Forum Discussion
Source Persistence for Proxy servers
Hi,
AFM is a Layer 4 firewall. It won't filter on HTTP host.
You can:
- create a data group with all allowed sites:
ltm data-group internal Proxy_allowed_hosts {
    records {
        www.f5.com { }
        www.google.fr { }
    }
    type string
}
- use this ltm policy (load it with: load sys config merge from-terminal):
ltm policy FORWARD_PROXY_FILTER {
    controls { forwarding }
    last-modified 2018-06-18:09:11:14
    requires { http http-explicit }
    rules {
        whitelist-http-proxy {
            conditions {
                0 {
                    http-uri
                    proxy-request
                    host
                    datagroup Proxy_allowed_hosts
                }
            }
        }
        whitelist-connect {
            conditions {
                0 {
                    http-method
                    proxy-request
                    values { CONNECT }
                }
                1 {
                    http-uri
                    proxy-request
                    starts-with
                    datagroup Proxy_allowed_hosts
                }
            }
            ordinal 1
        }
        redirect_unknown_host {
            actions {
                0 {
                    http-reply
                    proxy-request
                    redirect
                    location http://www.google.fr
                }
                1 {
                    log
                    proxy-request
                    write
                    facility local0
                    message tcl:[HTTP::uri]
                    priority info
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}
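An added example, not part of the post above and not BIG-IP code: a plain-Python model of that policy's first-match evaluation. The data group is a constructed stand-in, and the operand semantics are my assumptions (host compares the absolute-URI host exactly against a record; starts-with is a plain prefix test against each record). Besides confirming that the two whitelist rules pass the expected requests, it shows that the prefix test on the CONNECT target also accepts a target such as www.f5.com.evil.example:443, which the evaluate_strict_connect variant (my addition, comparing the host part of the target exactly) does not.

```python
# Added example (not BIG-IP code): a plain-Python model of the FORWARD_PROXY_FILTER
# policy above, reproducing its first-match rule order so the 'host' and
# 'starts-with' operands can be compared offline.
from urllib.parse import urlsplit

# Constructed stand-in for the Proxy_allowed_hosts string data group.
PROXY_ALLOWED_HOSTS = {"www.f5.com", "www.google.fr"}
REDIRECT_LOCATION = "http://www.google.fr"


def host_in_datagroup(host):
    """Assumed semantics of 'http-uri host datagroup': exact match on a record."""
    return host in PROXY_ALLOWED_HOSTS


def uri_starts_with_datagroup(uri):
    """Assumed semantics of 'http-uri starts-with datagroup': any record is a prefix."""
    return any(uri.startswith(record) for record in PROXY_ALLOWED_HOSTS)


def absolute_uri_host(uri):
    """Host of an absolute proxy-request URI (GET http://host/path).
    A CONNECT target (host:port) has no scheme and yields None."""
    if "://" not in uri:
        return None
    return urlsplit(uri).hostname  # urlsplit lower-cases the host


def evaluate(method, uri):
    """Return (rule, action) for one explicit-proxy request, as the posted policy would."""
    # whitelist-http-proxy: the absolute-URI host is a record in the data group
    host = absolute_uri_host(uri)
    if host is not None and host_in_datagroup(host):
        return ("whitelist-http-proxy", "forward")
    # whitelist-connect: CONNECT whose target starts with a record
    if method == "CONNECT" and uri_starts_with_datagroup(uri):
        return ("whitelist-connect", "forward")
    # redirect_unknown_host: everything else is redirected (and logged on the box)
    return ("redirect_unknown_host", "redirect " + REDIRECT_LOCATION)


def evaluate_strict_connect(method, uri):
    """Variant (my suggestion, not the posted policy): compare the host part of the
    CONNECT target exactly instead of with a prefix test."""
    host = absolute_uri_host(uri)
    if host is not None and host_in_datagroup(host):
        return ("whitelist-http-proxy", "forward")
    if method == "CONNECT":
        target_host = uri.rsplit(":", 1)[0]  # "host:port" -> host (IPv6 literals not handled)
        if host_in_datagroup(target_host):
            return ("whitelist-connect", "forward")
    return ("redirect_unknown_host", "redirect " + REDIRECT_LOCATION)


if __name__ == "__main__":
    for method, uri in [("GET", "http://www.f5.com/"),
                        ("CONNECT", "www.google.fr:443"),
                        ("CONNECT", "www.f5.com.evil.example:443"),
                        ("GET", "http://www.f5.com.evil.example/")]:
        print(method, uri, evaluate(method, uri), evaluate_strict_connect(method, uri))
```

The plain-HTTP rule is tight because host is an exact comparison; the CONNECT rule is only as tight as the prefix test, so if the data group records do not carry the port, anything beginning with an allowed name is let through. Appending ":443" to each record, or matching the host part exactly as in the variant, closes that.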
- What_Lies_Bene1, Nov 05, 2012
Cirrostratus
Do you have an SSLClient or SSLServer profile assigned to the Virtual Server? Should the server be terminating the SSL or the F5? That's one old version of the software btw.
- Oleg_68955, Nov 05, 2012
Nimbostratus
Hi Steve,
I didn't assign an SSLClient or SSLServer profile to the Virtual Server. Not sure if and how I have to do anything with that. I don't know which one should terminate the SSL. Do you know how I can find that out?
Thank you for the hints!
- What_Lies_Bene1, Nov 05, 2012
Cirrostratus
Can I ask, is the hostname resolving correctly and if so, have you confirmed that the client has a route to the Virtual Server address/range?
- Oleg_68955, Nov 05, 2012
Nimbostratus
No issues with IP addresses, routes or resolving hostnames.
What do you mean that curl doesn't support SSL/TLS?
I used curl to connect to another pool that exists on this LTM and it worked as expected, but not with this pool.
- What_Lies_Bene1, Nov 05, 2012
Cirrostratus
Was the other Pool using SSL? Anyway, it would seem your browser can't access the site or alternatively, the real servers don't have a route back to the client IP address (which MUST go via the F5). Can you check that please. It might also be useful if you could post the Virtual Server configuration in text form (tmsh list ltm...)
- Oleg_68955, Nov 05, 2012
Nimbostratus
I have some progress thanks to the hints from Steve. I assigned SSL Profile (Client) to the Virtual server, but I'm not sure if I have to do the same with SSL Profile (Client) (we have pools with both and only with the SSL Profile (Client) set up) and now I have these results from curl:
Enter host password for user 'username':
* About to connect() to mysite.com port 443 (0)
* Trying x.x.x.x... connected
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*  subject: C=US; ST=mystate; L=myplace; O=mycompany; CN=*.mysite.com
*  start date: 2012-05-23 00:00:00 GMT
*  expire date: 2014-05-23 23:59:59 GMT
*  common name: *.mysite.com (matched)
*  issuer: C=US; O=Thawte, Inc.; CN=Thawte SSL CA
* SSL certificate verify ok.
* Server auth using Basic with user 'username'
> GET /Servlet HTTP/1.1
> Authorization: Basic dGNsYXNzaWZpZXIxNTp0ZXN0Q2xhc3MzLjU=
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: mysite.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
- What_Lies_Bene1, Nov 05, 2012
Cirrostratus
That error code (54) is 'connection reset by peer' which backs up my theory that the server is routing traffic back to the client directly, not via the BIG-IP.
- Oleg_68955, Nov 05, 2012
Nimbostratus
It turns out that the issue is the value of SNAT Pool: it should be "Auto Map", not "None" as it was. This option is visible only when the Advanced configuration is chosen, not Basic, and that's why I missed it. Problem solved.
Steve, thanks for the help!
- What_Lies_Bene1, Nov 06, 2012
Cirrostratus
You're welcome.
- dd007_132137, Aug 23, 2013
Nimbostratus
I am seeing the same error from curl as Oleg posted. I also have auto-map selected in my SNAT pool. Here's the error:
* About to connect() to dd-test.api.devabcdcentral.com port 443 (0)
* Trying 10.162.143.11...
* connected
* Connected to dd-test.api.devabcdcentral.com (10.162.143.11) port 443 (0)
* successfully set certificate verify locations:
*  CAfile: ca.pem
*  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*  subject: C=US; ST=Missouri; L=Kansas CIty; O=abcd Corporation; CN=*.api.devabcdcentral.com
*  start date: 2013-02-25 17:23:45 GMT
*  expire date: 2015-02-26 00:57:04 GMT
*  subjectAltName: dd-test.api.devabcdcentral.com matched
*  issuer: C=US; O=Entrust, Inc.; OU=www.entrust.net/rpa is incorporated by reference; OU=(c) 2009 Entrust, Inc.; CN=Entrust Certification Authority - L1C
* SSL certificate verify ok.
> POST /collector/dropbox?datatype=test HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: dd-test.api.devabcdcentral.com
> Accept: */*
> Content-Length: 5746
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------8e653031b25f
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
The command I am trying is:
curl https://dd-test.api.devabcdcentral.com/collector/dropbox?datatype=test -F myFile=@pom.xml -v --key key.pem --cacert ca.pem --cert client.pem:ddtest
Could someone please share some pointers on what could be wrong here? Just fyi, my iRule looks like this:
when HTTP_REQUEST {
    if {([string tolower [HTTP::host]] equals "collector.api.devabcdcentral.com")} {
        log local0. "I'm in your lost section logging your iRulez"
    }
}

when RULE_INIT {
    set static::tlsdebug 1
    set static::cert_cache_time 3600
    log local0. "********** I'm in new collector endpoints' iRule (0) ************ $static::cert_cache_time"
}

# When a client starts the handshake, fall back to ignore mode;
# this is for renegotiating an authenticated session.
when CLIENTSSL_CLIENTHELLO {
    set sn [session lookup ssl [SSL::sessionid]]
    log local0. "********** I'm in new collector endpoints' iRule (1) ************ $sn"
    if {not ([info exists reneg]) || $reneg == 0} {
        SSL::cert mode ignore
        log local0. "********** Ignoring cert mode ************"
    }
}

when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        # Set the serial number for this request and stash it in session.
        set sn [string map {"" ""} [X509::serial_number [SSL::cert 0]]]
        session add ssl [SSL::sessionid] $sn $static::cert_cache_time
        # Release the collected transaction.
        HTTP::release
    }
    set reneg 0
}
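An added example, not part of any post in this thread: a small Python triage helper that reads a curl -v trace of the shape posted twice above and reports the stage at which the request broke, so a reset that arrives after a completed handshake (errno 54 is ECONNRESET on macOS/BSD, 104 on Linux) is not chased as a TLS problem. The sample traces are constructed from the pattern in the posts, the stage names and hint wording are mine, and the hint for the reset case summarizes the diagnosis given in this thread (replies must return via the BIG-IP, hence SNAT Automap, and it matters which side is meant to terminate TLS).

```python
# Added example (not from this thread's posts): classify a curl -v trace by the
# stage at which an HTTPS request failed, so a connection reset after a clean
# handshake is not chased as a TLS problem.
import re

# ECONNRESET as curl prints it: 54 on macOS/BSD (the traces in this thread), 104 on Linux.
ECONNRESET_ERRNOS = {"54", "104"}

# Constructed sample traces, condensed from the shape of the traces posted above.
SAMPLE_RESET_TRACE = """\
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* SSL certificate verify ok.
> GET /Servlet HTTP/1.1
> Host: mysite.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
"""

SAMPLE_HANDSHAKE_FAIL_TRACE = """\
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mysite.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to mysite.com:443
"""

SAMPLE_OK_TRACE = """\
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* SSL connection using RC4-MD5
* SSL certificate verify ok.
> GET /Servlet HTTP/1.1
> Host: mysite.com
>
< HTTP/1.1 200 OK
"""


def triage_curl_trace(trace):
    """Return {'stage': ..., 'hint': ...} for one curl -v trace."""
    lines = trace.splitlines()
    connected = any(ln.startswith("* Connected to") for ln in lines)
    handshake_started = any("TLS handshake, Client hello" in ln for ln in lines)
    tls_established = any(ln.startswith("* SSL connection using") for ln in lines)
    cert_rejected = any("SSL certificate problem" in ln or "certificate verify failed" in ln
                        for ln in lines)
    request_sent = any(ln.startswith("> ") for ln in lines)
    response_seen = any(ln.startswith("< HTTP/") for ln in lines)
    peer_reset = bool(set(re.findall(r"errno (\d+)", trace)) & ECONNRESET_ERRNOS)

    if not connected:
        return {"stage": "tcp_connect_failed",
                "hint": "No TCP connection: check name resolution, the route to the virtual server and its listening port."}
    if cert_rejected:
        return {"stage": "cert_verify_failed",
                "hint": "curl rejected the certificate: check the chain served by the client-ssl profile against the CA bundle given to curl."}
    if handshake_started and not tls_established:
        return {"stage": "tls_handshake_failed",
                "hint": "TLS never completed: whatever answered port 443 is not finishing the handshake (is a client-ssl profile on the virtual server, or is TLS being passed straight to a pool member that does not speak it?)."}
    if response_seen:
        return {"stage": "response_received", "hint": "TLS and HTTP both worked."}
    if request_sent and peer_reset:
        return {"stage": "reset_after_request",
                "hint": "TLS completed and the request was sent, then the peer reset the connection: look past TLS at the pool member's return path (replies must come back via the BIG-IP, e.g. SNAT Automap) and at which side is meant to terminate TLS (server-ssl profile if the pool member expects TLS)."}
    return {"stage": "unknown", "hint": "No known pattern matched; read the full trace."}


if __name__ == "__main__":
    for name, trace in [("reset", SAMPLE_RESET_TRACE),
                        ("handshake", SAMPLE_HANDSHAKE_FAIL_TRACE),
                        ("ok", SAMPLE_OK_TRACE)]:
        print(name, triage_curl_trace(trace)["stage"])
```

Both traces in this thread fall into the reset_after_request bucket: the certificate verified, the cipher was negotiated, the request headers went out, and only then did the peer reset. That is why the first case was solved on the SNAT setting rather than on the SSL profiles.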