Description
- Advanced configuration options for new Proxies or Applications in the Proxy / App Management section of the Portal. Available options vary by selected Service.
- More details on Proxy / App config:
- Links to other Application Configuration options in Related Content
Environment
- Silverline WAF
- Silverline DDoS Protection
- Proxies / Proxy
Procedures
Advanced Options
- Load Balancing Method
- TCP Optimization Profile
- Client Connection Idle Timeout
- Insert X-Forwarded-For Header
- Multiplex HTTP(s) Requests to Server
- Alternative Trusted Source Header
- HTTP(S) Object Cache
- Use Cookie Persistence
Load Balancing Method
Note: This option only appears if you’ve added more than one back end server during Configuration of Applications or Proxies.
Load Balancing Method determines the priority order of back-end servers when the proxy is attempting to connect.
- Some methods take the priority order into account. Set the priority order by dragging and dropping the Back End IPs/FQDNs on the Proxy Configuration page. Entries nearer the top of the list have higher priority.
(above image: This proxy has more than 1 Back End IP set up on the Proxy Configuration page.)
The load balancing method is also used when the DNS lookup for the back-end server's FQDN returns more than one IP address.
Load Balancing Method Options
- Default is Round Robin (RR): The system passes each new connection request to the next back end server in line, eventually distributing connections evenly across the array of machines being load balanced.
- Priority Group Activation (PGA): Connections are first distributed to the first back-end server (highest priority) listed in the individual proxy's Front End and Back End IP configuration section. If the first back-end server fails, traffic is directed to the second back-end server in the list. (Note: You can drag and drop to change the priority order; entries nearer the top of the list have higher priority.)
- Least Connections (LCON): The system passes a new connection to the node that has the least number of current connections in your list of backend IP addresses.
- Observed: Observed method tracks the number of Layer 4 connections to each backend server over time and creates a ratio for load balancing.
- Predictive: Similar to the Observed method, with an additional calculation that measures the trend in server performance. If the trend shows a server's performance improving, that server gets more connections.
TCP Optimization Profile
The TCP profile allows you to specify how a BIG-IP virtual server processes TCP traffic. The options are Legacy, Modern, or Mobile, which are based on BIG-IP TCP profiles.
More details here: Q&A: What Are The Differences Between the TCP Optimization Profiles on my Proxy?
Client Connection Idle Timeout
If the client doesn't interact with the application/site for x amount of time, the Silverline proxy resets the connection.
- Client Connection Idle Timeout - this setting configures the time in seconds for x
- Default time: 60 seconds
- How to Modify the Client Connection Idle Timeout
Insert X-Forwarded-For Header
If the "Insert X-Forwarded-For Header" checkbox is checked, an X-Forwarded-For header is added to the request sent to the backend:
    User-Agent: Wget/1.14 (darwin12.4.0)
    Accept: */*
    Host: www.customer.com
    Connection: Keep-Alive
    X-Forwarded-For: 1.1.1.1
    Via: 1.1 sjc1-44
If an X-Forwarded-For header is received by the Silverline infrastructure, a new X-Forwarded-For header is simply added:
    User-Agent: Wget/1.14 (darwin12.4.0)
    Accept: */*
    Host: www.customer.com
    Connection: Keep-Alive
    X-Forwarded-For: 1.1.1.1
    X-Forwarded-For: 2.2.2.2
    Via: 1.1 sjc1-44
If required by the customer, Silverline can modify the above behavior by implementing iRules.
Option 1: Append the IP to the existing X-Forwarded-For header.
Sample iRule:
    when HTTP_REQUEST {
        # Append the client address to an existing header, or insert a new one
        if { [HTTP::header exists X-Forwarded-For] } {
            HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
        } else {
            HTTP::header insert X-Forwarded-For [IP::client_addr]
        }
    }
Option 2: If an X-Forwarded-For header is received by the Silverline infrastructure, do not add a new X-Forwarded-For header:
Sample iRule:
    when HTTP_REQUEST {
        # Insert the header only when the request did not already carry one
        if { !([HTTP::header exists "X-Forwarded-For"]) } {
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
        }
    }
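Added example (not part of the original article and not F5 code): a Python model of what the backend receives under the two sample iRules when a request already carries an X-Forwarded-For value, and which entry the backend can attribute to the proxy. The addresses, PEER, REQUEST and all function names are constructed for illustration.

```python
import ipaddress

XFF = "X-Forwarded-For"

def option1_append(headers, peer_ip):
    """Model of the Option 1 iRule: append the connecting address."""
    out = dict(headers)
    out[XFF] = f"{out[XFF]}, {peer_ip}" if XFF in out else peer_ip
    return out

def option2_keep_existing(headers, peer_ip):
    """Model of the Option 2 iRule: insert only if no header was received."""
    out = dict(headers)
    out.setdefault(XFF, peer_ip)
    return out

def xff_chain(headers):
    """Return the header's entries as validated addresses, left to right."""
    chain = []
    for item in headers.get(XFF, "").split(","):
        item = item.strip()
        if item:
            # ip_address() raises ValueError on anything that is not an IP
            chain.append(str(ipaddress.ip_address(item)))
    return chain

def rightmost_ip(headers):
    """Last entry of the chain, or None when the header is absent."""
    chain = xff_chain(headers)
    return chain[-1] if chain else None

# Constructed sample values (documentation address ranges), not from the page.
PEER = "198.51.100.7"  # address the proxy sees on the client connection
REQUEST = {"Host": "www.customer.com", XFF: "203.0.113.50"}  # header sent by client

if __name__ == "__main__":
    for name, rule in (("Option 1", option1_append), ("Option 2", option2_keep_existing)):
        seen = rule(REQUEST, PEER)
        print(name, xff_chain(seen), "rightmost is peer:", rightmost_ip(seen) == PEER)
```

Under Option 1 the rightmost entry is always the address the proxy observed. Under Option 2 a request that arrives with its own header reaches the backend with that value unchanged, so the backend should rely on it only when the sender is a known upstream such as a CDN.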
Multiplex HTTP(s) Requests to Server
This function allows for improved back end server performance by multiplexing concurrent TCP connections into one when communicating with the back-end servers.
Alternative Trusted Source Header
If your traffic passes through a CDN or another security provider before reaching Silverline, this is where you put their unique header that identifies the original Source IP. This helps Silverline identify the true source of traffic and make relevant decisions (such as denylisting specific IPs).
If you enable "Alternative Trusted Source Header", be sure to disable "Insert XFF".
- Otherwise, this can lead to issues like the one described in Issue / Solution: L7 DDoS Profile Identifies CDN IP instead of the IP in the Alternative Source Header or XFF HTTP Header
HTTP(S) Object Cache
See Proxy Configuration Advanced Options: HTTP(S) Object Cache
Use Cookie Persistence
Related Content
- Other Configuration Options:
- How to Modify the Client Connection Idle Timeout
- Q&A: What Are The Differences Between the TCP Optimization Profiles on my Proxy?
- Proxy Configuration Advanced Options: HTTP(S) Object Cache
- Q&A: What is Cookie Persistence?
- How to Enable Cookie Persistence