Proxy Protocol via iRule --> how to implement v2

Lukas_Ziegler
Nimbostratus

We are trying to implement proxy protocol (for use with SAP Web Dispatcher) and have this iRule:

when CLIENT_ACCEPTED {
   set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
   TCP::respond $proxyheader
}

It's working perfectly fine, which we checked via tcpdump.

Problem is that we need Proxy protocol version 2 (binary header format) for the SAP solution.

Is there any way to make the F5 Big-IP Proxy Protocol Initiator for version 2?

6 REPLIES 6

cjunior
Nacreous

Hi,

I have no experience with that, but I found this:

https://support.f5.com/csp/article/K40512493

http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

https://github.com/ably/proxy-protocol-v2

 

Are you working with IPv4 and TCP ?

Maybe this:

when CLIENT_ACCEPTED {
    # Protocol signature (12 bytes)
    set headerHex "0d0a0d0a000d0a515549540a"
    # Version 2, command PROXY (0x20 would be LOCAL, and the receiver would ignore the addresses)
    append headerHex "21"
    # IPv4 and TCP
    append headerHex "11"
    # Address block length: 12 bytes, in network byte order
    append headerHex "000c"
    # Source IPv4 as hex
    foreach oct [split [IP::remote_addr] "."] {
        append headerHex [format %02x $oct]
    }
    # Destination IPv4 as hex
    foreach oct [split [IP::local_addr] "."] {
        append headerHex [format %02x $oct]
    }
    # Source port as hex
    append headerHex [format %04x [TCP::remote_port]]
    # Destination port as hex
    append headerHex [format %04x [TCP::local_port]]
}
when SERVER_CONNECTED {
    # Write the header as raw bytes
    TCP::respond [binary format H* $headerHex]
}

Please allow me to be wrong with that example code, as it is just a shot.

If necessary, I think you can run proxy-protocol-v2 as node.js libraries in iRuleLX.

 

Kind regards.
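
The v2 header layout from the HAProxy specification linked above, as an added Python example (not part of the thread and not F5 or SAP code): it builds a v2 header for a TCP connection and parses one back, which is useful for checking the bytes seen in a tcpdump capture. The function names and sample addresses are constructed for illustration, and the example goes beyond the IPv4 case discussed here by also handling IPv6.

```python
import ipaddress
import struct

SIG = bytes.fromhex("0d0a0d0a000d0a515549540a")  # 12-byte v2 signature
FAMILIES = {0x11: (4, 12), 0x21: (16, 36)}  # TCP/IPv4, TCP/IPv6: (addr size, block size)


def build_v2(src, dst, sport, dport):
    """Build a v2 PROXY header for a TCP connection (IPv4 or IPv6)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must be the same family")
    fam = 0x11 if s.version == 4 else 0x21
    block = s.packed + d.packed + struct.pack("!HH", sport, dport)
    # 0x21 = version 2, command PROXY; the length field is big-endian (network order)
    return SIG + struct.pack("!BBH", 0x21, fam, len(block)) + block


def parse_v2(data):
    """Parse a v2 header; return (info dict, bytes consumed). Raise on malformed input."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    cmd = ver_cmd & 0x0F
    if cmd not in (0, 1):
        raise ValueError("unknown command")
    if len(data) < 16 + length:
        raise ValueError(f"truncated: header declares {length} bytes")
    if cmd == 0:  # LOCAL: the receiver must ignore the address block
        return {"command": "LOCAL"}, 16 + length
    if fam not in FAMILIES:
        raise ValueError("unsupported family/protocol")
    asize, bsize = FAMILIES[fam]
    if length < bsize:
        raise ValueError("address block too short")
    body = data[16:16 + length]
    sport, dport = struct.unpack("!HH", body[2 * asize:bsize])
    return {
        "command": "PROXY",
        "src": str(ipaddress.ip_address(body[:asize])),
        "dst": str(ipaddress.ip_address(body[asize:2 * asize])),
        "sport": sport, "dport": dport,
        "tlv_bytes": length - bsize,  # optional TLVs after the addresses
    }, 16 + length


# Constructed sample values (documentation address ranges).
SAMPLE = build_v2("192.0.2.10", "198.51.100.5", 51234, 443)
```
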

Lukas_Ziegler
Nimbostratus

Hi, thanks for your answer.

I tried your iRule, but with that enabled there is no communication at all.

We are using an HTTPS virtual server. As we do not want to terminate the SSL traffic on the F5, we can't use X-Forwarded-For. That's why we wanted to use proxy protocol (which is working fine from the F5 side for v1, but the SAP side only supports v2).

I'm happy about any other opinions or ideas.

 

Kind regards.

Sachin-Garg
Altostratus

Lukas_Ziegler
Nimbostratus

I did, but this is for proxy protocol receiver. What I need is the F5 to be the Initiator, so to provide the end-system with the actual client IP address, and not to receive proxy protocol messages.

Sachin-Garg
Altostratus

Can you please share your vip configuration details and the iRule details so that we can see the issue closely.

Also, are you using RabbitMQ instances?

If yes then you need

To enable this support on an F5 LTM, perform the following steps:

Enable proxy_protocol on your RabbitMQ instances.

{rabbit,[
     {proxy_protocol, true}
]}

On the F5 appliance, create an iRule with the following contents:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

https://devcentral.f5.com/codeshare/proxy-protocol-initiator

Apply this iRule to your AMQP Virtual Server(s). Note, this does require a TCP profile to be applied, so a 'Standard' Virtual Server will need to be used.

That's it! You should now see your client connection information!

Without Proxy Protocol enabled

(This IP is within the snat pool on the virtual server)