Proxy protocol

Citrix ADC uses Proxy protocol to safely transport client connection information from the client to the server across Citrix ADC appliances in the proxy layer. The appliance adds a proxy protocol header containing the client-side details and forwards it to the other appliances and then to the back-end server. The following are some of the usage scenarios for proxy protocol in a Citrix ADC appliance.

  • Learning original client IP address
  • Selecting a language for a website
  • Blacklisting selected IP addresses
  • Logging and collecting statistics

How proxy protocol works in a Citrix ADC appliance

The following diagram shows how Proxy protocol is configured in a Citrix ADC appliance:

[Diagram: Proxy protocol in a Citrix ADC appliance]

The components interact as follows:

  • A client sends an HTTP request to Citrix ADC.
  • At the Citrix ADC 1 instance, if proxy protocol is disabled on the load balancing virtual server (VIP) and enabled on the service (SNIP), it is an Insert operation.
  • In an Insert operation, Citrix ADC 1 adds a proxy header with client connection details and forwards it to the Citrix ADC 2 appliance.
  • At Citrix ADC 2, it is a Forward operation. The proxy protocol is enabled on the load balancing virtual server and enabled on the service. The appliance receives the proxy header and forwards the header details to the Citrix ADC 3 appliance.
  • At Citrix ADC 3, it can be either a Forward or a Stripped operation. For Forward, the proxy protocol is enabled on the load balancing virtual server and on the service. The appliance receives the proxy header and forwards the header details to the origin server.
  • If the operation is Stripped, the Proxy protocol is enabled on the load balancing virtual server and disabled on the service. The appliance receives the Proxy header details and stores them for audit logging or statistics.
  • If the proxy header details are in an invalid format, the appliance resets the connection.
  • On the receiving side, based on proxy protocol data, the appliance decides the proxy protocol version. There are two versions, Proxy Protocol Version-1 and Proxy Protocol Version-2.
  • On the sending side, the appliance decides the proxy protocol version based on CLI configuration.

Proxy protocol version formats

Proxy protocol is available in two version formats. The appliance decides which format to use based on the incoming data length.

  1. Proxy protocol version-1 format: PROXY TCP4/TCP6/UNKNOWN <SRC IP> <DST IP> <SRC PORT> <DST PORT>
    • PROXY -> Unique string that identifies Proxy header version-1.
    • Supported protocols are TCP over IPv4 and TCP over IPv6. For the remaining protocols, this is UNKNOWN.
    • SRC IP – Source IP (Original Client IP) address of a packet.
    • DST IP – Destination IP address of a packet.
    • SRC port – Source port of a packet.
    • DST port – Destination port of a packet.
  2. Proxy protocol version-2 format: 0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A <13th byte> <14th byte> <15-16th byte> <17th byte onwards>
    • 0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A -> Unique binary string that identifies Proxy header version-2.
    • Supported protocols are TCP over IPv4 and TCP over IPv6. For the remaining protocols, this is UNKNOWN.
    • 13th byte – Protocol version and command.
    • 14th byte – Address and protocol family.
    • 15-16th byte – Address length in network order.
    • 17th byte onwards – Address information in network order: src IP, dst IP, src port, dst port.
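A receiver-side parser for the two formats above, as an added example (not Citrix code; function and constant names are hypothetical and the sample headers are constructed). The 107-byte v1 limit and the v2 byte values (version nibble 2, LOCAL/PROXY commands, family codes 0x11 and 0x21) are assumptions taken from the public PROXY protocol specification rather than from this page. Any malformed header raises ValueError, the case in which the appliance resets the connection.

```python
import ipaddress
import re
import struct

V2_SIG = bytes.fromhex("0D0A0D0A000D0A515549540A")  # 12-byte v2 signature
V1_RE = re.compile(rb"PROXY (?:UNKNOWN[^\r\n]*|(TCP[46]) (\S+) (\S+) (\d{1,5}) (\d{1,5}))\r\n")
V2_FAMILIES = {0x11: ("TCP4", "!4s4sHH"), 0x21: ("TCP6", "!16s16sHH")}  # 14th byte
# Constructed sample headers (not captured traffic).
SAMPLE_V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 80\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = V2_SIG + bytes.fromhex("21 11 000c c000020a c6336405 c822 0050")

def parse_proxy_header(data: bytes):
    """Return (version, proto, src_ip, dst_ip, src_port, dst_port, header_len)."""
    if data.startswith(V2_SIG):
        return _parse_v2(data)
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    raise ValueError("no proxy protocol signature")

def _parse_v1(data):
    m = V1_RE.match(data[:107])  # the v1 line, CRLF included, is at most 107 bytes
    if m is None:
        raise ValueError("malformed v1 line")
    if m.group(1) is None:  # UNKNOWN: no usable addresses
        return (1, "UNKNOWN", None, None, None, None, m.end())
    ip_cls = ipaddress.IPv4Address if m.group(1) == b"TCP4" else ipaddress.IPv6Address
    src, dst = (str(ip_cls(m.group(i).decode())) for i in (2, 3))  # ValueError if invalid
    sport, dport = int(m.group(4)), int(m.group(5))
    if max(sport, dport) > 65535:
        raise ValueError("port out of range")
    return (1, m.group(1).decode(), src, dst, sport, dport, m.end())

def _parse_v2(data):
    if len(data) < 16 or len(data) < 16 + int.from_bytes(data[14:16], "big"):
        raise ValueError("truncated v2 header")
    ver_cmd, family, addr_len = struct.unpack_from("!BBH", data, 12)
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:  # 13th byte: version 2, LOCAL or PROXY
        raise ValueError("bad version/command byte")
    if ver_cmd & 0x0F == 0 or family not in V2_FAMILIES:  # LOCAL or non-TCP family
        return (2, "UNKNOWN", None, None, None, None, 16 + addr_len)
    proto, fmt = V2_FAMILIES[family]
    if addr_len < struct.calcsize(fmt):
        raise ValueError("declared length too small for address family")
    src, dst, sport, dport = struct.unpack_from(fmt, data, 16)
    return (2, proto, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), sport, dport, 16 + addr_len)
```

The returned header_len tells the caller where the application payload starts, so the addresses are only ever read from the validated header and never from the bytes that follow it.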

Configure Proxy protocol in Citrix ADC appliance

Follow the procedure given below to configure Proxy protocol in your Citrix ADC appliance.

  1. Enable Proxy protocol as global
  2. Configure Proxy protocol for Insert operation
  3. Configure Proxy protocol for Forward operation
  4. Configure Proxy protocol for Strip operation
  5. Configure Proxy protocol for no operation

Enable Proxy protocol as global

At the command prompt, type the following:

set ns param -proxyProtocol ENABLED

Configure Proxy protocol for Insert operation

To configure proxy protocol for Insert operation, you must enable or disable the protocol on the load balancing virtual server and enable it on the service.

Add net profile with Proxy protocol disabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-1 -proxyProtocol DISABLED -proxyprotocoltxversion V1

Note

If you disable proxy protocol on your appliance, you need not set the protocol version parameter.

Add net profile with Proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-2 -proxyProtocol ENABLED -proxyprotocoltxversion V1

Add load balancing virtual server for Citrix ADC appliance 1 in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-1 http 1.1.1.1 80

Add HTTP service for Citrix ADC appliance 1 in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

add service http-service-1 2.2.2.1 http 80

Set net profile with load balancing virtual server in Citrix ADC appliance 1

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-1 -netprofile proxyprofile-1

Bind net profile with HTTP service in Citrix ADC appliance 1

At the command prompt, type the following:

bind service <service name> -netprofile <name>

Example:

bind service http-service-1 -netprofile proxyprofile-2

Configure Proxy protocol for Forward operation

To configure proxy protocol for Forward operation on the next Citrix ADC instance in the proxy layer, you must enable or disable the protocol and bind it to the virtual server or service.

Add net profile with Proxy protocol enabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-3 -proxyProtocol ENABLED -proxyprotocoltxversion V1

Add net profile with Proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-4 -proxyProtocol ENABLED -proxyprotocoltxversion V1

Add load balancing virtual server for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-2 http 2.2.2.2 80

Add HTTP service for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

add service http-service-2 3.3.3.1 http 80

Set net profile with load balancing virtual server in Citrix ADC appliance 2

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-2 -netprofile proxyprofile-3

Set net profile with HTTP service in Citrix ADC appliance 2

At the command prompt, type the following:

set service <service name> -netprofile <name>

Example:

set service http-service-2 -netprofile proxyprofile-4

Configure Proxy protocol for Strip operation

To configure proxy protocol for Strip operation, you must disable the proxy protocol on the load balancing virtual server and enable the proxy protocol on the service.

Add net profile with Proxy protocol disabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-5 -proxyProtocol DISABLED -proxyprotocoltxversion V1

Add net profile with Proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-5 -proxyProtocol DISABLED -proxyprotocoltxversion V1

Note

If you disable proxy protocol on your appliance, you need not set the protocol version parameter.

Add load balancing virtual server for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-3 http 2.2.2.2 80

Add HTTP service for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

add service http-service-3 3.3.3.1 http 80

Set net profile with load balancing virtual server in Citrix ADC appliance 2

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-3 -netprofile proxyprofile-5

Configure Proxy protocol for no operation

To configure proxy protocol for no operation, you must disable the proxy protocol on the virtual server and also on the service.

Add net profile with Proxy protocol enabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-3 -proxyProtocol ENABLED -proxyprotocoltxversion V1

Add net profile with Proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol <ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-4 -proxyProtocol ENABLED -proxyprotocoltxversion V1

Add load balancing virtual server for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-2 http 2.2.2.2 80

Add HTTP service for Citrix ADC appliance 2 in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

add service http-service-2 3.3.3.1 http 80

Set netprofile with load balancing virtual server in Citrix ADC appliance 2

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-2 -netprofile proxyprofile-3

Set net profile with HTTP service in Citrix ADC appliance 2

At the command prompt, type the following:

set service <service name> -netprofile <name>

Example:

set service http-service-2 -netprofile proxyprofile-4

Configure Proxy protocol by using Citrix ADC GUI

  1. Navigate to System > Settings > Change Global System Settings.
  2. In the Configure Global System Settings Parameters page, select the Proxy Protocol checkbox.
  3. Click OK and Close.

  4. Navigate to System > Network > Net Profiles.
  5. In the details pane, click Add to create a net profile for the load balancing virtual server.
  6. In the Net Profile page, set the following parameters:
    1. Name. Name of the net profile.
    2. Traffic Domain. Add or select the default traffic domain or a different one to configure the entity.
    3. IP address. IP address of the virtual server network.
    4. Enable Source IP Persistency. Same address specified in the net profile to communicate to servers for all sessions initiated from a particular client to the virtual server.
    5. Override LSN. USNIP or USIP settings override LSN settings for configured service or virtual server traffic.
    6. Proxy Protocol. Enable or disable proxy protocol for the load balancing virtual server.
    7. Proxy Protocol TX Version. Set proxy protocol version as V1 or V2 based on incoming data format.
    8. MBF. Disable MAC based forwarding mode.
    9. Source Port Range. Enter the source port range. Based on the range, the appliance chooses a port from the range to establish connection with the back-end servers.
  7. Click OK.

  8. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  9. In the details pane, click Add.
  10. In the Load Balancing Virtual Server page, set the basic parameters.
  11. In the Advanced Settings section, select Profiles.
  12. In the Profiles section, click the pencil icon.
  13. Select a net profile and click OK.
  14. Click Done.

  15. Navigate to Traffic Management > Load Balancing > Services.
  16. In the details pane, click Add.
  17. In the Load Balancing Service page, set the basic parameters.
  18. In the Advanced Settings section, select Profiles.
  19. In the Profiles section, click the pencil icon.
  20. Select a net profile and click OK.
  21. Click Done.

Note

If you have more than one Citrix ADC appliance as part of the proxy layer, you must set the proxy protocol configuration on each appliance for the Forward operation.
