Proxy Protocol Initiator
Problem this snippet solves:
iRule Support for BIG-IP sending Proxy header to serverside pool member. (BIG-IP as Proxy Protocol Initiator)
Implements v1 of PROXY protocol at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
How to use this snippet:
Add iRule to Virtual Server. Back-end server should accept Proxy header.
Code :
when CLIENT_ACCEPTED { set proxyheader "PROXY " if {[IP::version] eq 4} { append proxyheader "TCP4 " } else { append proxyheader "TCP6 " } append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVER_CONNECTED { TCP::respond $proxyheader } ### Alternate Optimized Version ### when CLIENT_ACCEPTED { set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVER_CONNECTED { TCP::respond $proxyheader }
Tested this on version:
11.6They had me
and I don't have the operation not supported error anymore. But I've enabled logging in the when SERVER_CONNECTED block and it's not logging anything. I don't think I have proxy protocol enabled correctly.reboot
- hooleylistCirrostratus
This might be slightly more efficient than the original versions:
when SERVER_CONNECTED { TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n" }
- Andrew-F5Employee
If you're curious what this looks like in a packet capture where you do SSL re-encrypt on the virtual server, terminate SSL at the F5 then re-encrypt HTTPS to the pool members, the data is within a server side packet after the three way handshake with PSH and ACK flags set.
The data is hex encoded but if you right click the PSH,ACK packet and follow stream wireshark will decode it or you can use another resource.
Here's what the proxyheader looks like: PROXY TCP4 192.168.x.x 10.x.x.x 50299 443
- RGAndrewMNimbostratus
Has this been confirmed to work in BIGIP versions > 11.6?
- Bernd_MayNimbostratus
So far it works on BIG-IP 14.1.2.2 Build 0.30.4
- CDubNimbostratus
We implemented the solution on a LTM 13.1 VLB and the Virtual Server stopped working with a "PR_END_OF_FILE_ERROR" shown in the browser. The LB is configured not to unload SSL.
The backend server logs does not have any entries so it looks like traffic does not reach the backend servers.
Inspection of logs in VLB /var/log does not show anything related. Are there other logs or tools we can use to see what is causing the Virtual Server to stop responding?
thanks
- shubesNimbostratus
In configurations where non-default Route Domains are used, IP::remote_addr and IP::local_addr get the %rd identifier appended to the IP address, which is invalid in the ha proxy protocol. In order to remedy this, you can use the getfield iRule function to strip off the %rd. Using this function should be ok whether or not Route Domains are in use. Here's how that looks:
set proxyheader "PROXY TCP[IP::version] [getfield [IP::remote_addr] "%" 1] [getfield [IP::local_addr] "%" 1] [TCP::remote_port] [TCP::local_port]\r\n"
This worked for me with smtp going to postfix. (See postfix configuration above)