Forum Discussion
JG
Cumulonimbus
Dec 24, 2014
How to make "Update Check" to use a Web proxy?
Re: SOL15000 - Using the Automatic Update Check feature.
Our deployment is behind a firewall. How can we make this work through a Web proxy?
nitass_89166
Noctilucent
Dec 25, 2014
Add a virtual server with a spare IP address and wildcard port. Add host entries on the F5 with the update server's names pointing to the spare address; this will override DNS and send the traffic to your virtual server. Set your pool members on the new virtual server as the proxy addresses.
This is mine.
HTTP Proxy Encapsulator v10/v11
https://devcentral.f5.com/wiki/iRules.HTTP-Proxy-Encapsulator-v10-v11.ashx
configuration
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list sys global-settings remote-host
sys global-settings {
    remote-host {
        callhome.f5.com {
            addr 172.28.24.10
            hostname callhome.f5.com
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 13
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        172.28.24.1:3128 {
            address 172.28.24.1
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
  set bypass 0
  set bufferdata ""
  TCP::collect 0 0
}
when CLIENT_DATA {
  if { $bypass eq 1 } {
    TCP::payload replace 0 [string length $bufferdata] ""
    TCP::release
    return
  }
  set bufferdata [TCP::payload]
  TCP::collect
}
when SERVER_CONNECTED {
  serverside {TCP::respond "CONNECT callhome.f5.com:443 HTTP/1.0\r\n\r\n"}
  TCP::collect
}
when SERVER_DATA {
  if { $bypass eq 1 } {
    TCP::release
    return
  }
  if { [TCP::payload] starts_with "HTTP/1.0 200 Connection established\r\n\r\n" } {
    TCP::payload replace 0 39 ""
    TCP::respond $bufferdata
    TCP::release
    set bypass 1
  } else {
    TCP::close
  }
}
}
test
[root@ve11a:Active:In Sync] config # /usr/bin/updatecheck
[root@ve11a:Active:In Sync] config #
trace
[root@ve11a:Active:In Sync] config # ssldump -Aed -nni 0.0 port 3128
New TCP connection 1: 172.28.24.14(51753) <-> 172.28.24.1(3128)
1419519138.7087 (0.0040)  C>S
---------------------------------------------------------------
CONNECT callhome.f5.com:443 HTTP/1.0
---------------------------------------------------------------
1419519139.1157 (0.4069)  S>C
---------------------------------------------------------------
HTTP/1.0 200 Connection established
---------------------------------------------------------------
1 1  1419519139.1157 (0.0000)  C>SV3.1(512)  Handshake
1 2  1419519139.3267 (0.2110)  S>CV3.3(81)  Handshake
1 3  1419519139.3292 (0.0024)  S>CV3.3(3657)  Handshake
1 4  1419519139.3292 (0.0000)  S>CV3.3(4)  Handshake
1 5  1419519139.3346 (0.0054)  C>SV3.3(262)  Handshake
1 6  1419519139.3346 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
1 7  1419519139.3346 (0.0000)  C>SV3.3(80)  Handshake
1 8  1419519139.5468 (0.2121)  S>CV3.3(1)  ChangeCipherSpec
1 9  1419519139.5468 (0.0000)  S>CV3.3(80)  Handshake
1 10 1419519139.5754 (0.0286)  C>SV3.3(2144)  application_data
1 11 1419519139.8617 (0.2862)  S>CV3.3(1536)  application_data
1    1419519139.8690 (0.0073)  C>S  TCP FIN
1    1419519139.8697 (0.0007)  S>C  TCP FIN
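The iRule above continues only when the proxy's reply starts with the exact 39-byte string `HTTP/1.0 200 Connection established\r\n\r\n`, and closes the connection otherwise. The Python sketch below is an added example, not part of the original post or of F5's code: it compares that literal test with a status-line parser on constructed replies, so you can see which proxy answers the rule would reject. All function names and sample replies are assumptions.

```python
import re

# The literal the iRule on this page matches (39 bytes, the count it strips).
IRULE_LITERAL = b"HTTP/1.0 200 Connection established\r\n\r\n"
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?$")


def connect_reply_header_len(buf: bytes):
    """Return how many bytes of `buf` belong to the proxy's CONNECT reply.

    None -> header block not complete yet, keep collecting
    int  -> tunnel is up; strip this many bytes, the rest is tunnel data
    Raises ValueError when the proxy refused or sent a malformed status line.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    status_line = buf[:end].split(b"\r\n", 1)[0]
    m = STATUS_RE.match(status_line)
    if m is None:
        raise ValueError("malformed status line: %r" % status_line)
    code = int(m.group(1))
    if not 200 <= code < 300:
        raise ValueError("proxy refused CONNECT with status %d" % code)
    return end + 4


def irule_would_accept(buf: bytes) -> bool:
    """Mirror the iRule's SERVER_DATA test: literal prefix match only."""
    return buf.startswith(IRULE_LITERAL)


# Constructed sample replies (not captured from a real proxy).
SAMPLES = {
    "exact": IRULE_LITERAL + b"\x16\x03\x03",
    "http11": b"HTTP/1.1 200 Connection established\r\n\r\n",
    "extra_header": b"HTTP/1.0 200 Connection established\r\nVia: 1.0 proxy.example\r\n\r\n",
    "split": b"HTTP/1.0 200 Connection esta",
    "denied": b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        try:
            result = connect_reply_header_len(raw)
        except ValueError as exc:
            result = str(exc)
        print(name, irule_would_accept(raw), result)
```

If your proxy's reply falls into the `http11`, `extra_header` or `split` cases, the literal match and the fixed 39-byte strip in the rule need to be adapted to that reply.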
NiHo_202842
Cirrostratus
Jun 01, 2015
First of all, thank you for your comment. I can't get it to work though, log shows gibberish in CLIENT_DATA before and a Client connected. Suggestions?