04-Jun-2020 04:55 - last edited on 04-Jun-2023 21:26 by JimmyPackets
We are trying to implement the PROXY protocol (for use with SAP Web Dispatcher) and have this iRule:
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
It's working perfectly fine, which we checked via tcpdump.
The problem is that we need PROXY protocol version 2 (binary header format) for the SAP solution.
Is there any way to make the F5 BIG-IP a PROXY protocol initiator for version 2?
04-Jun-2020 08:47 - last edited on 22-Nov-2022 15:13 by JimmyPackets
Hi,
I have no experience with that, but I found these:
https://support.f5.com/csp/article/K40512493
http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
https://github.com/ably/proxy-protocol-v2
Are you working with IPv4 and TCP?
Maybe this:
when CLIENT_ACCEPTED {
    # 12-byte protocol signature
    set headerHex "0d0a0d0a000d0a515549540a"
    # Version 2 (high nibble) with command PROXY (0x21); command LOCAL (0x20)
    # would tell the receiver to ignore the address block entirely
    append headerHex "21"
    # Address family AF_INET with transport STREAM (IPv4 and TCP)
    append headerHex "11"
    # Length of the address block that follows: 12 bytes, big-endian 0x000c
    append headerHex "000c"
    # Source IPv4 address as hex
    foreach oct [split [IP::remote_addr] "."] {
        append headerHex [format %02x $oct]
    }
    # Destination IPv4 address as hex
    foreach oct [split [IP::local_addr] "."] {
        append headerHex [format %02x $oct]
    }
    # Source port as hex (16-bit, network byte order)
    append headerHex [format %04x [TCP::remote_port]]
    # Destination port as hex (16-bit, network byte order)
    append headerHex [format %04x [TCP::local_port]]
}
when SERVER_CONNECTED {
    # Write the header to the server side as raw bytes
    TCP::respond [binary format H* $headerHex]
}
Please forgive me if that example code is wrong; it is just a shot in the dark.
If necessary, I think you can run proxy-protocol-v2 as a Node.js library in iRules LX.
Kind regards.
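To check the bytes an iRule like the one above actually emits, here is an added reference implementation in Python (not F5 code and not from the original post): it builds a v2 header in the layout the haproxy spec linked above defines, and parses one the way a receiver would, including the IPv6 case. The addresses and ports are constructed sample values.

```python
import ipaddress
import struct

# Constants from the PROXY protocol spec (haproxy proxy-protocol.txt, linked above).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # the 12-byte 0d0a0d0a000d0a515549540a
PP2_VERSION = 0x20                          # high nibble 0x2 = protocol version 2
PP2_CMD_LOCAL = 0x00                        # receiver must ignore the address block
PP2_CMD_PROXY = 0x01                        # receiver uses the address block
FAMILY_TCP = {4: 0x11, 6: 0x21}             # AF_INET+STREAM, AF_INET6+STREAM
ADDR_BYTES = {0x11: 4, 0x21: 16}            # per-address size for those families

def build_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Bytes an initiator sends to the backend before any client data."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    # Address block: src addr, dst addr, then both ports, all in network byte order.
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    # Length is a big-endian count of the bytes after it: 12 (00 0c) for IPv4/TCP.
    return (PP2_SIGNATURE + bytes([PP2_VERSION | PP2_CMD_PROXY, FAMILY_TCP[src.version]])
            + struct.pack("!H", len(addrs)) + addrs)

def parse_v2_header(data):
    """Decode a v2 header as a receiver would; ValueError where it would reject."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam = data[12], data[13]
    (length,) = struct.unpack("!H", data[14:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not protocol version 2")
    if len(data) < 16 + length:
        raise ValueError(f"length field says {length} bytes follow, only {len(data) - 16} do")
    if ver_cmd & 0x0F == PP2_CMD_LOCAL:
        return {"command": "LOCAL"}  # no client address is conveyed
    if fam not in ADDR_BYTES or length < 2 * ADDR_BYTES[fam] + 4:
        raise ValueError("unsupported family or truncated address block")
    n = ADDR_BYTES[fam]
    src_port, dst_port = struct.unpack("!HH", data[16 + 2 * n:20 + 2 * n])
    return {"command": "PROXY", "src": str(ipaddress.ip_address(data[16:16 + n])),
            "dst": str(ipaddress.ip_address(data[16 + n:16 + 2 * n])),
            "src_port": src_port, "dst_port": dst_port}

def header_is_valid(data):
    """True when a receiver would accept the header (handy for checking tcpdump captures)."""
    try:
        parse_v2_header(data)
        return True
    except ValueError:
        return False
```

Feeding it the bytes seen in a tcpdump of the iRule's output shows immediately whether the length field or the command byte is what the receiver is rejecting.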
04-Jun-2020 21:36
Hi, thanks for your answer.
I tried your iRule, but with that enabled there is no communication at all.
We are using an HTTPS virtual server. As we do not want to terminate the SSL traffic on the F5, we can't use X-Forwarded-For. That's why we wanted to use the PROXY protocol (which is working fine from the F5 side for v1, but the SAP side only supports v2).
I'm happy about any other opinions or ideas.
Kind regards.
05-Jun-2020 02:05
05-Jun-2020 02:08
I did, but this is for a PROXY protocol receiver. What I need is for the F5 to be the initiator, so as to provide the end system with the actual client IP address, and not to receive PROXY protocol messages.
05-Jun-2020 02:30
Can you please share your VIP configuration details and the iRule details so that we can look at the issue more closely?
Also, are you using RabbitMQ instances?
If yes, then you need:
To enable this support on an F5 LTM, perform the following steps:
Enable proxy_protocol on your RabbitMQ instances.
{rabbit, [
    {proxy_protocol, true}
]}
On the F5 appliance, create an iRule with the following contents:
when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}
https://devcentral.f5.com/codeshare/proxy-protocol-initiator
Apply this iRule to your AMQP Virtual Server(s). Note, this does require a TCP profile to be applied, so a 'Standard' Virtual Server will need to be used.
That's it! You should now see your client connection information!
[Screenshot: without Proxy Protocol enabled (this IP is within the SNAT pool on the virtual server)]
05-Jun-2020 02:35