DataPower

 View Only
Expand all | Collapse all

IBM Datapower and "The PROXY Protocol"

  • 1.  IBM Datapower and "The PROXY Protocol"

    Posted Wed May 18, 2022 04:47 AM
    Hello

    Has anyone had any experience with IBM Datapower and "The PROXY Protocol": (The Proxy Protocol was designed to chain proxies / reverse-proxies without losing the client information),

    See here:
    • https://www.haproxy.com/de/blog/haproxy/proxy-protocol/
    • https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
    Since our WSG is SSL endpoint, we only see the IP source address of the upstream load balancers, they can't integrate "HTTP X-Forward" in the header since the traffic is encrypted.

    We need to be SSL endpoint as we are checking the client certificate.

    With the "Proxy Protocol" there seems to be a solution to get the real source IP address.

    Many greetings
    Andreas

    ------------------------------
    Andreas Brand
    ------------------------------


  • 2.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Thu May 19, 2022 08:09 AM
    I suppose using AO isn't an option for you?

    ------------------------------
    Joseph Morgan
    ------------------------------



  • 3.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Fri May 20, 2022 02:51 PM
    Hi Joseph

    I'm afraid I don't understand what "AO" is.

    Regards
    Andreas

    ------------------------------
    Andreas Brand
    ------------------------------



  • 4.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Fri May 20, 2022 03:07 PM
    AO is the Application Optimization module allowing you to remove the load balancer in front of your appliances and expose a VIP where the appliances do their own front side load balancing.

    This way, you get the client IP directly.


    ------------------------------
    Joseph Morgan
    ------------------------------



  • 5.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Fri May 20, 2022 03:15 PM
    Hi Joseph

    Thanks for the quick reply :)

    We have already thought about a similar scenario, but at the moment we are in a situation where we have to rely on the load balancers, so to speak force majeure.

    Thanks and have a nice weekend
    Andreas

    ------------------------------
    Andreas Brand
    ------------------------------



  • 6.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Fri May 20, 2022 01:06 AM
    Hi Andreas,

    What is the problem statement here? Why do you need source IP address for SSL endpoint?

    ------------------------------
    Ajitabh Sharma
    ------------------------------



  • 7.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Fri May 20, 2022 03:09 PM
    Hello Ajitabh,
    Thank you for asking:

    The following scenario

    Consumer --> LB L4 (pass throu) --> WSG --> Service
    \--------- encrypted -----------/

    Loadbalancer (LB) provider is another company, they support "proxy protocol".

    • WSG is SSL endpoint, to be able to check consumer's certificate in different cases.
    • we also support ssl connections without certificate (with token), we found consumers using invalid tokens, we want to identify them by ip address -> in http header we see only IP address of loadbalancer
    • the LB can't set "X-Forwarded-For" because the traffic is encrypted.

    Since the loadbalancer provider supports "Proxy Protocol", it would be very helpful if Datapower could do this too. Unfortunately there is no information about this.

    Probably I have to start a request to the support.

    Regards, 
    Andreas

    ------------------------------
    Andreas Brand
    ------------------------------



  • 8.  RE: IBM Datapower and "The PROXY Protocol"

    IBM Champion
    Posted Mon May 23, 2022 02:49 AM
    Hi Andreas,

    so the reason for requiring the client IP is to identify the consumers that are using invalid tokens? How are they invalid? Wrong claims or cannot even be deciphered? 

    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 9.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Wed May 25, 2022 05:16 AM
    The consumer used an expired token, it is a test user that many external companies are allowed to use. In this case, it would have helped a lot if we had the IP addresses of the source.

    ------------------------------
    Andreas Brand
    ------------------------------



  • 10.  RE: IBM Datapower and "The PROXY Protocol"

    IBM Champion
    Posted Wed May 25, 2022 06:55 AM
    I'm thinking that using a shared user id even in test environment isn't really recommended. It makes proofing any misconduct extremely difficult.
    for example all the clients that I work with have a policy that strictly prohibits of sharing any id's or credentials (event technical ones) between different parties.

    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 11.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Wed May 25, 2022 07:13 AM
    Hi Hermannii

    You are completely right.

    Nevertheless, the source IP address is very useful, e.g. if the token was "hijacked".

    ------------------------------
    Andreas Brand
    ------------------------------



  • 12.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Mon May 23, 2022 05:42 AM
    • WSG is SSL endpoint, to be able to check consumer's certificate in different cases.
    [Ajitabh]: This is good. I hope you are getting client cert and is able to successfully use AAA to validate client cert
    • We also support ssl connections without certificate (with token), we found consumers using invalid tokens, we want to identify them by ip address -> in http header we see only IP address of loadbalancer
    • the LB can't set "X-Forwarded-For" because the traffic is encrypted.
    [Ajitabh]: Use AAA Policy in this case. The identity extraction page should looks something like below:


    and the Authenticate settings should use custom template to validate either the token or IP address.




    ------------------------------
    Ajitabh Sharma
    ------------------------------



  • 13.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Wed May 25, 2022 04:59 AM
    Thanks, I am trying to rebuild the AAA policy to log the IP address - I am wondering which IP address I am seeing. The one from the client or the one from the load balancer.

    ------------------------------
    Andreas Brand
    ------------------------------



  • 14.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Wed May 25, 2022 10:27 AM

    Hi Andreas,

     

    It depends if NAT is used in LB or not? If not we should see client IP in DataPower.

     

    In my case, when I experimented with nginx load balancer (configured for L4 load balancing), I can see docker0 translated IP address shown on DataPower (I am running a DataPower docker instance inside WSL on windows). This let's me believe that if things are correct, we should be able to see client IP on DataPower.

     

    Regards,

    -Ajitabh Sharma

     






  • 15.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Mon May 23, 2022 07:07 AM
    DataPower only supports the CONNECT method outgoing from the appliance (to a backend) -- not incoming to the front side handler.

    Here is the technote on the topic: https://www.ibm.com/support/pages/how-proxy-ssl-request-datapower-remote-proxy-server

    I would encourage submitting a feature request through the ideas site since support cannot assist you on unsupported features: https://integration-development.ideas.ibm.com/ideas

    ------------------------------
    DOMINIC MICALE
    ------------------------------



  • 16.  RE: IBM Datapower and "The PROXY Protocol"

    Posted Wed May 25, 2022 04:48 AM
    Thank you for the information, I am considering submitting a feature request.

    ------------------------------
    Andreas Brand
    ------------------------------