Proxy Protocol Initiator
Problem this snippet solves:
iRule Support for BIG-IP sending Proxy header to serverside pool member. (BIG-IP as Proxy Protocol Initiator)
Implements v1 of PROXY protocol at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
How to use this snippet:
Add iRule to Virtual Server. Back-end server should accept Proxy header.
Code :
when CLIENT_ACCEPTED {
set proxyheader "PROXY "
if {[IP::version] eq 4} {
append proxyheader "TCP4 "
} else {
append proxyheader "TCP6 "
}
append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
TCP::respond $proxyheader
}
### Alternate Optimized Version ###
when CLIENT_ACCEPTED {
set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
TCP::respond $proxyheader
}Tested this on version:
11.6
NimbostratusNimbostratus17 Comments
Chad_JenisonThanks Jason. Note that I didn't focus much effort on performance optimization because the code is only running on connection establishment and not more frequently (example would be every HTTP request).
CSAWhat about v2 ? I tried with a PureFTPD backend and that broke the authentication. It seems it's supposed to work (or not break pureftpd, but hopefully work) : https://github.com/joyent/haproxy-1.5/blob/master/doc/proxy-protocol.txt
- Chad_Jenison
At this point I wouldn't expect the iRule to support PROXY protocol v2.
Arun_LK_202176I tried this iRule for SSL traffic standard VIP. Where SSL cert is on the server and it does not work. Could anyone assist. Please.
- Chad_Jenison
I'd imagine this might work, but haven't tested. I'd give it a try and report back to this thread in comments.
when CLIENT_ACCEPTED { set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVERSSL_HANDSHAKE { SSL::respond $proxyheader } - Arun_LK_202176
I placed the iRUle under the standard vip and also for pass through. But, not able to get the client IP addresses.
- Arun_LK_202176
One more thing, is that, in ftp/ssl, the url stop working when we place the iRule. Any assistance is greatly appreciated.
- Chad_Jenison
arun, the data you're providing in your first comment about not getting client IP addresses isn't clear. it'd be helpful to indicate what you are seeing via packet capture or something. Regarding FTP/SSL; I'm not sure I'd expect things to work in that scenario due to the special characteristics of FTP (two connections).
Darren_Walker_2Cirrus
We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule:
when CLIENT_ACCEPTED{ set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVER_CONNECTED { TCP::respond $proxyheader }But keep receiving a logged error:
TCL error: /Common/rabbitMQ_proxy_protocol - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas?
https://devcentral.f5.com/wiki/iRules.SERVER_CONNECTED.ashx- Chad_Jenison
Darren, that is surprising. Am I correct to assume you have the iRule attached to a Standard mode virtual server?
If so, I'd suggest opening a case with F5 support. While the cannot support the iRule code, the fact that you're getting this execution error on an event that is supported for TCP::respond should be something they can investigate.