Proxy Protocol Initiator

Problem this snippet solves:

iRule Support for BIG-IP sending Proxy header to serverside pool member. (BIG-IP as Proxy Protocol Initiator)

Implements v1 of PROXY protocol at:

How to use this snippet:

Add iRule to Virtual Server. Back-end server should accept Proxy header.

Code :

    set proxyheader "PROXY "
    if {[IP::version] eq 4} {
        append proxyheader "TCP4 "
    } else {
        append proxyheader "TCP6 "
    append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"

    TCP::respond $proxyheader

### Alternate Optimized Version ###
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    TCP::respond $proxyheader

Tested this on version:

Published Sep 02, 2015
Version 1.0

Was this article helpful?


  • They had me

    and I don't have the operation not supported error anymore. But I've enabled logging in the when SERVER_CONNECTED block and it's not logging anything. I don't think I have proxy protocol enabled correctly.

  • This might be slightly more efficient than the original versions:

          TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n"
  • If you're curious what this looks like in a packet capture where you do SSL re-encrypt on the virtual server, terminate SSL at the F5 then re-encrypt HTTPS to the pool members, the data is within a server side packet after the three way handshake with PSH and ACK flags set.


    The data is hex encoded but if you right click the PSH,ACK packet and follow stream wireshark will decode it or you can use another resource.


    Here's what the proxyheader looks like: PROXY TCP4 192.168.x.x 10.x.x.x 50299 443


  • CDub's avatar
    Icon for Nimbostratus rankNimbostratus

    We implemented the solution on a LTM 13.1 VLB and the Virtual Server stopped working with a "PR_END_OF_FILE_ERROR" shown in the browser. The LB is configured not to unload SSL.


    The backend server logs does not have any entries so it looks like traffic does not reach the backend servers.

    Inspection of logs in VLB /var/log does not show anything related. Are there other logs or tools we can use to see what is causing the Virtual Server to stop responding?


  • shubes's avatar
    Icon for Nimbostratus rankNimbostratus

    In configurations where non-default Route Domains are used, IP::remote_addr and IP::local_addr get the %rd identifier appended to the IP address, which is invalid in the ha proxy protocol. In order to remedy this, you can use the getfield iRule function to strip off the %rd. Using this function should be ok whether or not Route Domains are in use. Here's how that looks:

    set proxyheader "PROXY TCP[IP::version] [getfield [IP::remote_addr] "%" 1] [getfield [IP::local_addr] "%" 1] [TCP::remote_port] [TCP::local_port]\r\n"

    This worked for me with smtp going to postfix. (See postfix configuration above)