diff --git a/modules/caddyhttp/proxyprotocol/listenerwrapper.go b/modules/caddyhttp/proxyprotocol/listenerwrapper.go
index 69829ee1346..e0d9b86ceae 100644
--- a/modules/caddyhttp/proxyprotocol/listenerwrapper.go
+++ b/modules/caddyhttp/proxyprotocol/listenerwrapper.go
@@ -16,6 +16,7 @@ package proxyprotocol
 
 import (
 	"net"
+	"net/netip"
 	"time"
 
 	goproxy "github.com/pires/go-proxyproto"
@@ -37,12 +38,12 @@ type ListenerWrapper struct {
 	// Allow is an optional list of CIDR ranges to
 	// allow/require PROXY headers from.
 	Allow []string `json:"allow,omitempty"`
-	allow []*net.IPNet
+	allow []netip.Prefix
 
 	// Denby is an optional list of CIDR ranges to
 	// deny PROXY headers from.
 	Deny []string `json:"deny,omitempty"`
-	deny []*net.IPNet
+	deny []netip.Prefix
 
 	// Accepted values are: ignore, use, reject, require, skip
 	// default: ignore
@@ -55,27 +56,32 @@ type ListenerWrapper struct {
 // Provision sets up the listener wrapper.
 func (pp *ListenerWrapper) Provision(ctx caddy.Context) error {
 	for _, cidr := range pp.Allow {
-		_, ipnet, err := net.ParseCIDR(cidr)
+		ipnet, err := netip.ParsePrefix(cidr)
 		if err != nil {
 			return err
 		}
 		pp.allow = append(pp.allow, ipnet)
 	}
 	for _, cidr := range pp.Deny {
-		_, ipnet, err := net.ParseCIDR(cidr)
+		ipnet, err := netip.ParsePrefix(cidr)
 		if err != nil {
 			return err
 		}
 		pp.deny = append(pp.deny, ipnet)
 	}
 	pp.policy = func(upstream net.Addr) (goproxy.Policy, error) {
+		// trust unix sockets
+		if network := upstream.Network(); caddy.IsUnixNetwork(network) {
+			return goproxy.USE, nil
+		}
 		ret := pp.FallbackPolicy
 		host, _, err := net.SplitHostPort(upstream.String())
 		if err != nil {
 			return goproxy.REJECT, err
 		}
-		ip := net.ParseIP(host)
-		if ip == nil {
+
+		ip, err := netip.ParseAddr(host)
+		if err != nil {
 			return goproxy.REJECT, err
 		}
 		for _, ipnet := range pp.deny {
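Review bot: `ip, err := netip.ParseAddr(host)` changes which peers the deny/allow prefixes can match, because `netip.Prefix.Contains` returns false for an IPv4-mapped IPv6 address checked against an IPv4 prefix and for any address carrying an IPv6 zone, whereas the old `net.IPNet.Contains` unmapped 4-in-6 addresses and `net.ParseIP` rejected zoned strings outright. A zoned or mapped peer (whether such forms ever reach this closure depends on how the listener reports remote addresses) would therefore now skip both lists and fall through to FallbackPolicy rather than being denied or rejected; normalizing right after the parse, `ip = ip.Unmap().WithZone("")`, keeps the prefix matching as it was. The early `return goproxy.USE, nil` for unix networks also sits before the deny loop, so Deny and FallbackPolicy no longer apply to unix-socket peers — presumably intended since such peers are gated by socket file permissions, but the one-word comment should say so, e.g. `// Connections over unix sockets are always trusted: the peer is local and gated by socket file permissions, so Allow/Deny and FallbackPolicy do not apply to them.` The policy closure and the allow loop continue past the end of this hunk.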