Forum Discussion
Forward explicit SSL proxy server
Hi Kevin,
What's the trick to forwarding the HTTP traffic out the back of the Explicit VIP? The SSL traffic traverses the tcp-forward tunnel to the wildcard VS where it can be managed. How would I forward everything else (in particular, HTTP) where I want (e.g. to another VS or gateway pool)?
I've tried using the HTTP_PROXY_REQUEST event and proxy disable to send it various places. I can successfully send it to another VS; however, what I really want to do is send it through a security device. The SSL Intercept iApp 1.0 does this for HTTPS via an ingress pool; however, I can't get this working for HTTP?
Without a fancy iRule solution, I guess creating routes is the only way to get it where I want.
Any tips?
- Marvin, Oct 18, 2016, Cirrocumulus
Kevin, I have a very specific issue: an internal client is trying to access an external webservice using the explicit forward proxy with a SOAPui client and it works just fine. Also, using a web browser it works great. However, when they try to communicate using an IBM AIX MQ server they are unable to connect to the external HTTPS webservice.
What I have seen in the packet capture is that the client does not send SNI information and the server does not respond with a server hello. The level of encryption and cipher support is not a problem using TLS1.2. Almost sure that SNI support is the problem, so how am I able to inject the SNI information using the forward proxy? How to deal with this issue when there are similar problems with different external webservices? To be able to alter this behavior I guess the SSL forward proxy license is required, correct?
Looking forward to your fast response. Thanks!