Citrix ADC

Proxy protocol

Proxy protocol safely transports client details from client to server across Citrix ADC appliances. The appliance adds a proxy protocol header with client details and forwards it to the back-end server. Following are some of usage scenarios for proxy protocol in a Citrix ADC appliance.

  • Learning original client IP address
  • Selecting a language for a website
  • Blacklisting selected IP addresses
  • Logging and collecting statistics.

Following are the three modes of operation:

  • Insert. The appliance inserts the client details and sends it to the back-end server.
  • Forward. The appliance forwards the client details to the back-end server.
  • Stripped. The appliance stores the client details for logging purpose. Also, if proxy protocol is not supported on the back-end server, sends the client details to the server by using the rewrite policy configuration

Limitations

The proxy protocol feature is not supported in TFO and MultiPath TCP features.

How proxy protocol works in a Citrix ADC appliance

The following flow diagrams show how you can configure Proxy protocol across Citrix ADC appliances for Insert, Forwards, and Stripped operation:

Insert operation

Insert operation

The component interact is as follows:

  • At Citrix ADC instance, you must enable proxy protocol in the netprofile and bind it to the service.
  • In Insert operation, Citrix ADC adds a proxy header with client connection details and forwards it to the back-end server.
  • On the sending side, the appliance decides the proxy protocol version based on CLI configuration.

Forward operation

Forward operation

The component interact is as follows:

  • A client sends a request along with proxy header to Citrix ADC. The appliance dynamically identifies the version.
  • At Citrix ADC appliance, it is a Forward operation. The proxy protocol is enabled on load balancing virtual server or content switching virtual server and enabled on the service. The appliance receives the proxy header and forwards the header details to the back-end server.
  • If the proxy header details are in invalid format, the appliance resets the connection.
  • On the sending side, the appliance decides the proxy protocol version based on CLI configuration.

Stripped operation

Stripped operation

The component interact is as follows:

  • A client sends a request along with a proxy header to the Citrix ADC appliance.
  • At Citrix ADC appliance, if it is a Stripped operation, the appliance forwards the client information obtained from proxy protocol and inserts it into the HTTP header using rewrite policy expressions.
  • The client details such as source IP address, destination IP address, source port, and destination port are added in HTTP header using rewrite policy expressions. The rewrite policy evaluates the expression and if “true,” the corresponding rewrite policy action is triggered. And the client details are forwarded to the back-end server in HTTP header.
  • If the proxy header details are in invalid format, the appliance resets the connection.

Proxy protocol version formats

The Proxy protocol version is available as two formats. The appliance decides to use a format based on the incoming data length. For detailed information, see Proxy Protocol RFP.

  1. Proxy protocol version-1 format

    PROXY TCP4/TCP6/UNKNOWN <SRC IP> <DST IP> <SRC PORT> <DST PORT>

    • PROXY -> Unique string format for Proxy header version -1.
    • Support protocols TCP over IPv4 and TCP over IPv6. For remaining protocols, this is UNKNOWN.
    • SRC IP – Source IP (Original Client IP) address of a packet.
    • DST IP – Destination IP address of a packet.
    • SRC port – Source port of a packet.
    • DST port – Destination port of a packet.
  2. Proxy protocol version-2 format

    0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A <13th byte> <14th byte> <15-16th byte> <17th byte onwards>

    • D 0A 0D 0A 00 0D 0A 51 55 49 54 0A -> Unique binary string for Proxy header version -2.
    • Support protocols TCP over IPv4 and TCP over IPv6. For remaining protocols, this is UNKNOWN.
    • 13th byte – protocol version and command.
    • 14th byte – address and protocol family.
    • 15-16th byte – Address length in network order.
    • 17th byte onwards – Addresses info present in network order- src IP, dst IP, src port, dst port.

Configure Proxy protocol in Citrix ADC appliance

Following the procedure given below to configure Proxy protocol in your Citrix ADC appliance.

  1. Enable proxy protocol as global.
  2. Configure proxy protocol for Insert operation
  3. Configure proxy protocol for Forward operation
  4. Configure proxy protocol for Strip operation
  5. Configure proxy protocol for no operation

Enable proxy protocol as global

At the command prompt, type the following:

set ns param –proxyProtocol ENABLED

Configure proxy protocol for Insert operation

To configure proxy protocol for Insert operation, you must enable or disable the protocol on the load balancing virtual server and enable it on the service.

Add net profile with Proxy protocol disabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

Add netprofile proxyprofile-1 –proxyProtocol DISABLED –proxyprotocoltxversion V1

Note:

If you disable proxy protocol on your appliance, you need not set the protocol version parameter.

Add net profile with a proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-2 –proxyProtocol ENABLED –proxyprotocoltxversion V1

Add load balancing virtual server for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-1 http 1.1.1.1 80

Add HTTP service for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

Add service http-service-1 2.2.2.1 http 80

Set net profile with load balancing virtual server in Citrix ADC appliance

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-1 –netprofile proxyProfile-1

Set net profile with HTTP service in Citrix ADC appliance

At the command prompt, type the following:

set service <service name> –netprofile <name>

Example:

set service http-service-1 –netprofile proxyProfile-1

Configure proxy protocol for forward operation

To configure the proxy protocol for Forward operation for the next Citrix ADC instance in the proxy layer. You must enable or disable the protocol and bind to the virtual server or service.

