Forum Discussion
Eldad_162351
May 25, 2015 Nimbostratus
F5 HTTPS Transparent to Forward Proxy Encapsulator
Hello,
My setup includes legacy clients that send HTTPS requests but cannot set their HTTPS proxy.
F5 is a transparent proxy and the goal is to dynamically forward their traffic to an externa...
Eldad_162351
Jun 04, 2015 Nimbostratus
Hey nitass,
I've finally managed to make it work, or at least partially work, so thanks very much.
The problem is where to place the node $destip $destport, which I'm getting from a table based on the source IP.
For now the iRule looks like:
    when CLIENT_ACCEPTED {
        translate address enable
        translate port enable
        if { $static::proxydebug != 0 } { log local0. "Client connected" }
        set bypass 0
        set bufferdata ""
        # 0 to make sure the server-side connection is opened right away
        TCP::collect 0 0
        set srcip [IP::client_addr]
        set my_lookup [table lookup -subtable "clients" $srcip]
        # my_lookup contains the ip and port for proxies relevant for the legacy clients
        # now parsing $my_lookup to get the destination ip as $destip and port as $destport for proxy
        node $destip $destport
    }
    when CLIENT_DATA {
        if { $static::proxydebug != 0 } { log local0. "CLIENT_DATA before is |[TCP::payload]|" }
        # accumulate until ready, release when connected
        if { $bypass eq 1 } {
            # drop the bytes that SERVER_DATA already sent to the proxy
            TCP::payload replace 0 [string length $bufferdata] ""
            TCP::release
            return
        }
        set bufferdata [TCP::payload]
        TCP::collect
    }
    when SERVER_CONNECTED {
        # ask the proxy to open a tunnel to the client's original destination
        serverside {TCP::respond "CONNECT [IP::local_addr clientside]:[TCP::local_port clientside] HTTP/1.0\r\n\r\n"}
        TCP::collect
    }
    when SERVER_DATA {
        if { $bypass eq 1 } {
            TCP::release
            return
        }
        if { $static::proxydebug != 0 } { log local0. "PAYLOAD before is |[TCP::payload]|" }
        # You might need HTTP/1.1 for your proxy, my version of squid was 1.0
        if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
            # 39 is the length of the status line plus the blank line matched above
            TCP::payload replace 0 39 ""
            if { $static::proxydebug != 0 } { log local0. "PAYLOAD after is |[TCP::payload]|" }
            TCP::respond $bufferdata
            TCP::release
            set bypass 1
        } else {
            TCP::close
        }
    }
I've placed the node at the end of CLIENT_ACCEPTED, but most of the time it's not working on the first session, only after a refresh. Any idea how to optimize the iRule or place the node somewhere else?
Thanks, Eldad.
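An added example, not part of the original post and not F5 code: the SERVER_DATA handler above matches one exact reply string and strips a fixed 39 bytes, while its own comment notes that a proxy may answer with HTTP/1.1. The plain-Tcl proc below (hypothetical name `parse_connect_reply`, constructed sample replies) locates the end of the proxy's reply headers for either version and reports partial or refused replies.

```tcl
# Added example, not from the original post. Plain Tcl (8.4-compatible),
# no iRule commands. The proc name and sample replies are assumptions.
#
# Returns a two-element list:
#   {incomplete 0}  header block not fully received yet, collect more
#   {ok N}          2xx reply; the first N bytes are the proxy's own headers
#   {refused CODE}  proxy answered CONNECT with non-2xx status CODE
#   {invalid 0}     first line is not an HTTP/1.x status line
proc parse_connect_reply {payload} {
    # The reply's header block ends at the first empty line.
    set end [string first "\r\n\r\n" $payload]
    if { $end < 0 } {
        return [list incomplete 0]
    }
    # The status line is everything before the first CRLF.
    set eol [string first "\r\n" $payload]
    set status_line [string range $payload 0 [expr {$eol - 1}]]
    if { ![regexp {^HTTP/1\.[01] ([0-9]{3})( |$)} $status_line -> code] } {
        return [list invalid 0]
    }
    # Any 2xx answer to CONNECT means the tunnel is open.
    if { ![string match "2??" $code] } {
        return [list refused $code]
    }
    # Strip through the blank line; bytes after it belong to the tunnel.
    return [list ok [expr {$end + 4}]]
}

# Constructed sample replies: exact HTTP/1.0 match, HTTP/1.1 with an extra
# header and trailing tunnel bytes, a partial reply, a refusal, a non-HTTP peer.
set samples [list \
    "HTTP/1.0 200 Connection established\r\n\r\n" \
    "HTTP/1.1 200 Connection established\r\nProxy-Agent: example\r\n\r\n\x16\x03\x01" \
    "HTTP/1.1 200 Connec" \
    "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n" \
    "SSH-2.0-example\r\n\r\n"]

foreach s $samples {
    puts [parse_connect_reply $s]
}
```

In the iRule, an `incomplete` result would mean calling `TCP::collect` again, and the byte count from an `ok` result would take the place of the fixed 39 in `TCP::payload replace`.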