Version 2 is binary and more efficient but less compatible.
+                                                            {t("versionDescription")}
                                                         </FormDescription>
                                                     </FormItem>
                                                 )}
@@ -1777,9 +1781,7 @@ export default function ReverseProxyTargets(props: {
                                             <Alert>
                                                 <AlertTriangle className="h-4 w-4" />
                                                 <AlertDescription>
-                                                    <strong>Warning:</strong> Your backend application must be configured to accept Proxy Protocol connections. 
-                                                    If your backend doesn't support Proxy Protocol, enabling this will break all connections. 
-                                                    Make sure to configure your backend to trust Proxy Protocol headers from Traefik.
+                                                    <strong>{t("warning")}:</strong> {t("proxyProtocolWarning")}
                                                 </AlertDescription>
                                             </Alert>
                                         </>

From 85270f497a0cba587f6c86c81926cdf0a7df27dc Mon Sep 17 00:00:00 2001
From: Owen <owen@txv.io>
Date: Sun, 26 Oct 2025 18:15:39 -0700
Subject: [PATCH 5/5] Restrict raw resources and use st from config

---
 install/config/traefik/dynamic_config.yml     |  9 ++++++
 server/lib/traefik/TraefikConfigManager.ts    | 27 +++++++++++++----
 server/lib/traefik/getTraefikConfig.ts        | 30 +++++--------------
 .../private/lib/traefik/getTraefikConfig.ts   | 10 +++++--
 server/private/routers/hybrid.ts              |  3 +-
 .../routers/traefik/traefikConfigProvider.ts  |  3 +-
 6 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/install/config/traefik/dynamic_config.yml b/install/config/traefik/dynamic_config.yml
index 8fcf8e55..f795016b 100644
--- a/install/config/traefik/dynamic_config.yml
+++ b/install/config/traefik/dynamic_config.yml
@@ -51,3 +51,12 @@ http:
       loadBalancer:
         servers:
           - url: "http://pangolin:3000"  # API/WebSocket server
+
+tcp:
+  serversTransports:
+    pp-transport-v1:
+      proxyProtocol:
+        version: 1
+    pp-transport-v2:
+      proxyProtocol:
+        version: 2
\ No newline at end of file
diff --git a/server/lib/traefik/TraefikConfigManager.ts b/server/lib/traefik/TraefikConfigManager.ts
index ec4e25f4..56648559 100644
--- a/server/lib/traefik/TraefikConfigManager.ts
+++ b/server/lib/traefik/TraefikConfigManager.ts
@@ -309,10 +309,7 @@ export class TraefikConfigManager {
                 this.lastActiveDomains = new Set(domains);
             }
 
-            if (
-                process.env.USE_PANGOLIN_DNS === "true" &&
-                build != "oss"
-            ) {
+            if (process.env.USE_PANGOLIN_DNS === "true" && build != "oss") {
                 // Scan current local certificate state
                 this.lastLocalCertificateState =
                     await this.scanLocalCertificateState();
@@ -450,7 +447,8 @@ export class TraefikConfigManager {
                 currentExitNode,
                 config.getRawConfig().traefik.site_types,
                 build == "oss", // filter out the namespace domains in open source
-                build != "oss" // generate the login pages on the cloud and hybrid
+                build != "oss", // generate the login pages on the cloud and hybrid,
+                build == "saas" ? false : config.getRawConfig().traefik.allow_raw_resources // dont allow raw resources on saas otherwise use config
             );
 
             const domains = new Set<string>();
@@ -502,6 +500,25 @@ export class TraefikConfigManager {
                 };
             }
 
+            // tcp:
+            //     serversTransports:
+            //         pp-transport-v1:
+            //         proxyProtocol:
+            //             version: 1
+            //         pp-transport-v2:
+            //         proxyProtocol:
+            //             version: 2
+
+            if (build != "saas") {
+                // add the serversTransports section if not present
+                if (traefikConfig.tcp && !traefikConfig.tcp.serversTransports) {
+                    traefikConfig.tcp.serversTransports = {
+                        "pp-transport-v1": { proxyProtocol: { version: 1 } },
+                        "pp-transport-v2": { proxyProtocol: { version: 2 } }
+                    };
+                }
+            }
+
             return { domains, traefikConfig };
         } catch (error) {
             // pull data out of the axios error to log
diff --git a/server/lib/traefik/getTraefikConfig.ts b/server/lib/traefik/getTraefikConfig.ts
index f7f56a9a..39a12156 100644
--- a/server/lib/traefik/getTraefikConfig.ts
+++ b/server/lib/traefik/getTraefikConfig.ts
@@ -23,7 +23,8 @@ export async function getTraefikConfig(
     exitNodeId: number,
     siteTypes: string[],
     filterOutNamespaceDomains = false,
-    generateLoginPageRouters = false
+    generateLoginPageRouters = false,
+    allowRawResources = true
 ): Promise<any> {
     // Define extended target type with site information
     type TargetWithSite = Target & {
@@ -103,7 +104,7 @@ export async function getTraefikConfig(
                     isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
                 ),
                 inArray(sites.type, siteTypes),
-                config.getRawConfig().traefik.allow_raw_resources
+                allowRawResources
                     ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
                     : eq(resources.http, true)
             )
@@ -566,8 +567,6 @@ export async function getTraefikConfig(
                 ...(protocol === "tcp" ? { rule: "HostSNI(`*`)" } : {})
             };
 
