Http auth agent against SSL backend is not allowed
Hi,
I got our AAA HTTP Auth working with a layered VIP that also sent it through an outbound proxy, since the F5 instance itself is firewalled and can't talk directly to the internet.
Traffic flow:
HTTP AUTH -> sms_service_80 (REDIRECT) -> sms_service_443 -> outbound-proxy -> External SMS OTP service (internet)
In the HTTP Auth config, set Number Of Redirects To Follow to 1 so that it accepts a redirect.
Here's an AS3 snippet of the VS config:
```json
"sms_service_80": {
    "class": "Service_HTTP",
    "remark": "SMS Service Redirect",
    "virtualAddresses": [
        "10.0.0.1"
    ],
    "virtualPort": 80,
    "persistenceMethods": [],
    "iRules": [
        {
            "use": "sms-redirect.irule"
        }
    ],
    "snat": "auto"
},
"sms_service_443": {
    "class": "Service_HTTPS",
    "remark": "SMS Service Proxy",
    "virtualAddresses": [
        "10.0.0.1"
    ],
    "virtualPort": 443,
    "redirect80": false,
    "pool": "proxy-pool",
    "profileHTTP": {
        "use": "proxy-http"
    },
    "clientTLS": {
        "bigip": "/Common/serverssl"
    },
    "serverTLS": {
        "bigip": "/Common/clientssl"
    },
    "persistenceMethods": [],
    "snat": "auto"
},
"proxy-pool": {
    "class": "Pool",
    "monitors": [],
    "loadBalancingMode": "least-connections-member",
    "members": [
        {
            "shareNodes": true,
            "adminState": "enable",
            "servers": [
                {
                    "name": "outbound-proxy.localdomain.com",
                    "address": "10.1.1.1"
                }
            ],
            "servicePort": 8080
        }
    ]
},
"proxy-http": {
    "class": "HTTP_Profile",
    "proxyConnectEnabled": true
},
```
And the custom redirect iRule "sms-redirect.irule" that keeps method and body intact:
```tcl
when HTTP_REQUEST priority 500 {
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
    # 308 Permanent Redirect: Similar to 301, but it ensures that the method and body of the request are not changed
    HTTP::respond 308 Location "https://[HTTP::host][HTTP::uri]"
}
```
You also want to either add the external SMS-service hostname as a local alias on the F5 instance with the HTTP Auth in (System ›› Configuration : Device : Hosts) and keep the FQDN in the HTTP Auth config.
Or change it with an iRule on the 443 VS, and have the local IP in the HTTP Auth config:
```tcl
when HTTP_REQUEST_RELEASE priority 500 {
    HTTP::host "sms-service.example.com"
}
```
Otherwise the outbound-proxy won't know where to send the request.
Hope this helps someone (:
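A defender's check over the declaration above, as an added example that is not part of the original post: it walks the AS3 objects and flags the hops where the OTP request travels in cleartext or over TLS that relies on a built-in profile. The reduced `APP` input and the finding wording are constructed for this example, and it assumes the built-in `/Common/serverssl` and `/Common/clientssl` profiles are unmodified.

```python
# Added example (not from the post): audit AS3 objects for cleartext hops and
# built-in TLS profiles. Finding texts and the name `audit` are this example's own.

# Constructed input: the security-relevant keys of the post's declaration.
APP = {
    "sms_service_80": {"class": "Service_HTTP", "virtualAddresses": ["10.0.0.1"],
                       "virtualPort": 80,
                       "iRules": [{"use": "sms-redirect.irule"}]},
    "sms_service_443": {"class": "Service_HTTPS", "virtualAddresses": ["10.0.0.1"],
                        "virtualPort": 443, "pool": "proxy-pool",
                        "clientTLS": {"bigip": "/Common/serverssl"},
                        "serverTLS": {"bigip": "/Common/clientssl"}},
    "proxy-pool": {"class": "Pool", "monitors": [],
                   "members": [{"servicePort": 8080}]},
}

# Assumption: both built-ins are at factory settings. serverssl then ignores the
# upstream certificate; clientssl presents the self-signed default certificate.
BUILTIN = {
    "clientTLS": ("/Common/serverssl", "upstream certificate is not validated"),
    "serverTLS": ("/Common/clientssl", "listener presents the default certificate"),
}

def audit(app):
    """Return sorted (object, finding) pairs for one AS3 application dict."""
    findings = []
    tls_addrs = {a for o in app.values() if o.get("class") == "Service_HTTPS"
                 for a in o.get("virtualAddresses", [])}
    for name, obj in app.items():
        cls = obj.get("class")
        if cls == "Service_HTTP":
            # A redirect-only listener still receives the first request,
            # body included, in cleartext before it answers 308.
            if tls_addrs & set(obj.get("virtualAddresses", [])):
                findings.append((name, "request body crosses this hop in cleartext"))
        elif cls == "Service_HTTPS":
            for key, (profile, why) in BUILTIN.items():
                if obj.get(key, {}).get("bigip") == profile:
                    findings.append((name, f"{key} uses {profile}: {why}"))
            ref = obj.get("pool")
            pool = app.get(ref, {}) if isinstance(ref, str) else {}
            if pool.get("class") == "Pool" and not pool.get("monitors"):
                findings.append((ref, "no monitor: proxy outage goes unnoticed"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(APP):
        print(f"{obj}: {finding}")
```
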