For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ashish_205344's avatar
Ashish_205344
Icon for Nimbostratus rankNimbostratus
Jun 18, 2018

HTTP Forward Proxy Access FIlter

I have implemented F5 as explicit forward proxy, now to add further, i need to add some HTTP filtering so that Servers in Group A can only access external domains defined in Group A, likewaise for 10...
AFM
application delivery
iRules
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jun 18, 2018

Hi,

AFM is a Layer 4 firewall. it won't filter on HTTP host.

you can :

  • create a data group with all allowed sites:

    ltm data-group internal Proxy_allowed_hosts {
    records {
        www.f5.com { }
        www.google.fr { }
    }
    type string
}

  • use this ltm policy (load it with 

    load sys config merge from-terminal
    )

    ltm policy FORWARD_PROXY_FILTER {
    controls { forwarding }
    last-modified 2018-06-18:09:11:14
    requires { http http-explicit }
    rules {
        whitelist-http-proxy {
            conditions {
                0 {
                    http-uri
                    proxy-request
                    host
                    datagroup Proxy_allowed_hosts
                }
            }
        }
        whitelist-connect {
            conditions {
                0 {
                    http-method
                    proxy-request
                    values { CONNECT }
                }
                1 {
                    http-uri
                    proxy-request
                    starts-with
                    datagroup Proxy_allowed_hosts
                }
            }
            ordinal 1
        }
        redirect_unknown_host {
            actions {
                0 {
                    http-reply
                    proxy-request
                    redirect
                    location http://www.google.fr
                }
                1 {
                    log
                    proxy-request
                    write
                    facility local0
                    message tcl:[HTTP::uri]
                    priority info
                }
            }
            ordinal 2
        }
    }
    status published
    strategy first-match
}