PROXY Protocol Support
By default, Avi Service Engines (SEs) source-NAT (SNAT) the traffic destined to servers. Due to SNAT, logs on the application servers will show the layer 3 IP address of the SE rather than the original client’s IP address.
Protocol extensions such as “X-Forwarded-For” header for HTTP require knowledge of the underlying protocol (such as HTTP). For layer 4 applications, Avi Vantage supports versions 1 (human-readable format) and version 2 (binary format) of the PROXY protocol (PROXY protocol spec), which conveys the original connection parameters, such as the client IP address, to the back-end servers. For layer 4 SSL applications, version 1 is supported. The Avi SE requires no knowledge of the encapsulated protocol. The impact on performance caused by processing of transported information is very minimal.
Note: For applications served over SSL, the server needs to be configured to accept proxy protocol, otherwise the SSL handshake may fail.
PROXY protocol spec format:
PROXY TCP4 (real source address) (proxy address) (TCP source port) (TCP destination port) (CRLF sequence)
Example V1 PROXY protocol line:
PROXY TCP4 18.104.22.168 22.214.171.124 31646 80\r\n
Applications must be written to grab the IP address embedded within the PROXY header embedded in the TCP options. See the PROXY protocol spec for documentation to add this capability to an application.
Configuring PROXY Protocol via UI
The following are the steps to configure PROXY protocol via UI:
- Navigate to Template > Profiles.
- Within the Application tab, select System-L4-Application.
- For Type, select L4, as shown below.
- Click Enable PROXY Protocol.
- Select which version is desired.
- When finished changing the profile, click on Save.
The profile change affects any virtual services that use the same L4 application profile.
Configuring PROXY Protocol via CLI
The following sequence of CLI commands enable PROXY protocol support and protocol version to be used.
|: > configure applicationprofile System-L4-Application
: applicationprofile> tcp_app_profile
: applicationprofile:tcp_app_profile> proxy_protocol_enabled
: applicationprofile:tcp_app_profile> proxy_protocol_version proxy_protocol_version_1
: applicationprofile:tcp_app_profile> save
: applicationprofile> save
IPv6 Support for PROXY Protocol
Starting with NSX Advanced Load Balancer release 20.1.5, IPv6 addresses is also supported for the PROXY protocol. IPv6 address can be sent in the PROXY header. The following is the format for the PROXY header:
PROXY TCP6 (real source IPv6 address) (proxy IPv6 address) (TCP source port) (TCP destination port) (CRLF sequence)
The following is an example with IPv6 addresses as the source IPv6 address and the proxy IPv6 addresses.
PROXY TCP6 3ffe::1:600:f8ff:ff95:50df 2001::9d38:6ab8:1d49:4c1a:b94b:d2c1 31646 80\r\n
All the features which are applicable or valid for IPv4 address, still applicable with these changes also.