Proxy Protocol Initiator

Problem this snippet solves:

iRule support for BIG-IP sending a PROXY protocol header to the server-side pool member (BIG-IP as PROXY protocol initiator).

Implements v1 of PROXY protocol at: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

How to use this snippet:

Add the iRule to the virtual server. The back-end server should accept the PROXY header.

Tested on Version:
11.6
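
What a back end that accepts the header has to check, as an added example (not part of the original snippet or any F5 code): a Python parser for the v1 line defined in the spec linked above. The trusted-sender set, function names and sample addresses are assumptions; the spec tells receivers to accept the header only from trusted proxies.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 line a receiver must support, CRLF included

class ProxyHeaderError(ValueError):
    """Header missing, malformed or from an untrusted sender: drop the connection."""

def _port(text):
    # Decimal 0..65535 with no leading zeros.
    if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
        raise ProxyHeaderError(f"bad port {text!r}")
    return int(text)

def _addr(text, family):
    cls = ipaddress.IPv4Address if family == "TCP4" else ipaddress.IPv6Address
    # Reject '%' zone suffixes and zero-padded IPv4 octets before parsing.
    padded = family == "TCP4" and any(len(o) > 1 and o[0] == "0" for o in text.split("."))
    try:
        if "%" in text or padded:
            raise ValueError(text)
        return str(cls(text))
    except ValueError:
        raise ProxyHeaderError(f"bad {family} address {text!r}") from None

def parse_proxy_v1(buf, peer_ip, trusted_proxies):
    """Return (client_info, payload); client_info is None for 'PROXY UNKNOWN'."""
    # A header from any other sender would let a client forge its source address.
    if peer_ip not in trusted_proxies:
        raise ProxyHeaderError(f"{peer_ip} is not an allowed PROXY sender")
    # The header is the first thing on the wire, before any TLS or application bytes.
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within 107 bytes")
    fields = buf[:end].decode("ascii", "replace").split(" ")
    payload = buf[end + 2:]
    if fields[:2] == ["PROXY", "UNKNOWN"]:
        return None, payload  # sender could not describe the connection; ignore the rest
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed header {fields!r}")
    family, src, dst, sport, dport = fields[1:]
    return (_addr(src, family), _port(sport), _addr(dst, family), _port(dport)), payload

# Constructed sample: a v1 header followed by the first bytes of an AMQP connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 5672\r\nAMQP\x00\x00\x09\x01"
TRUSTED = {"10.0.0.5"}  # assumed BIG-IP self IP, the only permitted sender
```

Feeding the first bytes of a captured server-side connection to `parse_proxy_v1` shows whether the pool member is receiving a well-formed header at all.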
Comments on this Snippet
Comment made 08-Sep-2015 by Chad Jenison
Thanks Jason. Note that I didn't focus much effort on performance optimization because the code is only running on connection establishment and not more frequently (example would be every HTTP request).
0
Comment made 10-Jan-2017 by CS 1

What about v2? I tried with a PureFTPD backend and that broke the authentication. It seems it's supposed to work (or not break pureftpd, but hopefully work): https://github.com/joyent/haproxy-1.5/blob/master/doc/proxy-protocol.txt

0
Comment made 10-Jan-2017 by Chad Jenison

At this point I wouldn't expect the iRule to support PROXY protocol v2.

0
Comment made 16-May-2018 by Arun LK 106

I tried this iRule for SSL traffic on a standard VIP, where the SSL cert is on the server, and it does not work. Could anyone assist, please?

0
Comment made 16-May-2018 by Chad Jenison

I'd imagine this might work, but haven't tested. I'd give it a try and report back to this thread in comments.

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVERSSL_HANDSHAKE {
    SSL::respond $proxyheader
}
0
Comment made 17-May-2018 by Arun LK 106

I placed the iRule under the standard VIP and also for pass-through, but I am not able to get the client IP addresses.

0
Comment made 22-May-2018 by Arun LK 106

One more thing: in FTP/SSL, the URL stops working when we place the iRule. Any assistance is greatly appreciated.

0
Comment made 25-May-2018 by Chad Jenison

Arun, the data you're providing in your first comment about not getting client IP addresses isn't clear. It'd be helpful to indicate what you are seeing via packet capture or something. Regarding FTP/SSL: I'm not sure I'd expect things to work in that scenario due to the special characteristics of FTP (two connections).

0
Comment made 24-Jul-2018 by Darren Walker 226

We are trying to implement proxy protocol (for use with RabbitMQ AMQP) and have this iRule:

when CLIENT_ACCEPTED {
    set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}
when SERVER_CONNECTED {
    TCP::respond $proxyheader
}

But keep receiving a logged error: TCL error: /Common/rabbitMQ_proxy_protocol <SERVER_CONNECTED> - Operation not supported (line 1) invoked from within "TCP::respond $proxyheader"

This page below says that TCP::respond is a valid command for SERVER_CONNECTED. Any ideas? https://devcentral.f5.com/wiki/iRules.SERVER_CONNECTED.ashx

0
Comment made 24-Jul-2018 by Chad Jenison

Darren, that is surprising. Am I correct to assume you have the iRule attached to a Standard mode virtual server?

If so, I'd suggest opening a case with F5 support. While they cannot support the iRule code, the fact that you're getting this execution error on an event that is supported for TCP::respond should be something they can investigate.

1
Comment made 25-Jul-2018 by Darren Walker 226

They had me reboot and I don't have the operation not supported error anymore. But I've enabled logging in the when SERVER_CONNECTED block and it's not logging anything. I don't think I have proxy protocol enabled correctly.

0