Forum Discussion
Proxy Protocol via iRule --> how to implement v2
We are trying to implement proxy protocol (for use with SAP Web Dispatcher) and have this iRule:
    when CLIENT_ACCEPTED {
        set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }
    when SERVER_CONNECTED {
        TCP::respond $proxyheader
    }
It's working perfectly fine, which we checked via tcpdump.
Problem is that we need Proxy protocol version 2 (binary header format) for the SAP solution.
Is there any way to make the F5 Big-IP Proxy Protocol Initiator for version 2?
- cjuniorNacreous
Hi,
I have no experience with that, but I found this:
https://support.f5.com/csp/article/K40512493
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
https://github.com/ably/proxy-protocol-v2
Are you working with IPv4 and TCP?
Maybe this:
    when CLIENT_ACCEPTED {
        # Protocol signature (12 bytes)
        set headerHex "0d0a0d0a000d0a515549540a"
        # Version 2 (high nibble), command PROXY (low nibble 0x1);
        # with LOCAL (0x0) the receiver ignores the address block
        append headerHex "21"
        # IPv4 and TCP
        append headerHex "11"
        # Address block length 12, 16-bit in network byte order
        append headerHex "000c"
        # Source IPv4 as hex
        foreach oct [split [IP::remote_addr] "."] {
            append headerHex [format %02x $oct]
        }
        # Destination IPv4 as hex
        foreach oct [split [IP::local_addr] "."] {
            append headerHex [format %02x $oct]
        }
        # Source port as hex
        append headerHex [format %04x [TCP::remote_port]]
        # Destination port as hex
        append headerHex [format %04x [TCP::local_port]]
    }
    when SERVER_CONNECTED {
        # Write the header as raw bytes
        TCP::respond [binary format H* $headerHex]
    }
Please allow me to be wrong with that example code, as it is just a shot.
If necessary, I think you can run proxy-protocol-v2 as node.js libraries in iRuleLX.
Kind regards.
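Added example, not part of the original thread and not F5 or SAP code: a Python check for the first bytes of a server-side flow (for instance, copied out of a tcpdump capture), decoding the v2 fixed header and reporting the mistakes that make a receiver stall or discard the client address. The function names, addresses and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = bytes.fromhex("0d0a0d0a000d0a515549540a")  # 12-byte v2 signature

def build_v2_tcp4(src, dst, sport, dport):
    """Reference header: version 2, PROXY command, TCP over IPv4."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body = addrs + struct.pack("!HH", sport, dport)
    return SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body

def check_v2_header(data):
    """Return (fields, problems) for bytes seen at the start of a backend connection."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        return {}, ["missing or truncated v2 signature"]
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    fields = {"version": ver_cmd >> 4, "command": ver_cmd & 0x0F,
              "family_proto": fam_proto, "length": length}
    problems = []
    if fields["version"] != 2:
        problems.append("version nibble is not 2")
    if fields["command"] == 0x0:
        problems.append("command is LOCAL: receiver ignores the address block")
    elif fields["command"] != 0x1:
        problems.append("unknown command nibble")
    if fam_proto == 0x11 and length < 12:
        problems.append("length below 12 for TCP over IPv4")
    if len(data) < 16 + length:
        problems.append(f"length field says {length} bytes, only {len(data) - 16} present")
        return fields, problems
    if fam_proto == 0x11 and length >= 12:
        src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
        fields.update(src=str(ipaddress.IPv4Address(src)),
                      dst=str(ipaddress.IPv4Address(dst)), sport=sport, dport=dport)
    return fields, problems

# Constructed samples: a valid header followed by the first TLS bytes, and a
# header with the LOCAL command and a byte-swapped length field.
GOOD = build_v2_tcp4("203.0.113.7", "10.0.0.10", 51000, 443) + b"\x16\x03\x01"
BAD = SIGNATURE + bytes.fromhex("20110c00") + GOOD[16:28]

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_v2_header(sample))
```

A length field larger than what the sender actually transmits leaves the receiver waiting for the rest of the header, which looks like a connection that never completes.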
- Lukas_ZieglerNimbostratus
Hi, thanks for your answer.
I tried your iRule, but with that enabled there is no communication at all.
We are using an HTTPS virtual server. As we do not want to terminate the SSL traffic on the F5, we can't use X-Forwarded-For. That's why we wanted to use proxy protocol (which is working fine from the F5 side for v1, but the SAP side only supports v2).
I'm happy about any other opinions or ideas.
Kind regards.
- Sachin-GargAltostratus
- Lukas_ZieglerNimbostratus
I did, but this is for the proxy protocol receiver. What I need is for the F5 to be the Initiator, so as to provide the end-system with the actual client IP address, and not to receive proxy protocol messages.
- Sachin-GargAltostratus
Can you please share your VIP configuration details and the iRule details so that we can look at the issue more closely?
Also, are you using RabbitMQ instances?
If yes then you need
To enable this support on an F5 LTM, perform the following steps:
Enable proxy_protocol on your RabbitMQ instances.
    {rabbit,[
        {proxy_protocol, true}
    ]}
On the F5 appliance, create an iRule with the following contents:
    when CLIENT_ACCEPTED {
        set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }
    when SERVER_CONNECTED {
        TCP::respond $proxyheader
    }
https://devcentral.f5.com/codeshare/proxy-protocol-initiator
Apply this iRule to your AMQP Virtual Server(s). Note, this does require a TCP profile to be applied, so a 'Standard' Virtual Server will need to be used.
That's it! You should now see your client connection information!
Without Proxy Protocol enabled
(This IP is within the snat pool on the virtual server)