Forum Discussion
What_Lies_Bene1
Cirrostratus
CirrostratusAutomatic Licensing via Proxy
Hi all. Is this actually possible?
I'm trying to license automatically (via API) and despite setting this;
tmsh modify sys db proxy.host value hostname 'host_name'
tmsh modify sys db proxy.port value port_number 8080
and doing this in bash;
export http_proxy=/">/
export https_proxy=/">/
I'm not getting anywhere. Initially DNS lookup was failing (shouldn't be used via a proxy right). To fix that I did this;
modify sys global-settings remote-host add { activate.f5.com { addr 208.85.210.4 hostname activate.f5.com } }
I now don't see errors of any kind in
/var/log/ltmAm I missing something?
What_Lies_Bene1DC managled the bash proxy settings bit, just ignore anything after the :8080 on each line.- What_Lies_Bene1Doesn't work with the proxy.host and .port values reset to defaults either. Doesn't work whether I make the API call on the box or remotely. Fails immediately.
Mahmoud_Eldeeb_it doesn't work
- philh_127905
Nimbostratus
I had this issue back in Nov 2013. It seemed that it was at the server side. If you make a request through a proxy you get a 400 Invalid URI response. If you don't use a proxy, you get a 200 OK.
Looks like it's still the same.
A proxy style HTTP request:
openssl s_client -connect activate.f5.com:443 ...certs etc... --- HEAD https://activate.f5.com/license/services/urn:com.f5.license.v5b.ActivationService HTTP/1.1 SOAPAction: "" Host: activate.f5.com Connection: close HTTP/1.1 400 Invalid URI Date: Tue, 30 Dec 2014 11:42:54 GMT Connection: close ...A non-proxy style HTTP request:
openssl s_client -connect activate.f5.com:443 ...certs etc... --- HEAD /license/services/urn:com.f5.license.v5b.ActivationService HTTP/1.1 SOAPAction: "" Host: activate.f5.com Connection: close HTTP/1.1 200 OK Date: Tue, 30 Dec 2014 11:43:48 GMT Content-Length: 179 Content-Type: text/html; charset=UTF-8 ...I just used HEAD because it's easier to manually debug it that way.
One for F5 I guess. I'll try and open another support ticket. You may be able to get around it if you can use transparent proxies, but it really does need fixing at the server side.
- What_Lies_Bene1Thanks. I have asked an SE but I don't have high hopes.
Cthulhucalling_Cirrus
your licensing traffic may be trying to egress via the management interface, especially if you're not seeing traffic to the proxy via tcp dump. You may need to add a static route on the managment interface. I had to do this for my F5s to reach my NTP servers via the managment interface.
- What_Lies_Bene1Thanks for the suggestion but it was supposed to be going via the mgmt interface. :-)
- philh_127905
It happens from any box, not just a BIG-IP. You don't even need a proxy, just the proxy style request is enough to trigger it. Also, we know the traffic's getting there because we get a response from the server.
Hi, I did some checking. On SOL15000 it states for activate.f5.com "The BIG-IP system does not support the use of HTTP Proxy servers when configuring automatic updates." It looks like the db key for host.* is used for the IP Reputation subscription service. On further investigation this has been raised as a RFE (Request For Enhancement) and assigned to ID502197.
- What_Lies_Bene1Thanks!
- philh_127905That's great news, thanks.
