Forum Discussion
Eric_Frankenfie
Nimbostratus
NimbostratusForward Traffic to Proxy Server
I have an application server on the inside of our network that needs to send HTTPS soap messages to one of our clients. No devices on our network have direct access to the Internet; rather all outbound traffic must go through a Proxy server. The application on the server is not Proxy aware and I was thinking I could create a VS and use an iRule to redirect the traffic to the Proxy server. Can someone help me with the iRule?
Application Server --> F5 --> Proxy Server --> Internet
Eric_FrankenfieI was thinking about something like this...-Application server sends https:///customer1
-F5 rewrites the URL as https:// and forwards that request to the Proxy server
-Proxy server requests https://
-Proxy receives return traffic and forwards to the F5
-F5 forwards the response to the application server
- It sounds like we can probably help with what you're looking for here, assuming we can decrypt the traffic inbound to the LTM and then re-encrypt as necessary on the way back out.
Could you give a little more detail though? It'd be really helpful to get some examples of the requests you're talking about, even if you're using mock hostnames. Seeing the way the request is formed from the app, the response you'd see at the F5, etc. would be very helpful.
Colin - Eric_Frankenfie
The URL will be https://subdomain.customer.com/atchi/app.cgi
· Data will be encrypted by a Java key store
· Data will then be sent via SSL essentially double encrypting the data
SAML is probably post data, so the stream might look like this:
SSL(HTTP(SAML(SOAP(Java Encryption(App Message)))))
So if we do SSL at the F5, we should see everything down to the SOAP message's cleartext fields, assuming that the "main payload" of the SOAP message is what is encrypted, and that this payload contains the actual app message
- Eric_FrankenfieBump
- I'm still trying to make sure I have my head around this one.
The App server sends a SOAP request directed to https://subdomain.customer.com/atchi/app.cgi. That request needs to be forwarded to a proxy server (does a host or URI re-write need to happen here? Or just send along the original URI/request intact?), the proxy server gets the request and fires it off to the internet.
Wouldn't this be a relatively simple setup? Make sure the App server is routing through the LTM, have the LTM route the App traffic to the proxy (have the proxy set up as a pool member), which would then be firing info out to the internet, and then make sure the proxy is routing back through the LTM when trying to return traffic to the App Server.
Did I miss something there?
Colin - Eric_FrankenfieThe app server will be sending the request to the VS internal address. The F5 would then rewrite the request to the customer URL and then pass the request to the Proxy. Maybe something like this...
if { [string tolower [HTTP::path]] contains "/customer1" }
HTTP::header replace "subdomain.customer1.com"
HTTP::uri "/atchi/app.cgi"
if { [string tolower [HTTP::path]] contains "/customer2" }
HTTP::header replace "subdomain.customer2.com"
HTTP::uri "/atchi/app.cgi" - Eric_FrankenfieMorning bump
hoolioCirrostratus
Hi Eric,
Can you use tcpdump to log the current requests from the app server to the virtual server? Or you could use an iRule which logs [HTTP::request] in the HTTP_REQUEST event. This will log the HTTP request headers to /var/log/ltm. Please post some anonymized examples of the original requests and a description of how you want them modified.
Thanks, Aaron- Eric_FrankenfieI don't have anything setup yet, just in the planning stage. I am good with setting the Proxy server as the node in the pool. Does this look correct for rewriting the URL?
Request from App to VS: https://customer1.
Request from VS to Proxy: https://subdomain.customer.com/atchi/app.cgi
if { [string tolower [HTTP::path]] contains "customer1" }
HTTP::header replace "subdomain.customer1.com"
HTTP::uri "/atchi/app.cgi"
if { [string tolower [HTTP::path]] contains "customer2" }
HTTP::header replace "subdomain.customer2.com"
HTTP::uri "/atchi/app.cgi" - Eric_FrankenfieThe new request is not being fully constructed. Rather it is appearing on the Proxy server as 'GET /samltest/samltest.asp' opposed to ‘GET http://dalvdmz08.carreker.com/samltest/samltest.asp’ and the Proxy server is denying the request with the following error:
Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)
Here is the iRule I have configured. Any help would be greatly appreciated.
Source NAT (SNAT)
when CLIENT_ACCEPTED {
snat 10.206.1.245
log local0. "iRule SCO-Proxy - Setting SNAT to 10.206.1.245"
}
Search for Bank Name
when HTTP_REQUEST {
log local0. "iRule SCO-Proxy - HOST: [HTTP::header host]"
log local0. "iRule SCO-Proxy - PATH: [HTTP::path]"
if { [string tolower [HTTP::path]] contains "/adirondacktrust" } {
log local0. "iRule SCO-Proxy - Yes URL contains /adirondacktrust"
Rewrite the URI
HTTP::uri "/samltest/samltest.asp"
log local0. "iRule SCO-Proxy - New URI is [HTTP::uri]"
Rewrite the Host header
HTTP::header replace host "dalvdmz08.carreker.com"
log local0. "iRule SCO-Proxy - New host is [HTTP::header host]"
Log Re-written URL
log local0. "iRule SCO-Proxy - New URL is [HTTP::header host][HTTP::uri]"
use pool proxy-isa} else {
discard
log local0. "iRule SCO-Proxy - The request was discarded"}
}
