HTTP full transparent proxy balancing
I have checked the F5 forums and docs, and the only idea I have so far is:
1. Clients send a request to an internet site with the real internet IP of the site as the destination IP. Routing makes sure it is forwarded to F5.
2. F5 has a wildcard virtual server running on any IP and on port 80, which gets the request and forwards it to one of the proxy servers (e.g. round robin balancing).
3. The proxy server sends the request to the internet site and adds an HTTP header with the name X-Forwarded-for, which has the IP of the client as its value.
4. F5 receives the request from the proxy server because the proxy server has the F5 as its default gateway.
5. The request from the proxy server is processed by a virtual server, and more specifically by an iRule on F5 which looks at the value of the X-Forwarded-for header and performs SNAT on the request from proxy to internet.
6. The internet site will see the IP of the client as the SRC IP, and not the IP of the proxy server or F5.
7. Routing makes sure that the response traffic from the internet site will go back to F5, which will forward the response to the proxy server.
The load balancer will be an F5 Big-IP 6900 (OS version 10.2.0). The current network topology is as follows (but it can be changed as needed):
Client --- F5 --- Internet
           |
     Proxy servers
I would like to kindly ask you to review my solution and confirm that it is feasible, or propose any other option to achieve full transparency with F5 features/functionality. Preferably without the necessity of using X-forwarded-for header enrichment.
Just one option to think about. The proxy server can act as a full transparent proxy itself, so it can send HTTP requests to the internet already with the client’s IP instead of its own IP. But in this case I have no idea how to instruct the F5 box to forward incoming HTTP responses to the correct proxy server (correct = previously selected by the load balancing algorithm). Any clue?
Thanks in advance.
- Cspillane_18296 (Nimbostratus): Hello Vilem,
- Vilem_96451 (Nimbostratus): Hi Chris,
thanks for the clue, but it seems the persistence profiles are only applicable on the client side. I will try to describe the essence of the problem.
C - client's IP address
S - webserver's IP address
I have a couple of full transparent proxy servers. Balancing incoming requests from the client is no problem - I have created a wildcard virtual server which forwards the packet to one of the proxy servers without changing the IP header - it is still src_IP=C, dest_IP=S.
The proxy server is (can behave as) a full proxy device, so it sends the packet to the internet again without changing the IP header (src=C, dst=S). This packet goes to the Internet again through the F5 box, which currently acts only as a router (IP forwarding virtual server).
And now we get to the core of the problem. The webserver sends the response (src_IP=S, dest_IP=C). Routing makes sure the packet arrives on the F5 box. And right now I need the F5 box to forward this packet to the relevant proxy server, but the IP header doesn't contain such information (it is src_IP=S, dest_IP=C).
I suppose some persistence record must be created somewhere. Maybe when the load-balancing decision is made? We have all the information to identify the session - client's IP, server's IP, selected proxy server. And then it should be somehow applied to the incoming packets.
Or
when the packet leaves the proxy server and is forwarded by the F5 box to the Internet? For example based on the client's IP, the webserver's IP and the proxy server's MAC address?
Maybe this approach is completely wrong. I don't know how the F5 handles the flows. Of course I can always use the trick with the X-forwarded-for line in the HTTP header, but I believe the F5 can handle it in a more elegant way :-).
Please help.
Vilem
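
The persistence-record idea from the post above, as an added Python model that is not F5 code and not part of the thread: the balancer learns the flow when the proxy's server-side packet leaves (keyed on the 4-tuple plus the proxy's source MAC) and steers the reply by the reversed tuple. All names, IPs and MACs are constructed, and it assumes the proxy picks its own source port for the server-side connection, so a record keyed on the client-side port seen at load-balancing time would not match.

```python
"""Constructed model of return-path steering for transparent proxies (not F5 code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str = ""  # L2 source of the frame as seen by the balancer


class ReturnPathTable:
    """Learn which proxy emitted a server-side flow; steer the reply back to it."""

    def __init__(self, proxy_macs):
        self.proxy_macs = set(proxy_macs)
        self.flows = {}  # (C, c_port, S, s_port) -> proxy MAC

    def learn_egress(self, pkt):
        """Call for packets travelling proxy -> internet (src=C, dst=S)."""
        if pkt.src_mac not in self.proxy_macs:
            return False  # not from a known proxy: never create a record
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.flows[key] = pkt.src_mac
        return True

    def steer_reply(self, pkt):
        """Reply has src=S, dst=C; look up the reversed 4-tuple."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return self.flows.get(key)  # None = no record, do not guess a proxy


def demo():
    C, S = "192.0.2.10", "198.51.100.80"  # constructed addresses
    proxy_a, proxy_b = "02:00:00:00:00:a1", "02:00:00:00:00:a2"
    table = ReturnPathTable({proxy_a, proxy_b})
    # Same client and server, two proxies: only the source port tells flows apart.
    table.learn_egress(Packet(C, 40001, S, 80, proxy_a))
    table.learn_egress(Packet(C, 40002, S, 80, proxy_b))
    ignored = table.learn_egress(Packet(C, 40003, S, 80, "02:00:00:00:00:ff"))
    return {
        "flow1": table.steer_reply(Packet(S, 80, C, 40001)),
        "flow2": table.steer_reply(Packet(S, 80, C, 40002)),
        "unknown": table.steer_reply(Packet(S, 80, C, 40003)),
        "learned_from_unknown_mac": ignored,
    }
```

A record keyed only on (C, S) would send both replies in `demo()` to whichever proxy was learned last, which is why the ports are part of the key.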