For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Atkins's avatar
Chris_Atkins
Icon for Nimbostratus rankNimbostratus
Feb 13, 2020

Questions about proxy protocol iRule

So we have a proxy in front of our f5, which is incapable of using x-forwarding-for to give us the original source IP. We were looking at this proxy protocol iRule to resolve that, as they can do th...
application delivery
iRules
LTM
proxy
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Feb 16, 2020

> What I need to know is

> -does this replace the source IP for the packet before nat or after

This irule extracts the information from the PROXY protocol line (v1 or V2) and then deletes the PROXY protocol line from the request (at the TCP Data stage). It does not modify the source/destination address in any way.

> -does this take effect before the http profile does, and could then apply x-forwarded-for to the server side traffic

Yes - CLIENT_DATA events occur before the HTTP profile.

You can insert a X-Forwarded-For header into the request containing the source address as supplied by the upstream proxy device.

Something like the following (only extracting Proxy V1 information, but the same change would work with v2 data - $v2_sourceAddress)

#PROXY Protocol Receiver iRule
# c.jenison at f5.com (Chad Jenison)
# v2.0 - Added support for PROXY Protocol v2, control for v1,v2 or lack of proxy via static:: variables set in RULE_INIT
when RULE_INIT {
  set static::allowProxyV1 1
  set static::allowProxyV2 1
  set static::allowNoProxy 0
}
 
when CLIENT_ACCEPTED {
  TCP::collect
}
 
when CLIENT_DATA {
  binary scan [TCP::payload 12] H* v2_protocol_sig
  if {$static::allowProxyV1 && [TCP::payload 0 5] eq "PROXY"} {
    set proxy_string [TCP::payload]
    set proxy_string_length [expr {[string first "\r" [TCP::payload]] + 2}]
    scan $proxy_string {PROXY TCP%s%s%s%s%s} tcpver srcaddr dstaddr srcport dstport
    log "Proxy Protocol v1 conn from [IP::client_addr]:[TCP::client_port] for an IPv$tcpver stream from Src: $srcaddr:$srcport to Dst: $dstaddr:$dstport"
    TCP::payload replace 0 $proxy_string_length ""
  } elseif {$static::allowNoProxy} {
    log "Connection from [IP::client_addr]:[TCP::client_port] allowed despite lack of PROXY protocol header"
  } else {
    reject
    log "Connection rejected from [IP::client_addr]:[TCP::client_port] due to lack of PROXY protocol header"
  }
  TCP::release
}
 
when HTTP_REQUEST {
  	HTTP::Header insert "X-Forwarded-For" {$srcaddr}
}

> -if someone has a graphic of what order iRules/different virtual server settings are applied that would be helpful as well

Getting Started with iRules: Events & Priorities