Layer 4 proxy forwards TCP and UDP traffic from edge ports to your origin server, improving application performance and security. Use Layer 4 proxy for scenarios that rely on direct Layer 4 protocol connections, such as real-time competitive games and real-time audio and video interactions.
How it works
When you create a Layer 4 proxy application, you configure a domain name that resolves to an acceleration IP address. Clients use this IP address to send TCP or UDP requests to the edge ports that you specify. Each proxy rule in the application maps an edge port to an origin server port, and the Layer 4 proxy forwards traffic to your origin server. You can optionally use PROXY Protocol to pass the original client IP and port information to the origin server.
Considerations
Before you configure Layer 4 proxy, note the following:
Plan requirement — Layer 4 proxy is available only for Enterprise plan users.
Domain name conflicts — Layer 4 proxy domain names must not conflict with Layer 7 acceleration domain names, load balancing domain names, or edge function domain names. If a domain name is already in use by any of these services, it cannot be added to a Layer 4 proxy application.
Rule limit — You can configure a maximum of 30 proxy rules within a single application.
Create a Layer 4 proxy application
If you have not activated the Enterprise plan, a plan upgrade prompt is displayed when you access the Layer 4 proxy configuration page. Click Upgrade To Enterprise to complete the plan upgrade, and then perform the following operations. If the plan cannot be upgraded through self-service, the message "Not supported by the plan. Contact your account manager." is displayed. Follow the on-screen instructions to contact sales for assistance.
Log on to the ESA console and navigate to the Layer 4 proxy page for your site.
Click Create Application and configure the parameters described in the following table.
Click OK.
The application appears in the Layer 4 proxy application list.
The following table describes the Layer 4 proxy application parameters.
| Parameter | Description |
| --- | --- |
| Domain | The domain name (hostname or record) for client access. This domain name resolves to an acceleration IP address, which clients use to send Layer 4 protocol requests. |
| IPv6 | When enabled, if the client is in an IPv6 environment and the nearest node supports IPv6 requests, the client can access the node using the IPv6 protocol. |
| WAF IP Access Control | When enabled, IP access rules configured in WAF apply to this Layer 4 proxy application. |
| Connection Keep-alive Protection | When enabled, connection disconnections are significantly reduced when DDoS full protection is active, with a minor impact on acceleration. A small number of requests may be briefly disconnected upon enabling. This configuration is automatically disabled when DDoS full protection expires. Note: Connection keep-alive protection cannot be used simultaneously with China mainland network optimization or fixed IP (IPv4) features, and DDoS full protection must be enabled globally before you can enable this feature. |
| Protocol | The Layer 4 protocol used by your application. Valid values: TCP and UDP. |
| Edge Port | The access port. You can configure single ports, multiple ports, and port ranges. Valid values: 1 to 65535. Multiple ports example: 80,81,82 (separated by commas). Port range example: 100-200 (connected by a hyphen). Combination example: 80,81,82,100-200. |
| Origin Server | The address of the origin server. You can specify an IP address, domain name, Object Storage, or load balancer. |
| Origin Server Port | The port of the origin server. When the edge port is a single port, the origin server port can be a single port or a port range. When the edge port is a port range, the origin server port must be a single port or a port range of the same length. If both ports are configured as port ranges with different port numbers, port offset mapping is used. For example, if the edge port is 3000-4000 and the origin server port is 5000-6000, connections to edge port 3050 are forwarded to origin server port 5050. |
| Client IP Passthrough | The proxy protocol for passing the original client IP and port information to the origin server. Default: Off. Proxy Protocol V1: Passes the client IP through TCP Header in ASCII text format. Supports TCP protocol only. Proxy Protocol V2: Passes the client IP through Header in binary format. Supports TCP and UDP protocols. Simple Proxy Protocol: Passes the client IP by inserting a special header in binary format. Supports UDP protocol only. |
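
With Client IP Passthrough set to Proxy Protocol V1 or V2, the origin sees the proxy as the TCP peer and has to read the client address from the header itself. The following origin-side parser is an added example, not ESA code: it assumes the headers follow the public PROXY protocol specification over TCP, and the function names, the `proxy_nets` parameter (the address ranges your proxy connects from) and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
# Constructed sample: a v1 header followed by the first application bytes.
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.1 56324 443\r\nHELLO"

def parse_proxy_header(data):
    """Return ((client_ip, client_port) or None, header_length).

    None means the header carries no client address (v1 UNKNOWN, v2 LOCAL).
    Raises ValueError if data does not begin with a complete, valid header."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        end = 16 + length
        if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1 or len(data) < end:
            raise ValueError("malformed v2 header")
        family = fam_proto >> 4
        if ver_cmd & 0x0F == 0 or family not in (1, 2):  # LOCAL, or not IPv4/IPv6
            return None, end
        alen = 4 if family == 1 else 16
        if length < 2 * alen + 4:
            raise ValueError("v2 address block too short")
        ip = ipaddress.ip_address(data[16:16 + alen])  # source address comes first
        (port,) = struct.unpack("!H", data[16 + 2 * alen:18 + 2 * alen])
        return (str(ip), port), end
    if data.startswith(b"PROXY "):
        eol = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes
        if eol < 0:
            raise ValueError("unterminated v1 header")
        fields = data[:eol].decode("ascii", "strict").split(" ")
        if fields[1] == "UNKNOWN":
            return None, eol + 2
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        ip, port = ipaddress.ip_address(fields[2]), int(fields[4])
        if ip.version != int(fields[1][3]) or not 0 <= port <= 65535:
            raise ValueError("bad v1 address or port")
        return (str(ip), port), eol + 2
    raise ValueError("no PROXY protocol header")

def client_address(peer_ip, data, proxy_nets):
    """Accept the header only from peers inside the proxy's address ranges."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in proxy_nets):
        raise PermissionError(f"{peer_ip} is not a trusted proxy")
    return parse_proxy_header(data)
```

The header is plain data that any peer can send, so the origin should accept connections on this port only from the proxy's addresses; otherwise a direct client can claim any source IP.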
Modify a Layer 4 proxy application
Log on to the ESA console and navigate to the Layer 4 proxy page for your site.
Find the application and click Edit in the Actions column.
Modify the configuration as needed. You can enable or disable IP Access Rules and modify Proxy Rules and their parameters.
When you add a proxy rule, make sure the edge port does not duplicate the edge port of any existing rule.
When you delete a proxy rule, make sure at least one rule remains in the application.
Click OK.
The modifications are saved.
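
The Edge Port syntax, the range-length requirement, the port offset mapping and the rule limits described on this page can be checked before a rule set is entered in the console. The following checker is an added example, not part of ESA: the function names and the rule tuple format are hypothetical, `origin_port` covers an edge port that is a single port or one contiguous range, and treating a port shared within the same protocol as a duplicate is an assumption.

```python
MAX_RULES = 30  # per-application rule limit stated on this page

def parse_ports(spec):
    """Expand a port value such as '80,81,82,100-200' into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port or range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def origin_port(edge_spec, origin_spec, port):
    """Origin port that receives a connection made to edge port `port`."""
    edge, origin = parse_ports(edge_spec), parse_ports(origin_spec)
    if port not in edge:
        raise ValueError(f"edge port {port} is not covered by {edge_spec!r}")
    if len(origin) == 1:
        return origin[0]
    if len(edge) == 1:
        raise ValueError("the page does not say which port of an origin range is used")
    if len(origin) != len(edge):
        raise ValueError("edge and origin ranges differ in length")
    return origin[0] + (port - edge[0])  # port offset mapping

def check_rules(rules):
    """rules: list of (protocol, edge_spec, origin_spec). Returns a list of problems."""
    problems, seen = [], {}
    if not 1 <= len(rules) <= MAX_RULES:
        problems.append(f"{len(rules)} rules; an application needs 1 to {MAX_RULES}")
    for i, (proto, edge_spec, origin_spec) in enumerate(rules, 1):
        edge, origin = parse_ports(edge_spec), parse_ports(origin_spec)
        if len(edge) > 1 and len(origin) not in (1, len(edge)):
            problems.append(f"rule {i}: origin range length differs from edge range")
        for p in edge:
            if (proto, p) in seen:  # assumption: duplicates are judged per protocol
                problems.append(f"rule {i}: {proto}/{p} already used by rule {seen[(proto, p)]}")
                break
            seen[(proto, p)] = i
    return problems
```

Running `check_rules` over the full rule list also gives a reviewable inventory of which origin ports each edge port exposes.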
Delete a Layer 4 proxy application
Log on to the ESA console and navigate to the Layer 4 proxy page for your site.
Find the application and click Delete in the Actions column.
Confirm the information in the dialog box, and then click Delete.
The application is removed from the Layer 4 proxy application list.