Forum Discussion

Lukas_Ziegler
Jun 04, 2020

Proxy Protocol via iRule --> how to implement v2

We are trying to implement the proxy protocol (for use with SAP Web Dispatcher) and have this iRule:

when CLIENT_ACCEPTED {
   set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
}

when SERVER_CONNECTED {
   TCP::respond $proxyheader
}

It's working perfectly fine, which we checked via tcpdump.

The problem is that we need proxy protocol version 2 (binary header format) for the SAP solution.

Is there any way to make the F5 BIG-IP a proxy protocol initiator for version 2?

  • Hi,

    I have no experience with that, but I found this:

    https://support.f5.com/csp/article/K40512493

    http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

    https://github.com/ably/proxy-protocol-v2


    Are you working with IPv4 and TCP?

    Maybe this:

    when CLIENT_ACCEPTED {
    # Protocol signature (12 bytes: \r\n\r\n\0\r\nQUIT\n)
        set headerHex "0d0a0d0a000d0a515549540a"
    # Version 2 in the high nibble, command PROXY (0x1) in the low nibble.
    # 0x20 would be the LOCAL command, and the receiver ignores the addresses for LOCAL.
        append headerHex "21"
    # Address family IPv4 (0x1) and transport TCP (0x1); this iRule is IPv4-only
        append headerHex "11"
    # Length of the address block that follows: 12 bytes for IPv4, in network byte order
        append headerHex "000c"
    # Source IPv4 as Hex
        foreach oct [split [IP::remote_addr] "."] {
            append headerHex [format %02x $oct]
        }
    # Dest IPv4 as Hex
        foreach oct [split [IP::local_addr] "."] {
            append headerHex [format %02x $oct]
        }
    # Source port as Hex (2 bytes, network byte order)
        append headerHex [format %04x [TCP::remote_port]]
    # Dest port as Hex (2 bytes, network byte order)
        append headerHex [format %04x [TCP::local_port]]
    }
    when SERVER_CONNECTED {
        # Write header as bytes to the server side of the connection
        TCP::respond [binary format H* $headerHex]
    }

    Please permit me to be wrong with that example code, as it is just a shot.

    If necessary, I think you can run proxy-protocol-v2 as node.js libraries in iRuleLX.


    Kind regards.
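    As an added example, not taken from this thread or from F5, here is a small Python encoder for both header versions together with a minimal receiver-side parser, following the HAProxy proxy-protocol specification linked above. It lets the byte layout of a v2 header be checked offline before it goes into an iRule, and the parser shows why a length field written in the wrong byte order (0x0c00 instead of 0x000c) makes a receiver wait for thousands of bytes that never arrive. The addresses and ports are constructed sample values; IPv6 is handled as well, which goes beyond the IPv4-only iRule.

```python
import socket
import struct

# Constants from the PROXY protocol v2 specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte fixed signature
PP2_VERSION = 0x20                          # high nibble: version 2
PP2_CMD_LOCAL = 0x00                        # low nibble: LOCAL, addresses ignored
PP2_CMD_PROXY = 0x01                        # low nibble: PROXY, addresses are real
PP2_AF_INET_STREAM = 0x11                   # IPv4 + TCP
PP2_AF_INET6_STREAM = 0x21                  # IPv6 + TCP


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Text (v1) header, equivalent to what the v1 iRule in the question sends."""
    family = "TCP6" if ":" in src_ip else "TCP4"
    return f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def build_v2_header(src_ip, dst_ip, src_port, dst_port, local=False):
    """Binary (v2) header for TCP over IPv4 or IPv6."""
    if ":" in src_ip:
        af, fam_proto = socket.AF_INET6, PP2_AF_INET6_STREAM
    else:
        af, fam_proto = socket.AF_INET, PP2_AF_INET_STREAM
    addrs = socket.inet_pton(af, src_ip) + socket.inet_pton(af, dst_ip)
    ports = struct.pack("!HH", src_port, dst_port)
    cmd = PP2_CMD_LOCAL if local else PP2_CMD_PROXY
    # "!" = network byte order: the length is 0x000c for IPv4, 0x0024 for IPv6.
    fixed = struct.pack("!BBH", PP2_VERSION | cmd, fam_proto, len(addrs) + len(ports))
    return PP2_SIGNATURE + fixed + addrs + ports


def parse_v2_header(data):
    """Receiver-side parser. Returns (info, bytes_consumed) or raises ValueError."""
    if len(data) < 16:
        raise ValueError("need at least 16 bytes")
    if data[:12] != PP2_SIGNATURE:
        raise ValueError("bad signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported version")
    total = 16 + length
    if len(data) < total:
        # This is what a receiver sees when the length is sent as 0x0c00 (3072).
        raise ValueError(f"incomplete header: expected {total} bytes, have {len(data)}")
    cmd = ver_cmd & 0x0F
    if cmd == PP2_CMD_LOCAL:
        return {"command": "LOCAL"}, total  # skip the address block, keep peer address
    if cmd != PP2_CMD_PROXY:
        raise ValueError("unknown command")
    body = data[16:total]
    if fam_proto == PP2_AF_INET_STREAM and length == 12:
        af, n = socket.AF_INET, 4
    elif fam_proto == PP2_AF_INET6_STREAM and length == 36:
        af, n = socket.AF_INET6, 16
    else:
        raise ValueError("unsupported family/protocol or length mismatch")
    src_ip = socket.inet_ntop(af, body[:n])
    dst_ip = socket.inet_ntop(af, body[n:2 * n])
    src_port, dst_port = struct.unpack("!HH", body[2 * n:2 * n + 4])
    return {"command": "PROXY", "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port}, total


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    hdr = build_v2_header("203.0.113.10", "198.51.100.5", 51234, 443)
    print(hdr.hex())                 # compare with the hex string the iRule builds
    print(parse_v2_header(hdr))
```

    Running the module prints the full header as hex, which can be compared byte for byte with a tcpdump capture of what the iRule emits towards the pool member.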

  • Hi, thanks for your answer.

    I tried your iRule, but with that enabled there is no communication at all.

    We are using an HTTPS virtual server. As we do not want to terminate the SSL traffic on the F5, we can't use X-Forwarded-For. That's why we wanted to use the proxy protocol (which is working fine from the F5 side for v1, but the SAP side only supports v2).

    I'm happy about any other opinions or ideas.


    Kind regards.

  • I did, but this is for a proxy protocol receiver. What I need is for the F5 to be the initiator, so as to provide the end system with the actual client IP address, not to receive proxy protocol messages.

  • Can you please share your vip configuration details and the iRule details so that we can see the issue closely.

    Also, are you using RabbitMQ instances?

    If yes, then you need the following.

    To enable this support on an F5 LTM, perform the following steps:

    Enable proxy_protocol on your RabbitMQ instances.

    {rabbit,[
         {proxy_protocol, true}
    ]}

    On the F5 appliance, create an iRule with the following contents:

    when CLIENT_ACCEPTED {
        set proxyheader "PROXY TCP[IP::version] [IP::remote_addr] [IP::local_addr] [TCP::remote_port] [TCP::local_port]\r\n"
    }

    when SERVER_CONNECTED {
        TCP::respond $proxyheader
    }

    https://devcentral.f5.com/codeshare/proxy-protocol-initiator

    Apply this iRule to your AMQP Virtual Server(s). Note, this does require a TCP profile to be applied, so a 'Standard' Virtual Server will need to be used.

    That's it! You should now see your client connection information!

    [Screenshot: Without Proxy Protocol enabled (this IP is within the SNAT pool on the virtual server)]