Forum Discussion
How to make "Update Check" to use a Web proxy?
Re: SOL15000 - Using the Automatic Update Check feature.
Our deployment is behind a firewall. How can we make this work through a Web proxy?
23 Replies
- nitass
Employee
How can we make this work through a Web proxy?
i understand it is not possible (as of now).
- Kevin_Davies_40
Nacreous
Would the following do it?
Add a virtual server with a spare IP address and wildcard port. Add host entries on the F5 with the update server's names pointing to the spare address, this will override DNS and send the traffic to your virtual server. Set your pool members on the new virtual server as the proxy addresses.
This should send the update traffic to the virtual server which will in turn throw this at the proxy. Thereafter it's up to the proxy to resolve the requested website name using normal DNS.
Just an idea.
Merry Xmas!
- Kevin_Davies_40
Nacreous
The only change you would need to make to each HTTP request is to proxify it...
when HTTP_REQUEST {
    HTTP::uri "http://[HTTP::host][HTTP::uri]"
}
- nitass
Employee
Add a virtual server with a spare IP address and wildcard port. Add host entries on the F5 with the update server's names pointing to the spare address, this will override DNS and send the traffic to your virtual server. Set your pool members on the new virtual server as the proxy addresses.
the host entry has no issue. anyway, the virtual server is not triggered. is it triggered on yours?
- Kevin_Davies_40
Nacreous
Tell me how to force a check and I will test it.
- Kevin_Davies_40
Nacreous
It is triggered on mine (iRule detects connection and logging shows request with SSL profiles) however at this time I am unable to get requests through the F5 to the backend proxy which I think needs to be in transparent mode to make this all work. My virtual server was on port 443 as that is all that is needed initially for the connection to callhome.f5.com
- nitass
Employee
it is weird. your virtual server is private ip which matches host entry, isn't it?
- Kevin_Davies_40
Nacreous
Yup 192.168.20.20:443, ssl profiles, specialised logging iRule. Host callhome.f5.com is defined in gui under system->configuration->device->hosts. Mind you my DNS config does not actually work, it is set to some IP address which is no longer valid. So the hosts entry is how it is picking up the address.
- nitass
Employee
ok, thanks. i found that my virtual server was indeed triggered but tcpdump did not show it (last time i checked tcpdump only).
- nitass_89166
Noctilucent
Add a virtual server with a spare IP address and wildcard port. Add host entries on the F5 with the update server's names pointing to the spare address, this will override DNS and send the traffic to your virtual server. Set your pool members on the new virtual server as the proxy addresses.
this is mine.
HTTP Proxy Encapsulator v10/v11
https://devcentral.f5.com/wiki/iRules.HTTP-Proxy-Encapsulator-v10-v11.ashx

configuration

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys global-settings remote-host
sys global-settings {
    remote-host {
        callhome.f5.com {
            addr 172.28.24.10
            hostname callhome.f5.com
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 13
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        172.28.24.1:3128 {
            address 172.28.24.1
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        set bypass 0
        set bufferdata ""
        TCP::collect 0 0
    }
    when CLIENT_DATA {
        if { $bypass eq 1 } {
            TCP::payload replace 0 [string length $bufferdata] ""
            TCP::release
            return
        }
        set bufferdata [TCP::payload]
        TCP::collect
    }
    when SERVER_CONNECTED {
        serverside {TCP::respond "CONNECT callhome.f5.com:443 HTTP/1.0\r\n\r\n"}
        TCP::collect
    }
    when SERVER_DATA {
        if { $bypass eq 1 } {
            TCP::release
            return
        }
        if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
            TCP::payload replace 0 39 ""
            TCP::respond $bufferdata
            TCP::release
            set bypass 1
        } else {
            TCP::close
        }
    }
}

test

[root@ve11a:Active:In Sync] config /usr/bin/updatecheck

trace

[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 3128
New TCP connection 1: 172.28.24.14(51753) <-> 172.28.24.1(3128)
1419519138.7087 (0.0040)  C>S
---------------------------------------------------------------
CONNECT callhome.f5.com:443 HTTP/1.0

---------------------------------------------------------------
1419519139.1157 (0.4069)  S>C
---------------------------------------------------------------
HTTP/1.0 200 Connection established

---------------------------------------------------------------
1 1   1419519139.1157 (0.0000)  C>SV3.1(512)   Handshake
1 2   1419519139.3267 (0.2110)  S>CV3.3(81)    Handshake
1 3   1419519139.3292 (0.0024)  S>CV3.3(3657)  Handshake
1 4   1419519139.3292 (0.0000)  S>CV3.3(4)     Handshake
1 5   1419519139.3346 (0.0054)  C>SV3.3(262)   Handshake
1 6   1419519139.3346 (0.0000)  C>SV3.3(1)     ChangeCipherSpec
1 7   1419519139.3346 (0.0000)  C>SV3.3(80)    Handshake
1 8   1419519139.5468 (0.2121)  S>CV3.3(1)     ChangeCipherSpec
1 9   1419519139.5468 (0.0000)  S>CV3.3(80)    Handshake
1 10  1419519139.5754 (0.0286)  C>SV3.3(2144)  application_data
1 11  1419519139.8617 (0.2862)  S>CV3.3(1536)  application_data
1     1419519139.8690 (0.0073)  C>S  TCP FIN
1     1419519139.8697 (0.0007)  S>C  TCP FIN
- Kevin_Davies_40
Nacreous
I was just trying to figure out how to replace GET with CONNECT! When I realized it would require this, I thought wouldn't it be simpler just to put the proxy in transparent mode?
- NiHo_202842
Cirrostratus
First of all, thank you for your comment. I can't get it to work though, log shows gibberish in CLIENT_DATA before and a Client connected. Suggestions?
- nitass_89166
Noctilucent
can you try tcpdump?
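The two proxy techniques discussed in this thread, as an added Python model that is not part of the thread and not F5's iRule or any F5 code: `ConnectTunnel` follows the event flow of nitass's iRule (hold the client's first bytes, send CONNECT to the proxy once the server side connects, strip the proxy's reply and release the held bytes only after a successful status), and `absolute_form` does the request-line rewrite Kevin suggested for plain HTTP. It goes beyond the iRule in three deliberate ways: it accepts any 2xx status line rather than the literal `HTTP/1.0 200 Connection established`, it computes the header length instead of stripping a fixed 39 bytes, and it treats a reply that arrives split across TCP segments as "not finished yet" rather than as a failure. The host, port and byte strings are constructed sample values.

```python
"""Model of CONNECT encapsulation and absolute-form rewriting for a forward proxy.
Added example: mirrors the CLIENT_DATA / SERVER_CONNECTED / SERVER_DATA logic of the
iRule in the thread, generalised to any 2xx reply and to replies split across segments.
"""
import re
from typing import Tuple

# Constructed sample target; only the name/port pair mirrors the thread.
TARGET = ("callhome.f5.com", 443)

# Status line of a proxy reply, e.g. b"HTTP/1.0 200 Connection established".
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def connect_request(host: str, port: int) -> bytes:
    """CONNECT line sent to the proxy (HTTP/1.0, as the iRule does)."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode()


def absolute_form(request: bytes) -> bytes:
    """Plain-HTTP variant: turn 'GET /path HTTP/1.1' + Host header into the
    absolute-form request line ('GET http://host/path HTTP/1.1') a proxy expects.
    Requests that are malformed, lack a Host header, or are already absolute are
    returned unchanged."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return request
    method, target, version = parts
    host = next((l.split(b":", 1)[1].strip()
                 for l in lines[1:] if l.lower().startswith(b"host:")), None)
    if host is None or target.startswith(b"http://"):
        return request
    lines[0] = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join(lines) + sep + body


class ConnectTunnel:
    """State machine for one client connection being tunnelled through a CONNECT proxy."""

    def __init__(self, host: str = TARGET[0], port: int = TARGET[1]):
        self.host, self.port = host, port
        self.buffer = b""        # client bytes held back until the tunnel is up
        self.reply = b""         # proxy reply accumulated across segments
        self.established = False
        self.closed = False

    def on_client_data(self, data: bytes) -> bytes:
        """Return the bytes to forward to the proxy; nothing until the tunnel exists."""
        if self.closed:
            return b""
        if self.established:
            return data
        self.buffer += data      # equivalent of 'set bufferdata [TCP::payload]'
        return b""

    def on_server_connected(self) -> bytes:
        """Bytes to send to the proxy as soon as the server-side TCP connection is up."""
        return connect_request(self.host, self.port)

    def on_server_data(self, data: bytes) -> Tuple[bytes, bytes]:
        """Return (bytes for the client, bytes for the proxy)."""
        if self.closed:
            return b"", b""
        if self.established:
            return data, b""
        self.reply += data
        head, sep, rest = self.reply.partition(b"\r\n\r\n")
        if not sep:
            return b"", b""      # headers not complete yet; keep collecting
        m = STATUS_RE.match(head)
        if not m or not m.group(1).startswith(b"2"):
            self.closed = True   # proxy refused (403, 407, ...): drop the connection,
            return b"", b""      # never release the held client bytes
        self.established = True
        released, self.buffer = self.buffer, b""
        # Strip the proxy's reply, pass any trailing bytes to the client,
        # and release the held client bytes towards the proxy.
        return rest, released


if __name__ == "__main__":
    t = ConnectTunnel()
    t.on_client_data(b"\x16\x03\x01\x00\x05hello")   # constructed TLS-looking bytes
    print(t.on_server_connected())
    print(t.on_server_data(b"HTTP/1.0 200 Connection established\r\n\r\n"))
```

The refusal branch matters for the defender: in the iRule, a non-200 reply leads to `TCP::close`, and the model keeps that property, so a proxy that demands authentication (407) or blocks the destination (403) never sees the client's buffered TLS ClientHello forwarded as if the tunnel existed.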