Add net profile with proxy protocol enabled for load balancing virtual server

At the command prompt, type the following:

add netprofile <name> -proxyProtocol ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-3 –proxyProtocol ENABLED –proxyprotocoltxversion V1

Add net profile with proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol ENABLED/DISABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-4 –proxyProtocol ENABLED –proxyprotocoltxversion V1

Add load balancing virtual server for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-2 http 2.2.2.2 80

Add HTTP service for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

Add service http-service-2 3.3.3.1 http 80

Set net profile with load balancing virtual server in Citrix ADC appliance

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example:

set lb vserver lbvserver-2 –netprofile proxyProfile-3

Set net profile with HTTP service in Citrix ADC appliance

At the command prompt, type the following:

set service <service name> –netprofile <name>

Example:

set service http-service-2 –netprofile proxyProfile-4

Configure proxy protocol for strip operation

To configure proxy protocol for strip operation, you must disable the proxy protocol on the load balancing virtual server and enable the proxy protocol on the service.

Add net profile with proxy protocol enabled for service

At the command prompt, type the following:

add netprofile <name> -proxyProtocol ENABLED> -proxyprotocoltxversion <V1/V2>

Example:

add netprofile proxyprofile-5 –proxyProtocol ENABLED –proxyprotocoltxversion V1

Add load balancing or content switching virtual server for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add lb vserver <name>@ <serviceType> [(<IPAddress>@ <port>)]

Example:

add lb vserver lbvserver-3 http 2.2.2.2 80

Add HTTP service for Citrix ADC appliance in the proxy layer

At the command prompt, type the following:

add service <name>@ (<IP>@ | <serverName>@) <serviceType> <port>

Example:

Add service http-service-3 3.3.3.1 http 80

Set net profile with load balancing or content switching virtual server in Citrix ADC appliance

At the command prompt, type the following:

set lb vserver <vserver name> -netprofile <name>

Example: set lb vserver lbvserver-3 –netprofile proxyProfile-5

Set net profile with HTTP service in Citrix ADC appliance

At the command prompt, type the following:

set service <service name> –netprofile <name>

Example:

set service http-service-3 –netprofile proxyProfile-6

Add rewrite action to forward the HTTP header to back-end server

At the command prompt, type the following:

add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-pattern <expression> | -search <expression>] [-refineSearch <expression>] [-comment <string>]

Add rewrite policy to forward the HTTP header to backend-server

At the command prompt, type the following:

add rewrite policy <name> <rule> <action> [<undefAction>] [-comment <string>] [-logAction <string>]

Bind rewrite policy global or virtual server

At the command prompt, type the following:

bind rewrite global <policyName> <priority> [<gotoPriorityExpression>] [-type <type>] [-invoke (<labelType> <labelName>) ]

Example:

add rewrite action insert_client_ip_act  insert_http_header X-client-IP CLIENT.PROXY.SRCIP_STR
add rewrite policy insert_client_ip_pol true insert_client_ip_act
bind rewrite global insert_client_ip_pol 90 END -type REQ_OVERRIDE
add rewrite action insert_destination_ip_act insert_http_header X-destination-IP CLIENT.PROXY.DSTIP_STR
add rewrite policy insert_destination_ip_pol true insert_destination_ip_act
bind rewrite global insert_destination_ip_pol 90 END -type REQ_OVERRIDE
add rewrite action insert_source_port_act insert_http_header X-source-port CLIENT.PROXY.SRCPORT
add rewrite policy insert_ source_port _pol true insert_source_port_act
bind rewrite global insert_ source_port _pol 90 END -type REQ_OVERRIDE

add rewrite action insert_destination_port_act insert_http_header X-destination-port CLIENT.PROXY.DSTPORT
add rewrite policy insert_destination_port _pol true insert_destination_port_act
bind rewrite global insert_destination_port _pol 90 END -type REQ_OVERRIDE

Configure Proxy protocol by using Citrix ADC GUI

  1. Navigate to System > Settings > Change Global System Settings.
  2. In the Configure Global System Settings Parameters page, select Proxy Protocol check box.
  3. Click OK and Close.

    Proxy protocol page

  4. Navigate to System > Network > Net Profiles.
  5. In the details pane, click Add to create a net profile for the load balancing virtual server.
  6. In the Net Profile page, set the following parameters:
    1. Name. Name of the net profile.
    2. Proxy Protocol. Enable or disable proxy protocol for the load balancing virtual server.
    3. Proxy Protocol TX Version. Set proxy protocol version as V1 or V2 based on incoming data format.
  7. Click OK.

    localized image

  8. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  9. In the details pane, click Add.
  10. In the Load Balancing Virtual Server page, the set the basic parameters.
  11. In the Advanced Settings section, select Profiles.
  12. In the Profiles section, click the pencil icon.
  13. Select a net profile and click OK.
  14. Click Done.

    localized image

  15. Navigate to Traffic Management > Load Balancing > Services.
  16. In the details pane, click Add.
  17. In the Load Balancing Service page, set the basic parameters.
  18. In the Advanced Settings section, select Profiles.
  19. In the Profiles section, click the pencil icon.
  20. Select a net profile and click OK.
  21. Click Done.

Note:

If you have more than one Citrix ADC appliance as part of the proxy layer, you must set the proxy protocol configuration on each appliance for the Forward operation.

Proxy protocol configuration

Proxy protocol