DNS resolver iRule
Hello S Blakely,
Thanks for your quick and detailed response. Here are our details:
Virtual Server configured with a VIP address
HTTP Profile - http-explicit, **http-explicit-proxy-vip**, external-resolver,
**Customer specific profile inheriting http-explicit parent profile settings
Referring to the previous questions and your answers:
- No - either the request is passed on to a Proxy server pool member, or is directly proxied by the F5 using the http profile (with the Explicit Proxy mode set). In either case, the traffic is arriving on port 8080.
- The traffic is arriving on port client-side or server-side, please clarify this statement? The communication needs to be on port 443 on the internet side after the traffic leaves the proxy. The internet side is expecting a request on port 443 not 8080.
- I've modified the iRule now with your details above. Awaiting a testing window from the customer.
Again really appreciate the help with this. Thanks.
OK - so the virtual is acting as an explicit proxy.
Client side traffic is port 8080 and unencrypted.
The http profile (explicit proxy) sees an incoming CONNECT request to tools.cisco.com:443
At this point the BigIP uses the configured DNS resolver to resolve tools.cisco.com, and opens a TCP connection to port 443 - this is automatic, and uses the host:port combination in the URI of the CONNECT request.
The http profile responds to the client with an HTTP/1.0 200 OK to establish the proxy tunnel, and the client then sends a TLS ClientHello. This uses the existing port 8080 connection from the client to the BigIP virtual, and the BigIP translates this to the port 443 connection on the server-side.
From this point on, the BigIP is just a relay, passing the TLS packets from client to destination server, in the same way any HTTP proxy does - no snooping, no interfering - just port and address translation.
If you want to look inside those packets, you need F5 SSLO, and that's a whole other story.
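The CONNECT flow described in the reply above, as an added example that is not part of the original posts and is not F5 code: a small Python stand-in for an explicit proxy, run on loopback, showing that the server-side port is taken from the CONNECT authority rather than from the listener port, and that the bytes after the 200 are relayed unmodified. The function names, the loopback listeners and the "ClientHello" bytes are constructed for the illustration.

```python
import socket
import threading

def parse_connect(head: bytes):
    """Return (host, port) from the request line 'CONNECT host:port HTTP/1.x'."""
    method, authority, _version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = authority.rpartition(":")  # IPv6 literals are not handled here
    return host, int(port)

def relay(src, dst):
    """Copy bytes unmodified until src closes; the payload is never inspected."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # the other side already closed

def proxy_once(listener):
    client, _ = listener.accept()
    head = b""
    while b"\r\n\r\n" not in head:
        head += client.recv(4096)
    # The server-side port comes from the CONNECT authority, not from the listener port.
    upstream = socket.create_connection(parse_connect(head))
    client.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
    threading.Thread(target=relay, args=(upstream, client), daemon=True).start()
    relay(client, upstream)

def origin_once(listener):
    conn, _ = listener.accept()  # constructed stand-in for the destination server
    conn.sendall(b"origin saw: " + conn.recv(4096))
    conn.close()

def demo():
    origin = socket.create_server(("127.0.0.1", 0))  # plays the role of host:443
    proxy = socket.create_server(("127.0.0.1", 0))   # plays the role of the port 8080 virtual
    origin_port, proxy_port = origin.getsockname()[1], proxy.getsockname()[1]
    for target, sock in ((origin_once, origin), (proxy_once, proxy)):
        threading.Thread(target=target, args=(sock,), daemon=True).start()
    client = socket.create_connection(("127.0.0.1", proxy_port))
    client.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\n\r\n".encode())
    status = b""
    while b"\r\n\r\n" not in status:
        status += client.recv(4096)
    client.sendall(b"\x16\x03\x01 constructed-clienthello")  # opaque to the proxy
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    return proxy_port, origin_port, status, reply
```

`demo()` returns the two distinct ports, the proxy's status line, and the origin's reply, which contains the client's bytes exactly as sent.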