How to Configure Advanced (Proxy)

 

Description

• Advanced configuration options for new Proxies or Applications in Proxy / App Management section of Portal. Available options vary by selected Service.
• More details on Proxy / App config:
  • How to Configure a Proxy for HTTP / SSL HTTP / WAF Proxy Service Type
  • How to Configure a Proxy for TCP / UDP / DNS Service Type
• Links to other Application Configuration options in Related Content

 

Environment

• Silverline WAF
• Silverline DDoS Protection
• Proxies / Proxy
  • HTTP Redirect / SSL HTTP / WAF
  • TCP / UDP / DNS Service

 

Procedures

Advanced Options

• Load Balancing Method
• TCP Optimization Profile
• Client Connection Idle Timeout
• Insert X-Forwarded-For Header
• Multiplex HTTP(s) Requests to Server
• Alternative Trusted Source Header
• HTTP(S) Object Cache
• Use Cookie Persistence

 

Load Balancing Method

Note: This option only appears if you’ve added more than one back end server during Configuration of Applications or Proxies.

Load Balancing Method determines the priority order of back-end servers when the proxy is attempting to connect.

• For some methods, the priority order is considered. Set the priority order by dragging-and-dropping the Back End IPs/FQDNs on the Proxy Configuration page. Top of the list is higher priority than lower in list.
• (above image: This proxy has more than 1 Back End IP set up on the Proxy Configuration page.)

The load balancing method is also used when the DNS lookup for the back-end server's FQDN returns more than one IP address. 

Load Balancing Method Options

• Default is Round Robin (RR): The system passes each new connection request to the next back end server in line, eventually distributing connections evenly across the array of machines being load balanced.
• Priority Group Activation (PGA): Connections are first distributed to the first back-end server (highest priority) listed on the individual proxy's Front End and Back End IP configuration section (Note: You can drag-and-drop to change the priority order: Top of the list is higher priority than lower in list.) If the first backend server fails, traffic is directed to the second backend server in the list.
• Least Connections (LCON): The system passes a new connection to the node that has the least number of current connections in your list of backend IP addresses.
• Observed: Observed method tracks the number of Layer 4 connections to each backend server over time and creates a ratio for load balancing.
• Predictive: Similar to the Observed method with an additional calculation that measures the trend in server performance. If the trend shows an improved performance of a server it will get more connections.

 

TCP Optimization Profile

The TCP profile allows you to specify how a BIG-IP virtual server processes TCP traffic. The options are Legacy, Modern, or Mobile, which are based on BIG-IP TCP profiles.

More details here: Q&A: What Are The Differences Between the TCP Optimization Profiles on my Proxy?

 

Client Connection Idle Timeout

If client doesn't interact with the application/site for x amount of time, then Silverline proxy resets the connection

• Client Connection Idle Timeout - this setting configures the time in seconds for x
• Default time: 60 seconds
• How to Modify the Client Connection Idle Timeout

  

Insert X-Forwarded-For Header

If the "Insert X-Forwarded-For Header" checkbox is checked, the X-Forwarded-For header will be added via the request header to the backend:

User-Agent: Wget/1.14 (darwin12.4.0)
 Accept: */*
 Host: www.customer.com
 Connection: Keep-Alive
 X-Forwarded-For: 1.1.1.1
 Via: 1.1 sjc1-44

If an X-Forwarded-For variable is received by the Silverline infrastructure, a new X-Forwarded-For header is simply added:

User-Agent: Wget/1.14 (darwin12.4.0)
 Accept: */*
 Host: www.customer.com
 Connection: Keep-Alive
 X-Forwarded-For: 1.1.1.1
 X-Forwarded-For: 2.2.2.2
 Via: 1.1 sjc1-44

 

If required by the customer, Silverline can modify the above behavior by implementing iRules.

Option 1: Append the IP to the existing X-Forwarded-For header.

Sample iRule:

when HTTP_REQUEST { 
    if {[HTTP::header exists X-Forwarded-For]}{ 
        HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]" 
    } else { 
        HTTP::header insert X-Forwarded-For [IP::client_addr] 
    } 
 }

Option 2: If an X-Forwarded-For header is received by the Silverline infrastructure, do not add a new X-Forwarded-For header:

Sample iRule:

when HTTP_REQUEST {
   if { !([HTTP::header exists "X-Forwarded-For"])} {
        HTTP::header insert x-Forwarded-For [IP::remote_addr]
   }
 }

 

Multiplex HTTP(s) Requests to Server

This function allows for improved back end server performance by multiplexing concurrent TCP connections into one when communicating with the back-end servers.

 

Alternative Trusted Source Header

If your traffic passes through a CDN or another security provider before reaching Silverline, this is where you put their unique header that identifies the original Source IP. This helps Silverline identify the true source of traffic and make relevant decisions (such as denylisting specific IPs).

If you Enable "Alternative Trusted Source Header,  be sure to disable "Insert XFF."

• Otherwise can lead to Issue like Issue / Solution: L7 DDoS Profile Identifies CDN IP instead of the IP in the Alternative Source Header or XFF HTTP Header

 

HTTP(S) Object Cache

See Proxy Configuration Advanced Options: HTTP(S) Object Cache

 

Use Cookie Persistence

• Q&A: What is Cookie Persistence?
• How to Enable Cookie Persistence

 

Related Content

• Other Configuration Options: 
  • Security Policies
  • Certificates
  • Monitors
  • iRules
  • Ports
  • Advanced
• How to Modify the Client Connection Idle Timeout
• Q&A: What Are The Differences Between the TCP Optimization Profiles on my Proxy?
• Proxy Configuration Advanced Options: HTTP(S) Object Cache
• Q&A: What is Cookie Persistence?
• How to Enable Cookie Persistence