PROXY Protocol Support

By default, Avi Service Engines (SEs) source-NAT (SNAT) traffic destined to servers. Because of SNAT, logs on the application servers show the layer 3 IP address of the SE rather than the original client’s IP address. Protocol extensions such as the “X-Forwarded-For” header for HTTP require knowledge of the underlying protocol (such as HTTP).

For layer 4 applications, Avi Vantage supports version 1 (human-readable format) and version 2 (binary format) of the PROXY protocol (PROXY protocol spec), which conveys the original connection parameters, such as the client IP address, to the back-end servers. For layer 4 SSL applications, version 1 is supported. The Avi SE requires no knowledge of the encapsulated protocol. The performance impact of processing the transported information is minimal.

PROXY protocol spec format:

PROXY TCP4 (real source address) (proxy address) (TCP source port) (TCP destination port) (CRLF sequence)

Example V1 PROXY protocol line:

PROXY TCP4 12.97.16.194 136.179.21.69 31646 80\r\n

Application Support

Applications must be written to read the client IP address from the PROXY header embedded in the TCP options. See the PROXY protocol spec for documentation on adding this capability to an application.
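One way a back-end application could consume the version 1 line shown above, as an added example (not Avi's code or code from the PROXY protocol spec): it parses the line from the start of the received data, enforces the spec's 107-byte limit and field formats, and accepts the header only from configured proxy addresses so that a direct client cannot spoof its source IP. The function names and the 10.0.0.0/24 SE subnet are assumptions.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 line the spec allows, CRLF included
FAMILIES = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}

class ProxyHeaderError(ValueError):
    """The connection did not start with an acceptable v1 PROXY line."""

def _port(text):
    # Decimal only, no sign or leading zeros, within the TCP port range.
    if not text.isdigit() or str(int(text)) != text or int(text) > 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def parse_proxy_v1(buf):
    """Return (info, payload); info is None for 'PROXY UNKNOWN'."""
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if not buf.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("no PROXY v1 line within 107 bytes")
    payload = buf[end + 2:]  # application data that follows the header
    try:
        fields = buf[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":
            return None, payload  # the rest of the line is ignored
        _, family, src, dst, sport, dport = fields  # exactly six fields
        addr = FAMILIES[family]
        info = {"src": (str(addr(src)), _port(sport)),
                "dst": (str(addr(dst)), _port(dport))}
    except (ValueError, KeyError) as exc:
        raise ProxyHeaderError(f"malformed PROXY v1 line: {exc}") from exc
    return info, payload

def client_of(peer_ip, buf, trusted_proxies):
    """Honour the header only when the TCP peer is a configured proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer}")
    info, payload = parse_proxy_v1(buf)
    return (info["src"][0] if info else str(peer)), payload

if __name__ == "__main__":
    # Header line from this page; payload and SE subnet are constructed.
    data = b"PROXY TCP4 12.97.16.194 136.179.21.69 31646 80\r\nHELLO\r\n"
    print(client_of("10.0.0.5", data, ["10.0.0.0/24"]))
```

A server with PROXY protocol enabled should treat `ProxyHeaderError` as a reason to close the connection and log the TCP peer address, not fall back to parsing the bytes as application data.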

Configuring PROXY Protocol via UI

  1. Navigate to Template > Profiles.
  2. Within the Application tab, select System-L4-Application.
  3. For Type, select L4.
  4. Click Enable PROXY Protocol.
  5. Select which version is desired.
  6. When finished changing the profile, click Save.

The profile change affects any virtual services that use the same L4 application profile.

Configuring PROXY Protocol via CLI

The following sequence of CLI commands enables PROXY protocol support and sets the protocol version to be used.

: > configure applicationprofile System-L4-Application

: applicationprofile> tcp_app_profile

: applicationprofile:tcp_app_profile> proxy_protocol_enabled

: applicationprofile:tcp_app_profile> proxy_protocol_version proxy_protocol_version_1

: applicationprofile:tcp_app_profile> save

: applicationprofile> save