Forum Discussion

shamax22
Nimbostratus
Sep 08, 2024

F5 LTM Explicit Forward Proxy with SSL Decryption(and XFF insertion)

Hi experts,

I am working on a project where I have to configure the LTM as an Explicit Forward Proxy. 

I managed to get this working for both HTTP and HTTPS traffic using this article here:
Configure the F5 BIG-IP as an Explicit Forward Web Proxy Using LTM | DevCentral

Note that, to align with the existing routing topology, the above setup required SNAT so the return traffic can get back to the LTM (currently routing topology can't be changed)

However, a new requirement has come up to include the X-Forwarded-For header in the outgoing packets from the LTMs (to the Internet) so the firewalls (that happen to be in the path to the Internet) can enforce the necessary policies based on the source IP derived from the XFF IP.

Essentially, I now have the requirement of decrypting the traffic on the LTMs (while they are still functioning as an explicit forward proxy), inserting XFF and re-encrypting the traffic before sending it out to the firewall. The firewall, in this case, will also decrypt the traffic, extract the XFF information and use that to enforce security policies on the traffic before sending it out to the Internet.

Obviously, decrypting the same traffic twice is overkill, but I guess at this point in time I just want to make sure that this option is available and test it out in my POC.

The issue I am having right now is that, for the life of me, I can't find any document that tells me how to perform this on an explicit forward proxy setup. I can find a lot of information around SSL decryption and XFF insertion on a reverse proxy setup, but I am a bit confused about how to derive the necessary bits from that and apply them to the explicit forward proxy. I tried different things in my lab but failed to get the expected outcome.

Can someone please show me a document or let me know how to do this?

Your input is much appreciated.

Thanks