Forum Discussion
NimbostratusHTTP Explicit Proxy and http requests
Ah, so the difference here is in how explicit proxy handles http vs. https. Https traffic is in fact sent into the tunnel to be picked up by a wildcard virtual server as you discovered, however http traffic is sent directly to the end web server requested using routing specified under network->routes. As far as forcing non-encrypted http traffic to hit that virtual server requires some irule manipulation to accomplish that. A simpler strategy then trying to "virtual" the connection over to wildcard vs is in the HTTP_PROXY_REQUEST method on the explicit proxy VS you could run some of that same logic and block connections based on uri and/or ip right there.
Ah, so the difference here is in how explicit proxy handles http vs. https. Https traffic is in fact sent into the tunnel to be picked up by a wildcard virtual server as you discovered, however http traffic is sent directly to the end web server requested using routing specified under network->routes. As far as forcing non-encrypted http traffic to hit that virtual server requires some irule manipulation to accomplish that. A simpler strategy then trying to "virtual" the connection over to wildcard vs is in the HTTP_PROXY_REQUEST method on the explicit proxy VS you could run some of that same logic and block connections based on uri and/or ip right there.
This was the way the explicit proxy was designed, I cannot go into specifics as I am not aware of complete reasoning but because of the way TLS vs. non-TLS is handled using the CONNECT verb from the client side it was determined for various reasons at the time that any manipulation by HTTP traffic could be handled on the explicit VS directly as I mentioned above and then passed using routing to the end web server directly as opposed to going through another layered VS as is done for HTTPS to improve performance, etc... There is discussions about improving the options in the explicit proxy profile to potentially allow more options to this behavior in the future but as of now this is how it is designed. To allow for adding of disallowed ipuri's in a single place each of the irules (explicit+wildcard VS) could make calls to a datagroup(s) that would compare current connection ip/uri to disallowed ip/uri's in the datagroup(s) so that as an admin you would just need to update the datagroup(s) and both irules on different VS's would block those new ip/uri's dynamically based on that. Hopefully this helps!
