Forward Traffic to Proxy Server

I was thinking about something like this...

 

 

-Application server sends https:///customer1

 

-F5 rewrites the URL as https:// and forwards that request to the Proxy server

 

-Proxy server requests https://

 

-Proxy receives return traffic and forwards to the F5

 

-F5 forwards the response to the application server

 

It sounds like we can probably help with what you're looking for here, assuming we can decrypt the traffic inbound to the LTM and then re-encrypt as necessary on the way back out.

 

 

Could you give a little more detail though? It'd be really helpful to get some examples of the requests you're talking about, even if you're using mock hostnames. Seeing the way the request is formed from the app, the response you'd see at the F5, etc. would be very helpful.

 

 

Colin

The URL will be https://subdomain.customer.com/atchi/app.cgi

 

 

 

· Data will be encrypted by a Java key store

 

· Data will then be sent via SSL essentially double encrypting the data

 

 

 

 

 

SAML is probably post data, so the stream might look like this:

 

 

 

SSL(HTTP(SAML(SOAP(Java Encryption(App Message)))))

 

 

 

So if we do SSL at the F5, we should see everything down to the SOAP message's cleartext fields, assuming that the "main payload" of the SOAP message is what is encrypted, and that this payload contains the actual app message

 

 

 

 

Bump

I'm still trying to make sure I have my head around this one.

 

 

The App server sends a SOAP request directed to https://subdomain.customer.com/atchi/app.cgi. That request needs to be forwarded to a proxy server (does a host or URI re-write need to happen here? Or just send along the original URI/request intact?), the proxy server gets the request and fires it off to the internet.

 

 

Wouldn't this be a relatively simple setup? Make sure the App server is routing through the LTM, have the LTM route the App traffic to the proxy (have the proxy set up as a pool member), which would then be firing info out to the internet, and then make sure the proxy is routing back through the LTM when trying to return traffic to the App Server.

 

 

Did I miss something there?

 

 

Colin

The app server will be sending the request to the VS internal address. The F5 would then rewrite the request to the customer URL and then pass the request to the Proxy. Maybe something like this...

 

 

if { [string tolower [HTTP::path]] contains "/customer1" }

 

HTTP::header replace "subdomain.customer1.com"

 

HTTP::uri "/atchi/app.cgi"

 

if { [string tolower [HTTP::path]] contains "/customer2" }

 

HTTP::header replace "subdomain.customer2.com"

 

HTTP::uri "/atchi/app.cgi"

Morning bump

Hi Eric,

 

 

Can you use tcpdump to log the current requests from the app server to the virtual server? Or you could use an iRule which logs [HTTP::request] in the HTTP_REQUEST event. This will log the HTTP request headers to /var/log/ltm. Please post some anonymized examples of the original requests and a description of how you want them modified.

 

 

Thanks, Aaron

I don't have anything setup yet, just in the planning stage. I am good with setting the Proxy server as the node in the pool. Does this look correct for rewriting the URL?

 

 

Request from App to VS: https://customer1.

 

Request from VS to Proxy: https://subdomain.customer.com/atchi/app.cgi

 

 

if { [string tolower [HTTP::path]] contains "customer1" }

 

HTTP::header replace "subdomain.customer1.com"

 

HTTP::uri "/atchi/app.cgi"

 

if { [string tolower [HTTP::path]] contains "customer2" }

 

HTTP::header replace "subdomain.customer2.com"

 

HTTP::uri "/atchi/app.cgi"

The new request is not being fully constructed. Rather it is appearing on the Proxy server as 'GET /samltest/samltest.asp' opposed to ‘GET http://dalvdmz08.carreker.com/samltest/samltest.asp’ and the Proxy server is denying the request with the following error:

 

 

Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)

 

 

Here is the iRule I have configured. Any help would be greatly appreciated.

 

 

Source NAT (SNAT)

 

when CLIENT_ACCEPTED {

 

snat 10.206.1.245

 

log local0. "iRule SCO-Proxy - Setting SNAT to 10.206.1.245"

 

}

 

 

Search for Bank Name

 

when HTTP_REQUEST {

 

log local0. "iRule SCO-Proxy - HOST: [HTTP::header host]"

 

log local0. "iRule SCO-Proxy - PATH: [HTTP::path]"

 

if { [string tolower [HTTP::path]] contains "/adirondacktrust" } {

 

log local0. "iRule SCO-Proxy - Yes URL contains /adirondacktrust"

 

Rewrite the URI

 

HTTP::uri "/samltest/samltest.asp"

 

log local0. "iRule SCO-Proxy - New URI is [HTTP::uri]"

 

Rewrite the Host header

 

HTTP::header replace host "dalvdmz08.carreker.com"

 

log local0. "iRule SCO-Proxy - New host is [HTTP::header host]"

 

Log Re-written URL

 

log local0. "iRule SCO-Proxy - New URL is [HTTP::header host][HTTP::uri]"

 

use pool proxy-isa} else {

 

discard

 

log local0. "iRule SCO-Proxy - The request was discarded"}

 

}