diff --git a/go.mod b/go.mod
index d6e7a1e58..0ca9d5f4f 100644
--- a/go.mod
+++ b/go.mod
@@ -48,6 +48,7 @@ require (
 	github.com/open-policy-agent/opa v0.70.0
 	github.com/openzipkin/zipkin-go v0.4.3
 	github.com/peterbourgon/ff/v3 v3.4.0
+	github.com/pires/go-proxyproto v0.8.0
 	github.com/pomerium/csrf v1.7.0
 	github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524
 	github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46
diff --git a/go.sum b/go.sum
index ab58dd3cf..50e312d95 100644
--- a/go.sum
+++ b/go.sum
@@ -534,6 +534,8 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0
 github.com/pierrec/lz4/v4 v4.1.18/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/internal/autocert/manager.go b/internal/autocert/manager.go
index 8cd21e7da..0fe39794c 100644
--- a/internal/autocert/manager.go
+++ b/internal/autocert/manager.go
@@ -17,6 +17,7 @@ import (
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/v2/acme"
+	"github.com/pires/go-proxyproto"
 	"github.com/rs/zerolog"
 	"github.com/pomerium/pomerium/config"
@@ -340,8 +341,22 @@ func (mgr *Manager) updateServer(ctx context.Context, cfg *config.Config) {
 		}),
 	}
 	go func() {
+		li, err := net.Listen("tcp", cfg.Options.HTTPRedirectAddr)
+		if err != nil {
+			log.Ctx(ctx).Error().Err(err).Msg("failed to listen on http redirect addr")
+			return
+		}
+		defer li.Close()
+
+		if cfg.Options.UseProxyProtocol {
+			li = &proxyproto.Listener{
+				Listener:          li,
+				ReadHeaderTimeout: 10 * time.Second,
+			}
+		}
+
 		log.Ctx(ctx).Info().Str("addr", hsrv.Addr).Msg("starting http redirect server")
-		err := hsrv.ListenAndServe()
+		err = hsrv.Serve(li)
 		if err != nil {
 			log.Ctx(ctx).Error().Err(err).Msg("failed to run http redirect server")
 		}
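Review bot: The `proxyproto.Listener` built under `if cfg.Options.UseProxyProtocol` sets only `ReadHeaderTimeout`, so with the library's default policy a PROXY header is honoured from whichever peer sends it and the remote address the redirect server sees becomes caller-supplied; that is only safe if this listener is reachable solely through the trusted proxy, and the hunk does not record that assumption. If the project applies a trusted-source `Policy` to its other proxy-protocol listeners (not visible here), the same should be applied to this one; otherwise add a comment above the literal such as `// No Policy is set: a PROXY header is accepted from any peer, so this listener must only be exposed behind the trusted proxy.` The `10 * time.Second` timeout would also read better as a named constant next to the other redirect-server settings. Note that `defer li.Close()` captures the raw TCP listener before it is wrapped, while `hsrv.Serve` closes the wrapper itself on return, so the defer is redundant but harmless. The enclosing `updateServer` and its goroutine both continue outside the hunk.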