Forum Discussion
HTTP and HTTPS in one VS
Ahh, so you're implementing a FORWARD proxy for internal clients to access the Internet. That's a little different. Here are a few considerations:
- First and foremost, I tend to believe that the LTM would make more sense on the inside of the forward proxy (perhaps to load balance multiple proxies), otherwise I'm not 100% clear on what the LTM is doing.
- An explicit, non-transparent forward proxy requires configuration settings in the client browser (in this case to point to the proxy on port 8080). The proxy therefore TUNNELS all traffic (80/443) through the port 8080 connection. So,
1 - browser makes connection to proxy on port 8080
2 - browser issues HTTP CONNECT method, asking proxy to make SSL tunnel to origin web server
3 - proxy resolves DNS hostname for origin server
4 - proxy makes connection to origin on port 443
5 - proxy replies to browser "HTTP/1.0 200 Connection established" to tell the browser that the SSL tunnel has been established.
6 - browser and origin do SSL certificate exchange. Proxy is used, but just as a tunnel - SSL certificate info is not modified in any way by the proxy
7 - browser sends "GET /" to origin server (via SSL tunnel through proxy) with host header filled out by browser. Again, proxy does not modify host header, as data is just being "tunneled"
** http://support.novell.com/docs/Tids/Solutions/10077499.html
- It makes sense in that regard that you're trying to do 80 and 443 in a single LTM VIP, but a) the proxy would connect to the LTM on the native port - 80 or 443, and not 8080, and b) again, unless you're doing something unique I still think the LTM should be on the other side of the forward proxy.
- Finally, unless you're providing significant web caching and/or content filtering on your forward proxy, there's both a published iRule and an iApp that will allow the LTM to perform forward proxy.
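
The CONNECT sequence from the reply above, as an added example that is not part of the original post: a loopback client, explicit proxy and origin, showing that the proxy can log only the CONNECT target and relays the tunneled bytes unchanged. All function names are hypothetical, and the origin is a plain-TCP stand-in on an ephemeral port rather than a TLS server on 443.

```python
import socket, threading

def listen():
    s = socket.socket(); s.bind(("127.0.0.1", 0)); s.listen(1)
    return s

def origin(srv, seen):
    # Constructed stand-in for the origin; a real one would speak TLS on 443.
    c, _ = srv.accept()
    seen.append(c.recv(4096)); c.sendall(b"origin-reply"); c.close()

def pipe(src, dst):
    # Copy bytes one way, unmodified (steps 6-7: the proxy is only a tunnel).
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already closed

def proxy(srv, log):
    c, _ = srv.accept()                                   # step 1
    head = b""
    while b"\r\n\r\n" not in head:
        head += c.recv(4096)
    method, target, _ = head.split(b"\r\n")[0].decode().split()   # step 2
    log.append((method, target))     # what the proxy can log: method, host:port
    host, port = target.rsplit(":", 1)
    up = socket.create_connection((host, int(port)))      # steps 3-4
    c.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")      # step 5
    t = threading.Thread(target=pipe, args=(up, c)); t.start()
    pipe(c, up); t.join(); c.close(); up.close()

def demo():
    o, p, seen, log = listen(), listen(), [], []
    ts = [threading.Thread(target=origin, args=(o, seen)),
          threading.Thread(target=proxy, args=(p, log))]
    for t in ts: t.start()
    target = "127.0.0.1:%d" % o.getsockname()[1]
    payload = b"\x16\x03\x01 constructed bytes standing in for TLS records"
    c = socket.create_connection(p.getsockname())
    c.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
    status = c.recv(4096)
    c.sendall(payload); reply = c.recv(4096); c.close()
    for t in ts: t.join()
    return status, log, target, payload, seen[0], reply

if __name__ == "__main__":
    print(demo())
```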