Forum Discussion
iRule - SSL Forward proxy bypass, some sites won't work.
I have an F5 BIG-IP working as a forward SSL proxy, but some sites just won't work. That's why I have developed an iRule to have a bypass list based on IP addresses.
Traffic-flow is like this.
Client -> Catch All VS for all traffic, or VS with port 443 for SSL traffic -> iRule -> Forward to pool that contains a Checkpoint -> Checkpoint routing points back to F5 -> New Catch All VS that forwards traffic and Automap -> Internet router -> Internet.
The start of the iRule:
when CLIENT_ACCEPTED {
    log local0.alert "[IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
    # On TCP session initiation, we don't know if this is going to be SSL or otherwise,
    # so disable SSL and HTTP profiles and then collect the payload
    if { [class match [IP::local_addr] equals bypass-dst] } {
        log local0.alert "*** Bypass SSL for IP [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
        SSL::disable clientside
        SSL::disable serverside
        HTTP::disable
        pool pool-checkpoint-internal
    }
}
The iRule works for most sites; we then get the proper certificates and not the internally generated one. But there are still some sites that won't work.
For example: https://www.fulfilment-portal.stralfors.se/ is the one I am having issues with now. This is a TLS1.0 site with old ciphers, so I was thinking the F5 is dropping the connection based on that? But I have no SSL profiles associated with the Catch All VS that handles Automap and forwards to the internet. So the F5 should not do anything with the traffic? Or is there some interface/self-IP setting I need to tweak?
It's kinda frustrating to not be able to let traffic flow directly through; I don't want the F5 to change or do anything with the traffic on the bypass list.
7 Replies
The best way of disabling SSL Intercept in the SSL Forward Proxy Scenario is to use SSL Bypass settings in the SSL profile. Can you give it a try and see if you still have the same issue?
- ReWrite_132188
Nimbostratus
Are you talking about the lists? I find them not working as intended... but I can give it a go.
Sorry, meant to post URL originally - please try this and post what does not work:
- Sec-Enabled_658
Cirrostratus
I did some testing with the ssl forward proxy with the bypass option. The problem that I was seeing is that traffic wasn't matching categories until I updated the SWG database. Did you do an update of the Database?
- ReWrite_132188
Nimbostratus
I am not using the SWG in conjunction with SSL Forward proxy. This is just LTM + SSL Forward Proxy enabled. :/
I'm not quite getting the issue at this point. Is it that even with the bypass the connection to the .se site fails? Does it work for the same client if you bypass the F5 / CP / ...?
I also don't understand the need for the Check Point; might IPS or such be active?
- Kevin_Stewart
Employee
So what is the rest of the iRule doing? You may have luck with the SSL Intercept iApp, which is basically doing the same thing you're describing and can support your configuration.
So does the forward proxy source address bypass option work? You just have to create an address-based data group with each IP (as address - no value needed) that you want to bypass.
That site in particular supports TLSv1 with TLS_RSA_WITH_AES_256_CBC_SHA, so any BIG-IP version (11.4 - 12.0) should be able to work. Do you know why your config isn't working for this site? Have you done an ssldump capture on the server side of the proxy to see what's going on?
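A complete version of the destination-based bypass iRule sketched in the original post, with the address-type data group Kevin describes and server-side logging to narrow down which side drops the failing site. This is an added example, not code from the thread or from F5; the data-group and pool names follow the post, and the 203.0.113.0/24 entry is a constructed placeholder.

```tcl
# Added example (not from the thread). Assumes an address-type data group
# named bypass-dst, created for instance with (placeholder address):
#   tmsh create ltm data-group internal bypass-dst type ip records add { 203.0.113.0/24 { } }
# and the pool pool-checkpoint-internal from the original post.
when CLIENT_ACCEPTED {
    # The bypass decision must be made here, before any ClientHello arrives:
    # once the client-side SSL profile has started the handshake for this
    # flow, SSL::disable no longer takes effect for it.
    if { [class match [IP::local_addr] equals bypass-dst] } {
        # Destination is on the bypass list: hand the TCP stream through
        # untouched so the client sees the origin server's own certificate.
        SSL::disable clientside
        SSL::disable serverside
        HTTP::disable
        pool pool-checkpoint-internal
        log local0.info "bypass [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    } else {
        # Not on the list: leave the SSL forward proxy profiles active so the
        # BIG-IP intercepts and re-signs; the virtual server's default pool applies.
        log local0.info "intercept [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    }
}

# Server-side visibility for the sites that still fail: record where the
# server-side connection went and which side tore the flow down first.
when SERVER_CONNECTED {
    log local0.info "server side up [IP::client_addr]:[TCP::client_port] -> [IP::server_addr]:[TCP::server_port]"
}
when SERVER_CLOSED {
    log local0.info "server closed [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    log local0.info "client closed [IP::client_addr]:[TCP::client_port]"
}
```

Reading the close events in /var/log/ltm next to an ssldump on the server-side VLAN shows whether the bypassed flow ever reached the origin and who closed it.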