This section explains the Proxy protocol support for the Avi Load Balancer.

By default, Avi Load Balancer SE source-NAT (SNAT) is the traffic destined to servers. Due to SNAT, application server logs will show the layer 3 IP address of the SE rather than the original client’s IP address.

Protocol extensions such as the X-Forwarded-For header for HTTP require knowledge of the underlying protocol (such as HTTP). For layer 3 applications, Avi Load Balancer supports version 1 (human-readable format) and version 2 (binary format) of the Proxy protocol (Proxy protocol specification), which conveys the original connection parameters, such as the client IP address, to the back-end servers. For layer 4 SSL applications, version 1 is supported. The Avi Load Balancer SE requires no knowledge of the encapsulated protocol, and the impact on performance caused by the processing of transported information is minimal.

Note:

For applications served over SSL, the server must be configured to accept proxy protocol, otherwise the SSL handshake may fail.

Proxy protocol spec format:

PROXY TCP4 (real source address) (proxy address) (TCP source port) (TCP destination port) (CRLF sequence)

Example V1 PROXY protocol line:

PROXY TCP4 12.97.16.194 136.179.21.69 31646 80\r\n

Application Support

Applications must be configured to capture the IP address embedded within the proxy header, which is in turn embedded in the TCP options. For more information, see PROXY protocol spec.

Configuring Proxy Protocol through UI

The following are the steps to configure PROXY protocol through UI:



  1. Navigate to Template > Profiles.

  2. Within the Application tab, edit System-L4-Application.

  3. For Type, select L4.

  4. Select the Enable PROXY Protocol check box.

  5. Select the desired version.

  6. Click SAVE.

Note:

TCP Proxy Protocol is supported (Enable PROXY Protocol is selected) when an L4 application profile is used as an override application profile.

Configuring Proxy Protocol through CLI

The following sequence of CLI commands enable PROXY protocol support and protocol version to be used.

configure applicationprofile System-L4-Application
applicationprofile> tcp_app_profile
applicationprofile:tcp_app_profile> proxy_protocol_enabled
applicationprofile:tcp_app_profile> proxy_protocol_version proxy_protocol_version_1
applicationprofile:tcp_app_profile> save
applicationprofile> save

IPv6 Support for Proxy Protocol

Proxy protocol supports IPv6 addresses. IPv6 address can be sent in the Proxy header. The following is the format for the PROXY header:

PROXY TCP6 (real source IPv6 address) (proxy IPv6 address) (TCP source port) (TCP destination port) (CRLF sequence)

The following is an example with IPv6 addresses as the source IPv6 address and the proxy IPv6 addresses.

PROXY TCP6 3ffe::1:600:f8ff:ff95:50df 2001::9d38:6ab8:1d49:4c1a:b94b:d2c1 31646 80\r\n

All the features which are applicable or valid for IPv4 address, still applicable with these changes also.