Proxy Protocol Initiator

Problem this snippet solves:

iRule Support for BIG-IP sending Proxy header to serverside pool member. (BIG-IP as Proxy Protocol Initiator)

Implements v1 of PROXY protocol at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

How to use this snippet:

Add iRule to Virtual Server. Back-end server should accept Proxy header.

Code :

when CLIENT_ACCEPTED {
    set proxyheader "PROXY "
    if {[IP::version] eq 4} {
        append proxyheader "TCP4 "
    } else {
        append proxyheader "TCP6 "
    }
    append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

### Alternate Optimized Version ###
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
 
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

Tested this on version:

11.6
Published Sep 02, 2015
Version 1.0
application delivery
devops
iRules
LTM
proxy

Was this article helpful?

17 Comments

Sort By
Show More
  • Darren_Walker_2's avatar
    Darren_Walker_2
    Icon for Cirrus rankCirrus
    Jul 25, 2018

    They had me 

    reboot
    and I don't have the operation not supported error anymore. But I've enabled logging in the when SERVER_CONNECTED block and it's not logging anything. I don't think I have proxy protocol enabled correctly.

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 25, 2019

    This might be slightly more efficient than the original versions:

    when SERVER_CONNECTED {
      TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n"
}
  • Andrew-F5's avatar
    Andrew-F5
    Icon for Employee rankEmployee
    Jun 05, 2019

    If you're curious what this looks like in a packet capture where you do SSL re-encrypt on the virtual server, terminate SSL at the F5 then re-encrypt HTTPS to the pool members, the data is within a server side packet after the three way handshake with PSH and ACK flags set.

     

    The data is hex encoded but if you right click the PSH,ACK packet and follow stream wireshark will decode it or you can use another resource.

     

    Here's what the proxyheader looks like: PROXY TCP4 192.168.x.x 10.x.x.x 50299 443

     

  • CDub's avatar
    CDub
    Icon for Nimbostratus rankNimbostratus
    Oct 09, 2020

    We implemented the solution on a LTM 13.1 VLB and the Virtual Server stopped working with a "PR_END_OF_FILE_ERROR" shown in the browser. The LB is configured not to unload SSL.

     

    The backend server logs does not have any entries so it looks like traffic does not reach the backend servers.

    Inspection of logs in VLB /var/log does not show anything related. Are there other logs or tools we can use to see what is causing the Virtual Server to stop responding?

    thanks

  • shubes's avatar
    shubes
    Icon for Nimbostratus rankNimbostratus
    Oct 20, 2022

    In configurations where non-default Route Domains are used, IP::remote_addr and IP::local_addr get the %rd identifier appended to the IP address, which is invalid in the ha proxy protocol. In order to remedy this, you can use the getfield iRule function to strip off the %rd. Using this function should be ok whether or not Route Domains are in use. Here's how that looks:

    set proxyheader "PROXY TCP[IP::version] [getfield [IP::remote_addr] "%" 1] [getfield [IP::local_addr] "%" 1] [TCP::remote_port] [TCP::local_port]\r\n"

    This worked for me with smtp going to postfix. (See postfix configuration above)