Forum Discussion
Ashish_205344
Nimbostratus
Jun 18, 2018
HTTP Forward Proxy Access Filter
I have implemented F5 as an explicit forward proxy. Now, to add further, I need to add some HTTP filtering so that servers in Group A can only access external domains defined in Group A, likewise for 100 of groups.
I have also got AFM provisioned, not sure which is the best way: iRule or AFM policy?
Any suggestions or iRule code snippets highly appreciated. Thanks in advance.
- Stanislas_Piro2
Cumulonimbus
Hi,
AFM is a Layer 4 firewall. It won't filter on HTTP host.
You can:
- create a data group with all allowed sites:

    ltm data-group internal Proxy_allowed_hosts {
        records {
            www.f5.com { }
            www.google.fr { }
        }
        type string
    }

- use this ltm policy (load it with load sys config merge from-terminal):

    ltm policy FORWARD_PROXY_FILTER {
        controls { forwarding }
        last-modified 2018-06-18:09:11:14
        requires { http http-explicit }
        rules {
            whitelist-http-proxy {
                conditions {
                    0 { http-uri proxy-request host datagroup Proxy_allowed_hosts }
                }
            }
            whitelist-connect {
                conditions {
                    0 { http-method proxy-request values { CONNECT } }
                    1 { http-uri proxy-request starts-with datagroup Proxy_allowed_hosts }
                }
                ordinal 1
            }
            redirect_unknown_host {
                actions {
                    0 { http-reply proxy-request redirect location http://www.google.fr }
                    1 { log proxy-request write facility local0 message tcl:[HTTP::uri] priority info }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }
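The per-group requirement from the question, and the difference between a starts-with comparison and an exact host comparison on a CONNECT target, can be checked offline before a rule set goes onto the proxy. This is an added example, not code from the thread or from F5: the subnets, group names and function names are constructed, and the starts-with rule is modelled as a plain string prefix test.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (not from the thread's device): client subnets
# mapped to a group, and the hosts each group may reach.
CLIENT_GROUPS = {"10.1.0.0/24": "group_a", "10.2.0.0/24": "group_b"}
ALLOWED_HOSTS = {
    "group_a": {"www.f5.com", "www.google.fr"},
    "group_b": {"www.f5.com"},
}

def request_host(method, target):
    """Host named by a proxy request target, lower-cased, without port."""
    # CONNECT targets are "host:port"; other proxy requests carry an absolute URI.
    url = "//" + target if method.upper() == "CONNECT" else target
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    return host.rstrip(".") if host else None

def client_group(client_ip):
    """Group of the first configured subnet containing the client address."""
    addr = ipaddress.ip_address(client_ip)
    for net, group in CLIENT_GROUPS.items():
        if addr in ipaddress.ip_network(net):
            return group
    return None

def allowed_exact(client_ip, method, target):
    """Allow only when the parsed host equals an entry in the client's group."""
    group = client_group(client_ip)
    host = request_host(method, target)
    return group is not None and host is not None and host in ALLOWED_HOSTS[group]

def allowed_prefix(target, hosts):
    """Model of a starts-with test on the raw CONNECT target string."""
    return any(target.lower().startswith(h) for h in hosts)

if __name__ == "__main__":
    for ip, method, target in [
        ("10.1.0.5", "CONNECT", "www.google.fr:443"),
        ("10.2.0.5", "CONNECT", "www.google.fr:443"),
        ("10.1.0.5", "CONNECT", "www.f5.com.example.net:443"),
    ]:
        print(ip, method, target, allowed_exact(ip, method, target),
              allowed_prefix(target, ALLOWED_HOSTS["group_a"]))
```

The last sample row shows why the comparison should be made on the parsed host: a prefix test accepts any longer name that merely begins with an allowed entry, while the exact comparison does not.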