Forum Discussion
How to implement LTM forward proxy client to determine the diversion pool based on the domain name
NathanAsky, any particular reason you are doing this on the forward proxy and not the server side of the connection? It seems like a significant amount of work to go through rather than just use the forward proxy and let it connect to what it should connect to based on DNS.
Yes, I agree with you. I have considered using DNS to capture domain name traffic, but I don't know how the logic is related. For example, I use a 0.0.0.0:53 VS to capture domain name information and addresses, and another 0.0.0.0:0 for the egress network. I don't know how to associate the two VS.
- Paulius (MVP), Mar 21, 2025
I believe what you are looking for is outlined in the following document.
https://community.f5.com/kb/technicalarticles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using-ltm/286647
- NathanAsky (Altostratus), Mar 26, 2025
Thank you very much. Maybe it's still not the part I need.
I am trying the following part to capture the domain name IP through 0.0.0.0:53 to 0.0.0.0:0 vs. getting dictionary information to match the diversion, but I don't like this method very much.
when DNS_RESPONSE {
    set requested_domain [DNS::question name] ;# Get the queried domain name

    # List of domains allowed to be stored (only these domains are recorded)
    set allowed_domains {
        "google.com"
        "baidu.com"
        "yahoo.com"
    }

    # Check whether the domain is in the allowed list
    if { [lsearch -exact $allowed_domains $requested_domain] == -1 } {
        log local0. "Ignoring domain: $requested_domain (not in allowed list)"
        return
    }

    # Get the stored IP list (if it exists)
    set existing_ips [table lookup "DNS_$requested_domain"]

    # Initialise the IP list from the stored entry once, before the loop
    # (re-splitting it inside the loop would discard IPs added on earlier iterations)
    set ip_list {}
    if { $existing_ips ne "" } {
        set ip_list [split $existing_ips ","]
    }

    foreach answer [DNS::answer] {
        if { [DNS::type $answer] eq "A" } {
            set resolved_ip [DNS::rdata $answer] ;# Get the resolved IP address
            # Only add new IPs, to avoid storing duplicates
            if { [lsearch -exact $ip_list $resolved_ip] == -1 } {
                lappend ip_list $resolved_ip
            }
        }
    }

    # Store the updated IP list (comma-separated)
    if { [llength $ip_list] > 0 } {
        table set "DNS_$requested_domain" [join $ip_list ","] 300
        log local0. "Stored: $requested_domain -> [join $ip_list ","]"
    }
}
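
A possible way to associate the two virtual servers, as an added example that is not part of the original post: the DNS-side rule writes a reverse IP-to-domain entry, and a second rule on the 0.0.0.0:0 virtual server looks up the destination address to pick a pool. The pool names and the `IP_` key prefix are assumptions; it also assumes both virtual servers run on the same BIG-IP and that clients resolve through the 0.0.0.0:53 virtual server.

```tcl
# Added example, not from the thread. Pool names are hypothetical placeholders.

# iRule 1: attach to the 0.0.0.0:53 virtual server (needs a DNS profile).
when DNS_RESPONSE {
    set qname [string tolower [DNS::question name]]
    # Same allow-list idea as the posted iRule; only these names are tracked.
    if { [lsearch -exact {google.com baidu.com yahoo.com} $qname] == -1 } {
        return
    }
    foreach rr [DNS::answer] {
        if { [DNS::type $rr] eq "A" } {
            # Reverse entry: resolved IP -> domain, so the egress virtual
            # server can find the domain from the destination address.
            # 300 s matches the posted iRule; it is not the record's TTL.
            table set "IP_[DNS::rdata $rr]" $qname 300
        }
    }
}

# iRule 2: attach to the 0.0.0.0:0 egress virtual server.
when CLIENT_ACCEPTED {
    # On a wildcard virtual server the client-side local address is the
    # real destination. -notouch keeps data traffic from extending the entry.
    set domain [table lookup -notouch "IP_[IP::local_addr]"]
    switch -- $domain {
        "google.com" { pool pool_egress_a }
        "baidu.com"  { pool pool_egress_b }
        "yahoo.com"  { pool pool_egress_a }
        default {
            # No mapping: entry expired, or the client resolved elsewhere.
            log local0. "No domain mapping for [IP::local_addr], using default pool"
            pool pool_egress_default
        }
    }
}
```

Several domains can share one address (CDNs, shared hosting), in which case the last DNS response written wins, so the default branch and the log line are worth keeping. The exact-match allow-list also means a query for a subdomain such as `www.google.com` is not recorded.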
