
Proxy Protocol Receiver

Problem this snippet solves:

An iRule for BIG-IP that receives a PROXY protocol (v1 and v2) header at the start of the TCP payload and removes it before forwarding the remaining TCP payload to the server-side pool member.

How to use this snippet:

Enable the iRule on the virtual server to which the upstream proxy will be sending the PROXY header.

Testing was done using proxied IPv6 and IPv4 HTTP connections from HAProxy with Proxy Protocol v1 and v2. Use of client or server SSL profiles is slated for testing and validation, since ELB promotes Proxy Protocol as a solution for customers who don't want ELB to terminate HTTPS traffic but do want their servers to see the original client IP addresses.

Tested on Version:
12.0
Comments on this Snippet
Comment made 23-Jan-2017 by Jonathan Jachniuk

Very nice iRule. I found a problem on it: I needed to change the proxy_string_length to not all the payload but till the first occurrence of \r, like this: set proxy_string_length [string first "\r" [TCP::payload] 0]

Regards,

Comment made 23-Jan-2017 by Chad Jenison

I'll update it. Thanks for the catch.

Comment made 20-Feb-2017 by Chad Jenison

Note that there are a few things people might want atop this iRule: 1) support for Client SSL on the inbound connections that are using Proxy Protocol; 2) insertion of the Proxy Protocol source IP address into an HTTP X-Forwarded-For header on the server side; 3) "spoofing" of the Proxy Protocol source IP by BIG-IP (assuming servers are pointed at BIG-IP as their default gateway) on server-side connections.

All of these things should be doable and I'm happy to add them.

Comment made 09-Mar-2017 by guyn

Would you please share how to implement no. 3 ("spoofing" of the Proxy Protocol source IP)?

Comment made 09-Mar-2017 by Chad Jenison

I believe 3) should be as easy as adding the following to the bottom of the code hung off the CLIENT_DATA event, along with setting $static::useProxyProtocolSourceForSNAT to 1 in RULE_INIT.

This syntax validates, but I'll need time to do some testing.

Chad

if {$static::useProxyProtocolSourceForSNAT} {
    # Use the client address carried in the PROXY header as the SNAT address
    # for the server-side connection. Each variable is only set by the code
    # path for its header version, so test for a set, non-empty value rather
    # than evaluating an IP string as a boolean (which errors in Tcl).
    if {[info exists srcaddr] && $srcaddr ne ""} {
        snat $srcaddr                   ;# PROXY v1 source address
    } elseif {[info exists v2_sourceAddress] && $v2_sourceAddress ne ""} {
        snat $v2_sourceAddress          ;# PROXY v2 IPv4 source address
    } elseif {[info exists v2_v6sourceAddress] && $v2_v6sourceAddress ne ""} {
        snat $v2_v6sourceAddress        ;# PROXY v2 IPv6 source address
    }
}
Comment made 1 month ago by Lucas Barriere

Hi everyone,

Using F5 on AWS, I encountered an issue using a Network Load Balancer and therefore Proxy Protocol v2. AWS also specifies in the header the ID of the VPC endpoint; therefore, at line 34, the shift of 28 octets is wrong. I had to read the content of the 15th and 16th octets, which indicates the size of this payload (variable in size):

# @13 skips the 12-byte signature and the version/command byte; H2 reads the
# address-family/protocol byte, S the big-endian 16-bit length in octets 15-16
binary scan [TCP::payload] @13H2S v2_addressFamilyTransportProtocol v2_remainderLen1

and add this to the size of the initial payload (16 octets):

set v2_remainderLen [expr {$v2_remainderLen1 & 0xffff}]   ;# S is signed; mask to unsigned
set v2_payloadindex [expr {$v2_remainderLen + 16}]         ;# 16-byte fixed header + variable part
#log "Shift by: $v2_payloadindex"
TCP::payload replace 0 $v2_payloadindex ""

Please forgive my TCL, this is my first time :)

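As an added example (not the iRule from this page, nor F5 or HAProxy code), here is a stand-alone Python parser that strips a PROXY protocol header the way the snippet and the comments above describe: v1 is cut at the first CRLF rather than the end of the payload (Jonathan's point), and v2 is cut at 16 bytes plus the length in octets 15-16, so vendor TLVs such as the AWS VPC endpoint ID are skipped instead of assuming a 28-byte header (Lucas's point). The sample headers are constructed; TLV type 0xEA is the vendor type the HAProxy spec assigns to AWS.

```python
import socket
import struct
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte PROXY v2 signature (HAProxy spec)

def strip_proxy_header(payload: bytes):
    """Return (src, dst, remaining_payload) for a leading PROXY v1/v2 header;
    None if more bytes are needed; ValueError if it is not a valid header."""
    if payload.startswith(V2_SIG):
        if len(payload) < 16:
            return None                     # fixed 16-byte part not complete yet
        ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", payload[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("bad v2 version nibble")
        end = 16 + addr_len                 # length covers address block AND any TLVs
        if len(payload) < end:
            return None
        fam = fam_proto >> 4
        if ver_cmd & 0x0F == 0:             # LOCAL command (e.g. health check): no client
            src = dst = None
        elif fam in (1, 2):                 # 1 = AF_INET, 2 = AF_INET6
            af, fmt, need = ((socket.AF_INET, "!4s4sHH", 12) if fam == 1
                             else (socket.AF_INET6, "!16s16sHH", 36))
            if addr_len < need:
                raise ValueError("v2 length shorter than its address block")
            s, d, sp, dp = struct.unpack(fmt, payload[16:16 + need])
            src, dst = (socket.inet_ntop(af, s), sp), (socket.inet_ntop(af, d), dp)
        else:
            raise ValueError("unsupported v2 address family")
        return src, dst, payload[end:]
    if payload.startswith(b"PROXY "):
        eol = payload.find(b"\r\n")         # v1 ends at the first CRLF, not end of payload
        if eol == -1:
            if len(payload) >= 107:         # spec caps a v1 line at 107 bytes incl. CRLF
                raise ValueError("v1 header too long")
            return None
        f = payload[:eol].split(b" ")
        if len(f) == 6 and f[1] in (b"TCP4", b"TCP6"):
            src, dst = (f[2].decode(), int(f[4])), (f[3].decode(), int(f[5]))
        elif f[1] == b"UNKNOWN":
            src = dst = None
        else:
            raise ValueError("bad v1 header")
        return src, dst, payload[eol + 2:]
    raise ValueError("no PROXY header present")

# Constructed samples: a v1 line as HAProxy sends it, and a v2 header carrying a
# vendor TLV (type 0xEA, as AWS NLB does), so its length field is 21, not 12.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 198.51.100.9 40000 443\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIG + b"\x21\x11\x00\x15"                             # PROXY cmd, TCP/IPv4, len 21
             + b"\xcb\x00\x71\x07\xc6\x33\x64\x09\x9c\x40\x01\xbb"     # 203.0.113.7:40000 -> 198.51.100.9:443
             + b"\xea\x00\x06\x01vpce1"                                # 9-byte TLV (3-byte header + 6)
             + b"GET / HTTP/1.1\r\n")
```

Both samples parse to the same client/server addresses and leave only the HTTP request as remaining payload; a truncated v2 header returns None so the caller can wait for more bytes instead of stripping too little.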