Forum Discussion
Forward explicit SSL proxy server
597099: SSL forward proxy appears to be unable to handle an SSL handshake inside an explicit proxy 'CONNECT' request. This appears to be the case if the explicit proxy trails the SSL Forward Proxy, or is within the inspection zone. There is no workaround.
I don't believe that case applies here. This is when the F5 is in transparent proxy mode, there's an explicit proxy inside the inspection zone, and the client is attempting to communicate via explicit proxy requests to the "internal" explicit proxy, through the F5 transparent proxy. If you apply SSL Forward Proxy at this F5 ingress point, SSL Forward Proxy is currently not able to decrypt (and re-encrypt) the SSL session created inside the proxy tunnel between the client and the internal proxy.
In this thread, the F5 is an explicit proxy and Marvin and Andrew are just doing SSL Forward Proxy, and at this point not even trying to decrypt the outbound SSL traffic. In the F5 explicit forward proxy scenario, the proxy tunnel is actually established between the client and the ingress TCP wildcard VIP, through the proxy VIP, and the ingress wildcard VIP is the one providing SSL Forward Proxy decrypt/re-encrypt services.
Just to re-iterate, that bug is only relevant when there's an explicit proxy inside the inspection zone, the F5 is in transparent proxy mode, the client is trying to talk directly to the internal explicit proxy, and the F5 is trying to decrypt the SSL session between the client and the internal explicit proxy. You absolutely CAN work around that scenario by putting the ingress F5 in explicit mode (with some additional iRule logic to reformat decrypted HTTP requests to talk to the internal explicit proxy), or by putting the internal proxy in transparent mode.