Proxy Protocol Initiator
Problem this snippet solves:
iRule support for BIG-IP sending a PROXY protocol header to the server-side pool member (BIG-IP as PROXY protocol initiator).
Implements v1 of the PROXY protocol, specified at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
How to use this snippet:
Add the iRule to the virtual server. The back-end server should accept the PROXY header.
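What a back-end that accepts this header has to check, as an added Python example that is not part of the original snippet: it parses the v1 line the iRule emits and rejects it unless the connection comes from a known proxy. The function names, `TRUSTED_PROXIES` and all addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the spec allows, CRLF included
FAMILIES = {"TCP4": 4, "TCP6": 6}
# Assumption: the only peers allowed to send a PROXY header (BIG-IP self IPs).
# Constructed documentation-range address.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _port(text):
    # Decimal digits only, so "+80" or " 80" is rejected before int().
    if not text.isdigit() or int(text) > 65535:
        raise ValueError("bad port: %r" % text)
    return int(text)


def parse_proxy_v1(peer_ip, data):
    """Return (src_ip, src_port, dst_ip, dst_port, header_len).

    The first four items are None for "PROXY UNKNOWN". Raises ValueError
    for a malformed header or a peer that is not a trusted proxy.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise ValueError("PROXY header from untrusted peer %s" % peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_LEN)
    fields = data[:end].decode("ascii").split(" ")  # exactly one space apart
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":  # rest of the line is ignored
        return (None, None, None, None, end + 2)
    if fields[1] not in FAMILIES or len(fields) != 6:
        raise ValueError("bad protocol or field count")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != FAMILIES[fields[1]] or dst.version != src.version:
        raise ValueError("address family does not match %s" % fields[1])
    return (str(src), _port(fields[4]), str(dst), _port(fields[5]), end + 2)


if __name__ == "__main__":
    # Constructed sample: the line the iRule emits, followed by client payload.
    sample = b"PROXY TCP4 203.0.113.7 198.51.100.20 51234 443\r\nGET / HTTP/1.1\r\n"
    print(parse_proxy_v1("192.0.2.10", sample))
```

The returned `header_len` tells the server how many bytes to strip before handing the rest of the stream to the application protocol.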
Code :
when CLIENT_ACCEPTED {
    # Build the v1 header on the client side, where remote = client and local = virtual server
    set proxyheader "PROXY "
    if {[IP::version] eq 4} {
        append proxyheader "TCP4 "
    } else {
        append proxyheader "TCP6 "
    }
    append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    # Send the header to the pool member as the first bytes of the server-side connection
    TCP::respond $proxyheader
}
### Alternate Optimized Version ###
when CLIENT_ACCEPTED {
    # [IP::version] returns 4 or 6, which yields TCP4 or TCP6 directly
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
Tested this on version:
11.6
17 Comments
- Arun_LK_202176
Nimbostratus
One more thing is that, in ftp/ssl, the URL stops working when we place the iRule. Any assistance is greatly appreciated.
- Arun_LK_202176
Nimbostratus
I placed the iRule under the standard VIP and also for pass-through. But I am not able to get the client IP addresses.
- Chad_Jenison
Nimbostratus
I'd imagine this might work, but haven't tested. I'd give it a try and report back to this thread in comments.
    when CLIENT_ACCEPTED {
        set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }
    when SERVERSSL_HANDSHAKE {
        SSL::respond $proxyheader
    }
- Arun_LK_202176
Nimbostratus
I tried this iRule for SSL traffic on a standard VIP, where the SSL cert is on the server, and it does not work. Could anyone assist, please?
- Chad_Jenison
Nimbostratus
At this point I wouldn't expect the iRule to support PROXY protocol v2.
- CSA
Nimbostratus
What about v2? I tried with a PureFTPD backend and that broke the authentication. It seems it's supposed to work (or not break pureftpd, but hopefully work): https://github.com/joyent/haproxy-1.5/blob/master/doc/proxy-protocol.txt
- Chad_Jenison
Nimbostratus
Thanks Jason. Note that I didn't focus much effort on performance optimization because the code is only running on connection establishment and not more frequently (example would be every HTTP request).