Forum Discussion

Jake_Tan_131739
Aug 16, 2013

HTTP and HTTPS in one VS

Hi,

Is it possible to do this via iRule?

Client sends to ports 80,443 >> Proxy listens on 8080 and forwards to LTM on 8080 >> LTM VS listens on port 8080 and forwards to 80,443

Thanks

16 Replies

  • I think the link provided is doing this

    Client 80,443 >>>>>>> Vs 8080 |LTM| >>>>>> 80,443

    Setup is somewhat like below... Need some help to distinguish ports 80 and 443 from the received port 8080.

    Client 80,443 >>>>>>> 8080 |Proxy Server| 8080 >>>>>>> Vs 8080 |LTM| >>>>>> 80,443

    Thanks

  • A few additional questions then, for clarification:

    1. You're expecting the LTM VIP to process SSL and non-SSL traffic on a single port (8080)? This is still technically possible, but considerably more difficult to achieve.

    2. Is the proxy server transparent? Forward? Reverse? Necessary?

    3. And is it necessary to have the LTM listen on 8080 and not on 80 and 443?

  • 1. Yes, clients requesting the internet will pass through 8080.
    2. client >>> forward proxy server >>> LTM >>> Internet
    3. Yes, clients requesting the internet on 80,443 go to the forward proxy on port 8080, then the forward proxy server sends the request to the LTM on port 8080.

  • Ahh, so you're implementing a FORWARD proxy for internal clients to access the Internet. That's a little different. Here are a few considerations:

    1. First and foremost, I tend to believe that the LTM would make more sense on the inside of the forward proxy (perhaps to load balance multiple proxies), otherwise I'm not 100% clear on what the LTM is doing.

    2. An explicit, non-transparent forward proxy requires configuration settings in the client browser (in this case to point to the proxy on port 8080). The proxy therefore TUNNELS all traffic (80/443) through the port 8080 connection. So,

       1 - browser makes connection to proxy on port 8080
       2 - browser issues HTTP CONNECT method, asking proxy to make SSL tunnel to origin web server
       3 - proxy resolves DNS hostname for origin server
       4 - proxy makes connection to origin on port 443
       5 - proxy replies to browser "HTTP/1.0 200 Connection established" to tell the browser that the SSL tunnel has been established.
       6 - browser and origin do SSL certificate exchange. Proxy is used, but just as a tunnel - SSL certificate info is not modified in any way by the proxy
       7 - browser sends "GET /" to origin server (via SSL tunnel through proxy) with host header filled out by browser. Again, proxy does not modify host header, as data is just being "tunneled"

       ** http://support.novell.com/docs/Tids/Solutions/10077499.html

    3. It makes sense in that regard that you're trying to do 80 and 443 in a single LTM VIP, but a) the proxy would connect to the LTM on the native port - 80 or 443, and not 8080, and b) again, unless you're doing something unique I still think the LTM should be on the other side of the forward proxy.

    4. Finally, unless you're providing significant web caching and/or content filtering on your forward proxy, there's both a published iRule and an iApp that will allow the LTM to perform forward proxy.
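The CONNECT tunnelling sequence in the reply above, illustrated with a short Python classifier added here (example code, not from the thread or from F5): given the request lines a browser sends to an explicit proxy on port 8080, it recovers the origin host and port, which is the only place the 80-vs-443 distinction survives once everything rides a single proxy port. The request lines, host names and helper names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request lines, as a browser configured to use an explicit
# forward proxy on port 8080 would send them (examples, not captured traffic).
SAMPLE_REQUEST_LINES = [
    "CONNECT www.example.com:443 HTTP/1.1",         # step 2: ask for an SSL tunnel
    "GET http://www.example.com/ HTTP/1.1",         # plain HTTP through the proxy
    "GET http://intranet.example:8000/x HTTP/1.1",  # explicit non-default port
]

TUNNEL_OK = "HTTP/1.0 200 Connection established\r\n\r\n"  # the step 5 reply


def classify_proxy_request(request_line: str) -> dict:
    """Recover the origin host/port from one request line seen on port 8080.

    Every request reaches the proxy over the same TCP port, so the origin
    port exists only in the request line: CONNECT carries host:port (443
    for HTTPS); plain HTTP carries an absolute URI whose scheme implies 80.
    """
    m = re.fullmatch(r"([A-Z]+) (\S+) HTTP/1\.[01]", request_line)
    if not m:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target = m.groups()
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        # Step 5: after dialing host:port the proxy sends TUNNEL_OK and then
        # relays bytes blindly; the SSL handshake (step 6) is opaque to it.
        return {"kind": "tunnel", "host": host, "port": int(port),
                "reply": TUNNEL_OK}
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        # Origin-form ("GET / HTTP/1.1") is not a proxy request, and browsers
        # request HTTPS through CONNECT (step 2), not via an https:// URI.
        raise ValueError("expected CONNECT or an absolute http:// URI")
    return {"kind": "forward", "host": parts.hostname,
            "port": parts.port or 80, "reply": None}


def origin_ports(request_lines=SAMPLE_REQUEST_LINES) -> list:
    """Origin port the proxy would dial for each request line, in order."""
    return [classify_proxy_request(line)["port"] for line in request_lines]


if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        print(f"{line!r:48} -> {classify_proxy_request(line)}")
```

Note that nothing in the TCP 5-tuple on port 8080 tells an intermediate device which origin port is intended; only the request line does, and after step 5 the stream is opaque TLS.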

  • Technically yes, but it would be very difficult and I don't really think that's the point. A forward proxy will attempt to first resolve and then directly connect to the remote Internet host, and on the origin port. Unless I'm still missing something, you'd either have to 1) modify the proxy to resolve all remote hosts to the LTM VIP, and then have the LTM perform the real DNS lookup and forward the request, or 2) put the LTM in forwarding mode, in which case it wouldn't matter what port or protocol was going through it. In no case can I imagine that the forward proxy would forward traffic to another device on the same proxy port (8080).