-            const serversTransportName = `${key}-proxy-protocol-transport`;
-
             config_output[protocol].services[serviceName] = {
                 loadBalancer: {
                     servers: (() => {
@@ -621,8 +620,10 @@ export async function getTraefikConfig(
                                 }
                             });
                     })(),
-                    ...(resource.proxyProtocol
-                        ? { serversTransport: serversTransportName }
+                    ...(resource.proxyProtocol && protocol == "tcp"
+                        ? {
+                              serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
+                          }
                         : {}),
                     ...(resource.stickySession
                         ? {
@@ -636,23 +637,6 @@ export async function getTraefikConfig(
                         : {})
                 }
             };
-
-            // Add serversTransport configuration if proxy protocol is enabled
-            if (resource.proxyProtocol) {
-                if (!config_output[protocol].serversTransports) {
-                    config_output[protocol].serversTransports = {};
-                }
-                
-                config_output[protocol].serversTransports[serversTransportName] = {
-                    proxyProtocol: {
-                        version: resource.proxyProtocolVersion || 1
-                    }
-                };
-
-                logger.debug(
-                    `Enabled Proxy Protocol v${resource.proxyProtocolVersion || 1} for ${protocol} resource ${resource.resourceId} (${resource.name})`
-                );
-            }
         }
     }
     return config_output;
diff --git a/server/private/lib/traefik/getTraefikConfig.ts b/server/private/lib/traefik/getTraefikConfig.ts
index 881e4632..27a980dd 100644
--- a/server/private/lib/traefik/getTraefikConfig.ts
+++ b/server/private/lib/traefik/getTraefikConfig.ts
@@ -50,7 +50,8 @@ export async function getTraefikConfig(
     exitNodeId: number,
     siteTypes: string[],
     filterOutNamespaceDomains = false,
-    generateLoginPageRouters = false
+    generateLoginPageRouters = false,
+    allowRawResources = true
 ): Promise<any> {
     // Define extended target type with site information
     type TargetWithSite = Target & {
@@ -135,7 +136,7 @@ export async function getTraefikConfig(
                     isNull(targetHealthCheck.hcHealth) // Include targets with no health check record
                 ),
                 inArray(sites.type, siteTypes),
-                config.getRawConfig().traefik.allow_raw_resources
+                allowRawResources
                     ? isNotNull(resources.http) // ignore the http check if allow_raw_resources is true
                     : eq(resources.http, true)
             )
@@ -688,6 +689,11 @@ export async function getTraefikConfig(
                                 }
                             });
                     })(),
+                    ...(resource.proxyProtocol && protocol == "tcp" // proxy protocol only works for tcp
+                        ? {
+                              serversTransport: `pp-transport-v${resource.proxyProtocolVersion || 1}`
+                          }
+                        : {}),
                     ...(resource.stickySession
                         ? {
                               sticky: {
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index df99df92..abfbd02f 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -270,7 +270,8 @@ hybridRouter.get(
                 remoteExitNode.exitNodeId,
                 ["newt", "local", "wireguard"], // Allow them to use all the site types
                 true, // But don't allow domain namespace resources
-                false // Dont include login pages
+                false, // Dont include login pages,
+                true // allow raw resources
             );
 
             return response(res, {
diff --git a/server/routers/traefik/traefikConfigProvider.ts b/server/routers/traefik/traefikConfigProvider.ts
index 6c9404e9..9b12ed8a 100644
--- a/server/routers/traefik/traefikConfigProvider.ts
+++ b/server/routers/traefik/traefikConfigProvider.ts
@@ -21,7 +21,8 @@ export async function traefikConfigProvider(
             currentExitNodeId,
             config.getRawConfig().traefik.site_types,
             build == "oss", // filter out the namespace domains in open source
-            build != "oss" // generate the login pages on the cloud and hybrid
+            build != "oss", // generate the login pages on the cloud and and enterprise,
+            config.getRawConfig().traefik.allow_raw_resources
         );
 
         if (traefikConfig?.http?.middlewares) {