Forum Discussion
Eldad_162351
May 25, 2015 (Nimbostratus)
F5 HTTPS Transparent to Forward Proxy Encapsulator
Hello,
My setup includes legacy clients sending https requests but cannot set their https proxy.
f5 is a transparent proxy and the goal is to dynamically forward their traffic to an externa...
Eldad_162351
Jun 01, 2015 (Nimbostratus)
The Virtual Server
ltm virtual SSL_VS {
    destination 0.0.0.0:https
    ip-protocol tcp
    mask any
    pool Squid_GW
    profiles {
        tcp { }
    }
    rules {
        HTTPS_Proxy
    }
    source 192.168.100.0/24
    translate-address disabled
    translate-port disabled
    vlans {
        SSL_Clients_Vlan
    }
    vlans_enabled
    vs-index 21
}
The iRule
ltm rule HTTPS_Proxy {
    # Tested on v10.2 version and up
    when RULE_INIT {
        # Change to "1" to enable debugging log statements
        set static::proxydebug 0
    }
    when CLIENT_ACCEPTED {
        if { $static::proxydebug != 0 } { log local0. "Client connected" }
        set bypass 0
        set bufferdata ""
        # Remember the destination the client actually asked for; it becomes
        # the target of the CONNECT request sent to the proxy
        set origdest [IP::local_addr]
        set origport [TCP::local_port]
        # 0 to make sure the server-side connection is opened right away
        TCP::collect 0 0
        set srcip [IP::client_addr]
        set my_lookup [table lookup -subtable "clients" $srcip]
        # my_lookup contains the ip and port for proxies relevant for the legacy clients
        # now parsing $my_lookup to get the destination ip as $destip and port as $destport for proxy
        # (the stored format is not shown in the post; "ip:port" is assumed here)
        if { $my_lookup eq "" } {
            if { $static::proxydebug != 0 } { log local0. "No proxy mapping for $srcip" }
            reject
            return
        }
        set destip [getfield $my_lookup ":" 1]
        set destport [getfield $my_lookup ":" 2]
    }
    when CLIENT_DATA {
        if { $static::proxydebug != 0 } { log local0. "CLIENT_DATA before is |[TCP::payload]|" }
        # accumulate until ready, release when connected
        if { $bypass eq 1 } {
            # the buffered bytes were already forwarded with TCP::respond in SERVER_DATA
            TCP::payload replace 0 [string length $bufferdata] ""
            TCP::release
            return
        }
        set bufferdata [TCP::payload]
        TCP::collect
    }
    when LB_SELECTED {
        # translating the packet to a new dest ip and port from lookup table
        node $destip $destport
    }
    when SERVER_CONNECTED {
        # ask the proxy to open a tunnel to the destination the client originally requested
        serverside {TCP::respond "CONNECT ${origdest}:${origport} HTTP/1.0\r\n\r\n"}
        TCP::collect
    }
    when SERVER_DATA {
        if { $bypass eq 1 } {
            TCP::release
            return
        }
        if { $static::proxydebug != 0 } { log local0. "PAYLOAD before is |[TCP::payload]|" }
        # You might need HTTP/1.1 for your proxy, my version of squid was 1.0
        if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
            # strip the 39-byte proxy reply so the client only sees origin-server bytes
            TCP::payload replace 0 39 ""
            if { $static::proxydebug != 0 } { log local0. "PAYLOAD after is |[TCP::payload]|" }
            # replay the client bytes collected while the tunnel was being set up
            TCP::respond $bufferdata
            TCP::release
            set bypass 1
        } else {
            # proxy refused the tunnel (or replied with something unexpected)
            TCP::close
        }
    }
}
With this iRule the packet's dest ip and port doesn't work since the translate is disabled. If I use translate address enable and translate port enable in the iRule I'm getting LB_FAILED. I'm adding the translate to the CLIENT_DATA event.
Thanks nitass
really appreciated
E.
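The SERVER_DATA event above matches the proxy reply against one fixed 39-byte string and then strips exactly 39 bytes, which breaks as soon as the proxy answers with HTTP/1.1, a different reason phrase, an extra header such as Proxy-agent, or delivers the reply in two segments. The following Python is an added example (not code from the post or from F5) that shows the tunnel handshake handled robustly: it builds the CONNECT request the BIG-IP sends on the server side and parses the proxy's reply into an established/failed/incomplete state while preserving any origin-server bytes that follow the header terminator. The sample replies inside the test are constructed.

```python
import re

# Status line of the proxy's reply: any HTTP/1.x version, 3-digit status, reason phrase.
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ?([^\r\n]*)\r\n")


def build_connect(host, port, version="1.0"):
    """CONNECT request asking a forward proxy to tunnel to host:port.

    Mirrors what the iRule sends in SERVER_CONNECTED; with HTTP/1.1 the
    Host header is mandatory, which the iRule's fixed string would omit.
    """
    target = f"{host}:{port}"
    req = f"CONNECT {target} HTTP/{version}\r\n"
    if version == "1.1":
        req += f"Host: {target}\r\n"
    return (req + "\r\n").encode()


def parse_connect_reply(buf):
    """Classify bytes collected from the proxy after the CONNECT was sent.

    Returns (state, leftover):
      "incomplete"  -> header terminator not seen yet, keep collecting
      "established" -> 2xx reply, tunnel is open; leftover holds any bytes
                       that already belong to the origin server (e.g. the
                       first TLS record) and must be passed to the client
      "failed"      -> proxy refused or sent garbage; the caller should close
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        # Squid may send the status line and the blank line in separate segments,
        # so a prefix match on a single read is not enough.
        return "incomplete", b""
    head = buf[: end + 4]
    m = STATUS_RE.match(head)
    if m is None:
        return "failed", b""
    status = int(m.group(1))
    if 200 <= status < 300:
        return "established", buf[end + 4 :]
    return "failed", b""
```

The length of the stripped prefix is derived from the header terminator rather than hardcoded, so a reply with additional headers still leaves the client a clean byte stream.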