cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Chad_Jenison
Nimbostratus
Nimbostratus

Problem this snippet solves:

iRule Support for BIG-IP sending Proxy header to serverside pool member. (BIG-IP as Proxy Protocol Initiator)

Implements v1 of PROXY protocol at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

How to use this snippet:

Add iRule to Virtual Server. Back-end server should accept Proxy header.

Code :

when CLIENT_ACCEPTED {
    set proxyheader "PROXY "
    if {[IP::version] eq 4} {
        append proxyheader "TCP4 "
    } else {
        append proxyheader "TCP6 "
    }
    append proxyheader "[IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

### Alternate Optimized Version ###
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
 
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

Tested this on version:

11.6
Comments
Chad_Jenison
Nimbostratus
Nimbostratus
Thanks Jason. Note that I didn't focus much effort on performance optimization because the code is only running on connection establishment and not more frequently (example would be every HTTP request).
CSA
Nimbostratus
Nimbostratus

What about v2 ? I tried with a PureFTPD backend and that broke the authentication. It seems it's supposed to work (or not break pureftpd, but hopefully work) : https://github.com/joyent/haproxy-1.5/blob/master/doc/proxy-protocol.txt

 

Chad_Jenison
Nimbostratus
Nimbostratus

At this point I wouldn't expect the iRule to support PROXY protocol v2.

 

Arun_LK_202176
Nimbostratus
Nimbostratus

I tried this iRule for SSL traffic standard VIP. Where SSL cert is on the server and it does not work. Could anyone assist. Please.

 

Chad_Jenison
Nimbostratus
Nimbostratus

I'd imagine this might work, but haven't tested. I'd give it a try and report back to this thread in comments.

 

when CLIENT_ACCEPTED { set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVERSSL_HANDSHAKE { SSL::respond $proxyheader }
Arun_LK_202176
Nimbostratus
Nimbostratus

I placed the iRUle under the standard vip and also for pass through. But, not able to get the client IP addresses.

 

Arun_LK_202176
Nimbostratus
Nimbostratus

One more thing, is that, in ftp/ssl, the url stop working when we place the iRule. Any assistance is greatly appreciated.

 

Chad_Jenison
Nimbostratus
Nimbostratus

arun, the data you're providing in your first comment about not getting client IP addresses isn't clear. it'd be helpful to indicate what you are seeing via packet capture or something. Regarding FTP/SSL; I'm not sure I'd expect things to work in that scenario due to the special characteristics of FTP (two connections).

 

We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this irule:

 

when CLIENT_ACCEPTED{ set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n" } when SERVER_CONNECTED { TCP::respond $proxyheader }

But keep receiving a logged error: TCL error: /Common/rabbitMQ_proxy_protocol - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"

 

This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas? https://tstdmzdevcentral.olympus.f5net.com/wiki/iRules.SERVER_CONNECTED.ashx

 

Chad_Jenison
Nimbostratus
Nimbostratus

Darren, that is surprising. Am I correct to assume you have the iRule attached to a Standard mode virtual server?

 

If so, I'd suggest opening a case with F5 support. While the cannot support the iRule code, the fact that you're getting this execution error on an event that is supported for TCP::respond should be something they can investigate.

 

They had me reboot and I don't have the operation not supported error anymore. But I've enabled logging in the when SERVER_CONNECTED block and it's not logging anything. I don't think I have proxy protocol enabled correctly.

 

hooleylist
Cirrostratus
Cirrostratus

This might be slightly more efficient than the original versions:

 

when SERVER_CONNECTED { TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n" }
Andrew-F5
F5 Employee
F5 Employee

If you're curious what this looks like in a packet capture where you do SSL re-encrypt on the virtual server, terminate SSL at the F5 then re-encrypt HTTPS to the pool members, the data is within a server side packet after the three way handshake with PSH and ACK flags set.

 

The data is hex encoded but if you right click the PSH,ACK packet and follow stream wireshark will decode it or you can use another resource.

 

Here's what the proxyheader looks like: PROXY TCP4 192.168.x.x 10.x.x.x 50299 443

 

0691T000006BEUBQA4.png

RGAndrewM
Nimbostratus
Nimbostratus

Has this been confirmed to work in BIGIP versions > 11.6?

Bernd_May
Nimbostratus
Nimbostratus

So far it works on BIG-IP 14.1.2.2 Build 0.30.4 

CDub
Nimbostratus
Nimbostratus

We implemented the solution on a LTM 13.1 VLB and the Virtual Server stopped working with a "PR_END_OF_FILE_ERROR" shown in the browser. The LB is configured not to unload SSL.

 

The backend server logs does not have any entries so it looks like traffic does not reach the backend servers.

Inspection of logs in VLB /var/log does not show anything related. Are there other logs or tools we can use to see what is causing the Virtual Server to stop responding?

thanks

Version history
Last update:
‎02-Sep-2015 09:09
Updated by:
Contributors