Proxy Protocol

Instead of files waiting in a queue for a server to become available, an EFT HA Active-Active configuration uses load balancers to distribute traffic to available EFT servers. With a load balancer in place, EFT no longer sees the original client requests; it sees requests as though they had originated from the load balancer. EFT therefore does not receive client information, such as IP address and port number, which makes it difficult to analyze traffic logs or other transfer details. Prior to EFT v8.0.5, when EFT was set up behind a load balancer such as HAProxy or F5, the originating IP address of incoming connections appeared as that of the proxy/load balancer rather than that of the originating client. (F5 has no native support for Proxy Protocol. You must create a custom iRule.)

HAProxy developed a special "Proxy Protocol" to deal with this problem, which has since been adopted by load balancer manufacturers, proxies, and servers. Proxy Protocol provides a convenient way to safely transport connection information, such as a client's address, across multiple layers of NAT or TCP proxies. It is designed to require few changes to existing components and to limit the performance impact caused by processing the transported information.

Support for Proxy Protocol version 1 was added in EFT v8.05 to both our DMZ Gateway and EFT. Proxy Protocol should only be used in conjunction with upstream load balancers or proxies that support and use Proxy Protocol; otherwise, EFT will abort inbound connections that lack the proper headers. There is no "mixed mode": if Proxy Protocol is enabled, Proxy Protocol headers are required for that Site, and connections that arrive without them are aborted. Also, Proxy Protocol is not supported for EFT as a client (that is, outbound transfers using Event Rules).

NOTE: EFT and DMZ only support Proxy Protocol version 1. Proxy Protocol version 2 is not yet supported in EFT. Proxy Protocol version 1 uses a human-readable header format; version 2 uses a binary header format. EFT cannot read binary headers, so those connections would be aborted.
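
The following added example (not EFT's or HAProxy's code) parses a version 1 header as defined in the HAProxy specification linked on this page, and shows why a binary version 2 header or a connection with no header at all ends in an abort. The function and exception names and the sample addresses are constructed for illustration.

```python
import ipaddress

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte preamble of the binary v2 header
V1_MAX_LEN = 107  # longest possible v1 line, CRLF included (per the spec)

class ProxyHeaderError(Exception):
    """The connection must be aborted: no usable v1 header."""

def parse_proxy_v1(buf: bytes):
    """Return (source, destination, payload) from the first bytes of a connection.

    source/destination are (ip, port) tuples, or None for "PROXY UNKNOWN".
    """
    if buf.startswith(V2_SIGNATURE):
        raise ProxyHeaderError("binary v2 header, only v1 is readable")
    if not buf.startswith(b"PROXY "):
        raise ProxyHeaderError("no PROXY header (there is no mixed mode)")
    end = buf.find(b"\r\n", 0, V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("header not terminated within 107 bytes")
    try:
        fields = buf[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header") from None
    payload = buf[end + 2:]  # application data (SFTP, FTP, HTTP) starts here
    if fields[1] == "UNKNOWN":
        return None, None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed v1 header")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("port is not a decimal number")
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    except ValueError:
        raise ProxyHeaderError("bad IP address") from None
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address does not match declared family")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ProxyHeaderError("port out of range")
    return (str(src), sport), (str(dst), dport), payload

# Constructed sample: what the load balancer would prepend to an SFTP connection.
SAMPLE = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 22\r\nSSH-2.0-client\r\n"

if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE))
```

Because a receiver takes the header at face value, a listener with Proxy Protocol enabled should accept connections only from the load balancer.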

To enable Proxy Protocol

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the Site that you want to configure.

  3. On the Site > Connections tab, select the Enable Proxy Protocol for all protocols enabled on the Site check box.

  4. Click Apply to save changes.

  5. Click the Proxy Protocol link to open https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt to read more.

Information for HAProxy and other load balancers

Below is an illustration showing where the load balancer is placed in relation to the EFT client and server:

The Proxy Protocol is also supported in a cluster:

How to Modify the HAProxy Configuration File in Ubuntu

The haproxy.cfg configuration file (for the HAProxy load balancer) must be edited before using it. Each protocol has its own section in the file. Each protocol you will use must be edited for:

  • Node or computer name

  • EFT or DMZ Gateway IP address. You need to enter the EFT Site's IP address if you are not using a DMZ Gateway; otherwise, use the DMZ Gateway IP address.

  • Port in use; specify the port set in EFT or DMZ Gateway

To change the configuration

  1. Add or remove the # to enable or disable the proxy flag.

  2. Make the changes to the configuration file using the IP address of your EFT Sites or DMZ Gateway.

  3. Update the relevant sections for each protocol (HTTP/S, FTP/S, SFTP).

  4. Enable the proxy protocol by setting the "send-proxy" flag.

  5. Save the changes, then restart the HAProxy service (service name = haproxy).

  6. In Ubuntu/Linux:

    • Command to restart the service:

    sudo service haproxy restart

    • Command to check the status of the service:

    sudo service haproxy status

    This is an example of what the log captures:

For other load balancers