
Forum Discussion

mart_58302
Sep 23, 2008

Destination based redirect irule, a'la cache.pac implementing?

Hello.

We are using the F5 as the gateway in front of our proxy servers, and everything works fine, but because of the routing on the proxies, if the client's destination is the local network the proxies cannot connect to the local network. So the web browsers use a cache.pac which defines that if the destination is the local network, the traffic goes directly, not via the F5. Example:

function FindProxyForURL(url, host) {
    // Only bare IPv4 literals are tested. The shExpMatch() guard (a shell-glob
    // test for any character other than a digit or a dot) keeps isInNet() from
    // doing a DNS lookup for every hostname the browser asks about.
    if (shExpMatch(host, "*[^0123456789.]*") == false) {
        // Local ranges the proxies cannot reach: go straight there.
        if (isInNet(host, "127.0.0.0", "255.0.0.0")
            || isInNet(host, "172.17.0.0", "255.255.0.0")
            || isInNet(host, "172.18.0.0", "255.255.0.0")) {
            return "DIRECT";
        }
    }
    // Everything else (public IPs and all hostnames) goes via the proxy gateway.
    // Note the function closes with "}" and that hostnames reach this return;
    // with the original unbraced if/else they fell off the end of the function.
    return "PROXY proxygateway.internal:8080; DIRECT";
}


But clients who cannot read or use the cache.pac cannot connect to the local network at all, so is it possible with an iRule on the F5 to do the same thing as the cache.pac: if the destination is the local network, the F5 sends all that traffic to the network directly, without any NAT/SNAT?

35 Replies

  • hoolio
    Hi Mart,

    I tested a simple HTTP proxy rule which resolved the hostname for non-IP requests and sent the request to the correct destination. But to even support all of the RFCs for HTTP proxies in an iRule would be really complicated. To try to support multiple proxy types in an iRule would be near impossible.

    Sorry to lead you on a bit of a goose chase with this...

    Aaron
  • mart_58302
    Don't worry.

    But one more question: can I catch the HTTPS traffic without an HTTP etc. profile (I have licenses to intercept SSL) and transfer it to specific proxies? You see, I have 4 proxies and only two have an SSL interception card, so the idea is to send all HTTPS traffic only to those proxies.

     

  • hoolio
    Hi Mart,

    Do you want to match HTTPS traffic on port 443, decrypt it and send it to a pool? Or do you want to match HTTPS tunneled over HTTP from clients using the CONNECT HTTP method?

    Aaron
  • mart_58302
    I think the second option, but as I don't use an HTTP profile, can I match the HTTPS traffic at all?
  • I'm reopening this problem, as the new proxy is now pure HTTP/HTTPS, so I can use iRules. Can this redirection be done so that if the DST IP is from the subnets 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, then the connection is made using the F5 IP for NAT?

    Is this possible?
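The following is an added example, not code from the original poster or from F5: it takes the cache.pac decision from the first post and the RFC 1918 destination test from the last post and writes them as plain JavaScript with a real CIDR matcher, so the PAC logic can be run and unit-tested under Node before it is pushed to browsers. The proxy name, the network list and the optional resolver argument are assumptions for the illustration.

```javascript
// Added example (not from the original thread): PAC-style destination decision
// with a CIDR matcher, testable outside a browser. Names here are assumptions.

// Destinations that must bypass the proxy because the proxies cannot route to
// them. 127.0.0.0/8 comes from the original PAC; 10/8, 172.16/12 and 192.168/16
// are the RFC 1918 ranges from the last post. 172.16.0.0/12 already contains
// the original 172.17.0.0/16 and 172.18.0.0/16.
const DIRECT_NETS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Proxy string as in the original PAC. Caveat: the trailing "; DIRECT" tells the
// browser to go straight to the Internet whenever the proxy is unreachable,
// which silently bypasses whatever the gateway enforces. Drop it if that
// fail-open behaviour is not acceptable.
const PROXY_RETURN = "PROXY proxygateway.internal:8080; DIRECT";

// Parse a dotted-quad IPv4 literal to an unsigned integer, or null if it is not
// one. Plain arithmetic is used instead of bitwise ops so that addresses in
// 2^31..2^32-1 stay positive.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip (dotted quad) lies inside cidr ("a.b.c.d/bits"). Malformed input
// counts as "not in the network", so a bad address is proxied rather than
// trusted as local.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipToInt(ip);
  const b = ipToInt(net);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const hostBits = 2 ** (32 - bits);
  return Math.floor(a / hostBits) === Math.floor(b / hostBits);
}

function isDirectDestination(ip) {
  return DIRECT_NETS.some((net) => inCidr(ip, net));
}

// Core decision. `resolve` maps a hostname to an IPv4 string or null and is
// only called for non-literal hosts, because resolving inside a PAC blocks the
// browser on DNS. With the default resolver every hostname goes to the proxy,
// which is what the original PAC intended once its dangling `else` is fixed.
function findProxyForURL(url, host, resolve = () => null) {
  const ip = ipToInt(host) !== null ? host : resolve(host);
  if (ip !== null && isDirectDestination(ip)) return "DIRECT";
  return PROXY_RETURN;
}

// Browser entry point with the PAC name and signature. Inside a browser the
// engine supplies dnsResolve(); elsewhere it is absent and hostnames are proxied.
function FindProxyForURL(url, host) {
  const resolver = typeof dnsResolve === "function" ? dnsResolve : () => null;
  return findProxyForURL(url, host, resolver);
}

// Constructed sample destinations, printed only when a console exists (Node);
// a PAC engine without `console` must not throw while loading this file.
if (typeof console !== "undefined") {
  for (const h of ["127.0.0.1", "172.17.4.2", "172.32.0.1", "8.8.8.8", "www.example.com"]) {
    console.log(h + " -> " + FindProxyForURL("http://" + h + "/", h));
  }
}
```

Run it with `node` to see the decisions, or load it as the browser's PAC unchanged. The same decision on the F5 side would be taken in an iRule against the destination the client asked for (IP::local_addr on a forwarding virtual server), choosing between `snat none` with `forward` for the private ranges and a SNAT plus the proxy pool for everything else; the fail-open "; DIRECT" caveat does not apply there, since the F5 has no client-side fallback to bypass it.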