Forum Discussion
JG
Cumulonimbus
Dec 24, 2014
How to make "Update Check" use a Web proxy?
Re: SOL15000 - Using the Automatic Update Check feature.
Our deployment is behind a firewall. How can we make this work through a Web proxy?
nitass
Employee
Dec 25, 2014
Add a virtual server with a spare IP address and wildcard port. Add host entries on the F5 with the update server's names pointing to the spare address; this will override DNS and send the traffic to your virtual server. Set the pool members on the new virtual server to the proxy addresses.
this is mine.
HTTP Proxy Encapsulator v10/v11
https://devcentral.f5.com/wiki/iRules.HTTP-Proxy-Encapsulator-v10-v11.ashx

configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys global-settings remote-host
sys global-settings {
    remote-host {
        callhome.f5.com {
            addr 172.28.24.10
            hostname callhome.f5.com
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 13
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        172.28.24.1:3128 {
            address 172.28.24.1
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        # Hold the client's first bytes (the TLS ClientHello) until the
        # proxy has accepted the CONNECT; nothing is forwarded yet.
        set bypass 0
        set bufferdata ""
        TCP::collect 0 0
    }
    when CLIENT_DATA {
        if { $bypass eq 1 } {
            # The tunnel is up and the buffered bytes were already pushed
            # into it with TCP::respond in SERVER_DATA, so drop that prefix
            # from the collected payload before releasing the rest.
            TCP::payload replace 0 [string length $bufferdata] ""
            TCP::release
            return
        }
        # TCP::payload returns everything collected so far, so this keeps
        # accumulating until the tunnel is established.
        set bufferdata [TCP::payload]
        TCP::collect
    }
    when SERVER_CONNECTED {
        # Talk to the proxy first: ask it to open a tunnel to the real
        # update server before any client data reaches it.
        serverside {TCP::respond "CONNECT callhome.f5.com:443 HTTP/1.0\r\n\r\n"}
        TCP::collect
    }
    when SERVER_DATA {
        if { $bypass eq 1 } {
            TCP::release
            return
        }
        # Only this exact 39-byte reply is accepted. A proxy that answers
        # with HTTP/1.1, a different reason phrase, a non-200 status, or a
        # reply split across segments fails the check and the connection
        # is closed.
        if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
            # Strip the proxy's reply so the client only ever sees TLS
            # bytes, then push the buffered ClientHello into the tunnel.
            TCP::payload replace 0 39 ""
            TCP::respond $bufferdata
            TCP::release
            set bypass 1
        } else {
            TCP::close
        }
    }
}
 test
[root@ve11a:Active:In Sync] config  /usr/bin/updatecheck
[root@ve11a:Active:In Sync] config 
 trace
[root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 3128
New TCP connection 1: 172.28.24.14(51753) <-> 172.28.24.1(3128)
1419519138.7087 (0.0040)  C>S
---------------------------------------------------------------
CONNECT callhome.f5.com:443 HTTP/1.0
---------------------------------------------------------------
1419519139.1157 (0.4069)  S>C
---------------------------------------------------------------
HTTP/1.0 200 Connection established
---------------------------------------------------------------
1 1  1419519139.1157 (0.0000)  C>SV3.1(512)  Handshake
1 2  1419519139.3267 (0.2110)  S>CV3.3(81)  Handshake
1 3  1419519139.3292 (0.0024)  S>CV3.3(3657)  Handshake
1 4  1419519139.3292 (0.0000)  S>CV3.3(4)  Handshake
1 5  1419519139.3346 (0.0054)  C>SV3.3(262)  Handshake
1 6  1419519139.3346 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
1 7  1419519139.3346 (0.0000)  C>SV3.3(80)  Handshake
1 8  1419519139.5468 (0.2121)  S>CV3.3(1)  ChangeCipherSpec
1 9  1419519139.5468 (0.0000)  S>CV3.3(80)  Handshake
1 10 1419519139.5754 (0.0286)  C>SV3.3(2144)  application_data
1 11 1419519139.8617 (0.2862)  S>CV3.3(1536)  application_data
1    1419519139.8690 (0.0073)  C>S  TCP FIN
1    1419519139.8697 (0.0007)  S>C  TCP FIN
Kevin_Davies_40
Nacreous
Dec 25, 2014
I was just trying to figure out how to replace GET with CONNECT! When I realized it would require this, I thought, wouldn't it be simpler just to put the proxy in transparent mode?

NiHo_202842
Cirrostratus
Jun 01, 2015
First of all, thank you for your comment. I can't get it to work though; the log shows gibberish in CLIENT_DATA before and a "Client connected". Suggestions?

nitass
Employee
Jun 01, 2015
Can you try tcpdump?

NiHo_202842
Cirrostratus
Jun 01, 2015
I will. Assigning the default serverssl profile (for fun) gives only "client connected" and a "connection reset by peer" in the CLI. EDIT: tcpdump shows the proxy returning a reset immediately after a SYN from the bigip.

NiHo_202842
Cirrostratus
Jun 02, 2015
A tcpdump shows that the bigip can't even set up a TCP connection with the proxy. hm. I can telnet to the proxy and do a GET just fine. ssldump shows nothing. If I don't associate an HTTP profile, I immediately get a "connection reset by peer". Edit: the proxy does not support CONNECT, that's why.
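The exchange the iRule above performs, and the failure the last comments ran into, as an added example that is not code from this thread or from F5: a small Python CONNECT-tunnel client plus a constructed in-process stand-in for the proxy, so it runs offline. The stand-in's behaviour, the echoed bytes, and the use of callhome.f5.com:443 as the tunnel target are assumptions for illustration; pointing tunnel_through_proxy() at the real proxy (172.28.24.1:3128 in the listing) is the quick check for whether it accepts CONNECT at all, which is worth doing before building the virtual server.

```python
# Added example, not code from the thread. A CONNECT-tunnel client that does
# in Python what iRule 'qux' does in the data path, plus a constructed fake
# proxy so the exchange can be run and observed without a real proxy.
import socket
import threading
import time


class ProxyError(Exception):
    """The proxy did not open the tunnel: non-200 reply, junk, or early close."""


def send_connect(sock, host, port, version="1.0"):
    """Send the same request the iRule injects in SERVER_CONNECTED."""
    sock.sendall(f"CONNECT {host}:{port} HTTP/{version}\r\n\r\n".encode("ascii"))


def read_connect_reply(sock):
    """Read the proxy's reply up to the blank line that ends its headers.

    Unlike the iRule's fixed 39-byte starts_with match, this accepts any HTTP
    version and reason phrase and keeps reading if the reply is split across
    segments. Returns (status, leftover); leftover is tunnelled data that
    arrived in the same segment as the headers and must not be discarded.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 16384:
            raise ProxyError("oversized CONNECT reply")
    header, _, leftover = buf.partition(b"\r\n\r\n")
    status_line = header.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ProxyError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    if status != 200:
        raise ProxyError("proxy refused CONNECT: " + status_line.decode("ascii", "replace"))
    return status, leftover


def tunnel_through_proxy(proxy_addr, host, port, timeout=5.0):
    """Connect to the proxy and turn the socket into a raw byte pipe to host:port."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    try:
        send_connect(sock, host, port)
        _, leftover = read_connect_reply(sock)
    except Exception:
        sock.close()
        raise
    # For the real update check you would now wrap sock with
    # ssl.create_default_context().wrap_socket(sock, server_hostname=host),
    # so the TLS handshake happens inside the tunnel, as in the ssldump trace.
    return sock, leftover


def run_fake_proxy(connect_supported=True):
    """Constructed stand-in for the proxy; returns the (ip, port) it listens on.

    True: answer CONNECT with a 200 split across two segments, then echo the
    first tunnelled bytes back as if they came from the origin.
    False: behave like a forward proxy that only knows GET/POST (the situation
    the last comment describes) and reject the method.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                req += chunk
            if connect_supported and req.startswith(b"CONNECT "):
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n")
                time.sleep(0.05)               # deliberately fragment the reply
                conn.sendall(b"\r\n")
                conn.sendall(conn.recv(4096))  # "origin" echoes the client's bytes
            else:
                conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()


def demo(connect_supported=True):
    """Run the exchange end to end; returns (leftover, echoed) or raises ProxyError."""
    proxy_addr = run_fake_proxy(connect_supported)
    sock, leftover = tunnel_through_proxy(proxy_addr, "callhome.f5.com", 443)
    with sock:
        sock.sendall(b"\x16\x03\x01")          # first bytes of a TLS ClientHello
        echoed = sock.recv(4096)
    return leftover, echoed


if __name__ == "__main__":
    print(demo(True))                           # (b'', b'\x16\x03\x01')
    try:
        demo(False)
    except ProxyError as err:
        print("expected failure:", err)
```

Two things this does that the iRule does not: it accepts an HTTP/1.1 status line and a reply that arrives in more than one segment, both of which make the iRule's starts_with check fail and close the connection; and it keeps any bytes that follow the blank line instead of assuming the reply is exactly 39 bytes long. A proxy that does not implement CONNECT shows up here as a ProxyError on a 4xx/5xx reply, or as an early close when the proxy simply resets, which is what the tcpdump in the comments above showed.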