Forum Discussion
Eldad_162351
Nimbostratus
May 25, 2015
F5 HTTPS Transparent to Forward Proxy Encapsulator
Hello,
My setup includes legacy clients that send HTTPS requests but cannot set their HTTPS proxy.
F5 is a transparent proxy and the goal is to dynamically forward their traffic to an externa...
Eldad_162351
Nimbostratus
Jun 04, 2015
Hey nitass,
I've finally managed to make it work, or at least partially work, so thanks very much.
The problem is where to place the node $destip $destport, which I'm getting from a table based on the source IP.
For now the iRule looks like:
when CLIENT_ACCEPTED {
    translate address enable
    translate port enable
    if { $static::proxydebug != 0 } { log local0. "Client connected" }
    set bypass 0
    set bufferdata ""
    # 0 to make sure the server-side connection is opened right away
    TCP::collect 0 0
    set srcip [IP::client_addr]
    set my_lookup [table lookup -subtable "clients" $srcip]
    # my_lookup contains the ip and port for proxies relevant for the legacy clients
    # now parsing $my_lookup to get the destination ip as $destip and port as $destport for proxy
    node $destip $destport
}
when CLIENT_DATA {
    if { $static::proxydebug != 0 } { log local0. "CLIENT_DATA before is |[TCP::payload]|" }
    # accumulate until ready, release when connected
    if { $bypass eq 1 } {
        TCP::payload replace 0 [string length $bufferdata] ""
        TCP::release
        return
    }
    set bufferdata [TCP::payload]
    TCP::collect
}
when SERVER_CONNECTED {
    # send the CONNECT request for the original destination to the proxy
    serverside {TCP::respond "CONNECT [IP::local_addr clientside]:[TCP::local_port clientside] HTTP/1.0\r\n\r\n"}
    TCP::collect
}
when SERVER_DATA {
    if { $bypass eq 1 } {
        TCP::release
        return
    }
    if { $static::proxydebug != 0 } { log local0. "PAYLOAD before is |[TCP::payload]|" }
    # You might need HTTP/1.1 for your proxy, my version of squid was 1.0
    if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
        # strip the 39-byte proxy reply, then forward the buffered client data
        TCP::payload replace 0 39 ""
        if { $static::proxydebug != 0 } { log local0. "PAYLOAD after is |[TCP::payload]|" }
        TCP::respond $bufferdata
        TCP::release
        set bypass 1
    } else {
        TCP::close
    }
}
I've placed the node at the end of CLIENT_ACCEPTED, but most of the time it's not working on the first session. It works only after a refresh. Any idea how to optimize the iRule or place the node somewhere else?
Thanks Eldad.
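
The SERVER_DATA check in the post above matches one exact 39-byte HTTP/1.0 status line. As an added example that is not part of the original post or F5's code, the plain Tcl below accepts an HTTP/1.0 or HTTP/1.1 reply with extra headers and reports when the reply has not fully arrived yet. The proc name `parse_connect_reply`, the 8192-byte limit and the sample replies are assumptions constructed for illustration.

```tcl
# Added example (plain Tcl, not the poster's iRule). Classifies the bytes
# received so far from the forward proxy after a CONNECT request.
# Returns a two-element list {state strip}:
#   incomplete 0   header terminator not seen yet, keep collecting
#   ok N           2xx reply; the first N bytes are the proxy's header block
#   refused 0      non-2xx status, not an HTTP status line, or oversized header
proc parse_connect_reply {buf {max_header 8192}} {
    set end [string first "\r\n\r\n" $buf]
    if { $end < 0 } {
        # No blank line yet. Give up if the header block is implausibly large
        # (max_header is an assumed limit, not a value from the post).
        if { [string length $buf] > $max_header } { return [list refused 0] }
        return [list incomplete 0]
    }
    # The status line is everything up to the first CRLF.
    set eol [string first "\r\n" $buf]
    set status_line [string range $buf 0 [expr {$eol - 1}]]
    # Accept HTTP/1.0 or HTTP/1.1 with any reason phrase.
    if { ![regexp {^HTTP/1\.[01] ([0-9][0-9][0-9])( |$)} $status_line -> code] } {
        return [list refused 0]
    }
    # Only a 2xx status means the tunnel is open.
    if { ![string match "2??" $code] } { return [list refused 0] }
    # Strip through the blank line; anything after it is tunnelled data.
    return [list ok [expr {$end + 4}]]
}

# Constructed sample replies (not captured traffic).
set squid_10 "HTTP/1.0 200 Connection established\r\n\r\n"
set with_hdr "HTTP/1.1 200 OK\r\nVia: 1.1 proxy\r\n\r\nTUNNELLED-BYTES"
set partial  "HTTP/1.1 200 Conn"
set denied   "HTTP/1.1 403 Forbidden\r\n\r\n"
foreach name {squid_10 with_hdr partial denied} {
    puts "$name -> [parse_connect_reply [set $name]]"
}
```

In an iRule the `incomplete` state would correspond to calling TCP::collect again instead of TCP::close, and the returned strip length would replace the hard-coded 39.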