Some implementations like go-proxyproto have implemented a policy system for making it possible to accept connections without PROXY protocol, while only accepting the header from trusted hosts. This is what Traefik uses and Caddy is changing to in their 2.8 release.

While documenting PROXY protocol support on a project, one of the reviewers referenced the PROXY protocol specification with the MUST wording that forbids this approach:

MUST not try to guess whether the protocol header is present or not. This means that the protocol explicitly prevents port sharing between public and private access.

While the SHOULD encourages minimizing risk by restricting what hosts are trusted.

It would seem that if you manage what hosts are trustworthy, that's what matters here when accepting PROXY headers, but those same hosts could just as well not provide the PROXY header and not have PROXY protocol apply?

Isn't the only concern really that the receiver must not use the PROXY header when the connection is from an untrusted host? Perhaps the specification should be revised to be more flexible on that point?

References:

• go-proxyproto landed a policy feature roughly a year ago related to internal vs external traffic to the same port motivated by kubernetes deployments.
• On the project I contributed docs to, this issue raised a debate about a need for duplicating ports of a service just for separate PROXY protocol handling for similar reasons. While Dovecot can configure trusted hosts, Postfix seems to lack the equivalent feature (when PROXY protocol is enabled for a service port, the remote IP is already the client IP as would be expected).