Forum Discussion
HTTP Explicit Proxy and http requests
- Aug 03, 2016
Ah, so the difference here is in how explicit proxy handles HTTP vs. HTTPS. HTTPS traffic is in fact sent into the tunnel to be picked up by a wildcard virtual server, as you discovered; however, HTTP traffic is sent directly to the end web server requested, using the routing specified under Network -> Routes. Forcing non-encrypted HTTP traffic to hit that virtual server requires some iRule manipulation. A simpler strategy than trying to "virtual" the connection over to the wildcard VS: in the HTTP_PROXY_REQUEST method on the explicit proxy VS, you could run some of that same logic and block connections based on URI and/or IP right there.
One additional thought to add as to why: if the goal is for BIG-IP to act as an explicit proxy, then the easiest thing would be to accept the client connection and then just pass all connections out via default routing. But for HTTPS, since it would CONNECT and then try to negotiate SSL through that tunnel, if BIG-IP wanted to decrypt HTTPS at that point you would have to have another VS with a clientside and serverside SSL profile to allow decryption and then utilize the full BIG-IP feature set on the decrypted traffic before passing it to the end web server re-encrypted by BIG-IP. But instead of forcing HTTP to use this methodology as well, even though it is not necessary as it is non-TLS, it was decided for improved performance to allow it to just use routing and bypass that additional layered VS. Again, not a concrete answer based on direct knowledge, but just some more insight.
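Added example, not part of the original thread or F5's own code: an iRule sketch of the approach suggested above, blocking plain-HTTP requests by client IP, destination host or URI in HTTP_PROXY_REQUEST on the explicit proxy virtual server. The three data group names are hypothetical and would have to be created first.

```tcl
# Added example (not from the thread). Attach to the explicit proxy virtual server.
# Assumed, hypothetical data groups:
#   blocked_clients_dg (type: address) - client IPs/subnets denied proxy access
#   blocked_hosts_dg   (type: string)  - domain suffixes, e.g. ".blocked.example"
#   blocked_uri_dg     (type: string)  - lowercase URI substrings to deny
when HTTP_PROXY_REQUEST {
    # CONNECT (HTTPS) is left alone: it goes into the tunnel and is
    # picked up by the wildcard virtual server, which applies its own policy.
    if { [HTTP::method] eq "CONNECT" } { return }

    set client [IP::client_addr]
    # Strip an optional ":port" from the Host header (IPv6 literals are not handled here).
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set uri [string tolower [HTTP::uri]]
    set reason ""

    if { [class match $client equals blocked_clients_dg] } {
        set reason "client address"
    } elseif { [class match $host ends_with blocked_hosts_dg] } {
        set reason "destination host"
    } elseif { [class match $uri contains blocked_uri_dg] } {
        set reason "URI"
    }

    if { $reason ne "" } {
        # Log the decision so blocked plain-HTTP requests stay visible,
        # since this traffic never reaches the wildcard virtual server.
        log local0.notice "explicit-proxy block ($reason): client=$client host=$host uri=[HTTP::uri]"
        HTTP::respond 403 content "Request blocked by proxy policy\r\n" "Content-Type" "text/plain" "Connection" "close"
        return
    }
    # Anything not matched falls through and is routed to the origin server as usual.
}
```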