For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

krys-s_153533's avatar
krys-s_153533
Icon for Nimbostratus rankNimbostratus
Dec 01, 2015

iRule for redirect to proxy server.

Hello, Is it possible to run on F5 diversion for example, one address (in this case HTTPS) that the unit acted as a proxy server and for the address to redirect traffic to another proxy server (software squid is the option "cache_peer [ipaddress proxy] parent [proxy port] 0)?

 

I set the pool on the proxy server and port, I tried to set iRule:

 

 

when HTTP_REQUEST {

 

switch -glob [HTTP:host] {

 

"domain.domain.eu" {

 

HTTP::header replace https://domain.domain.eu

 

pool proxy

 

} } }

 

Regards, Krzysztof

 

application delivery
iRules
LTM

1 Reply

  • VernonWells's avatar
    VernonWells
    Icon for Employee rankEmployee
    Dec 01, 2015

    Do you wish to forward a request from the BIG-IP to a pool of proxy servers, or do you intend for the BIG-IP to cache the content (which a squid caching server would do in this case)? Further, are you intending to accept HTTPS requests and, on the backend, also use TLS/HTTPS? Do you want to forward for just requests against a specific domain (domain.domain.eu in your example)?

    If you don't care about the domain and you are not caching the content on the BIG-IP, then you can use a straight fastL4 Virtual Server:

    If you want to handle requests only for specific domains, you have two choices:

    1. Use the CN on the certificate (and possibly the alts);
    2. Unencrypt on the BIG-IP and use the Host header (as you appear to be doing above).

    Assuming you require 2, you must create a Virtual Server with a client-ssl profile:

    If you subsequently must re-encrypt the request toward the parent cache, you must also use a server-ssl profile:

    From there, to forward only traffic for the specified domain, you may use an iRule:

    when HTTP_REQUEST {
    if { [getfield [string tolower [HTTP::host]] : 1] eq "domain.domain.eu" } {
        pool parent-proxy-pool
    }
}

    or with a Local Traffic Policy:

    ltm policy parent-proxy {
    controls { forwarding }
    requires { http }
    rules {
        rule-domain.domain.eu {
            actions {
                0 {
                    forward
                    select
                    pool pool-parent-proxy
                }
            }
            conditions {
                0 {
                    http-host
                    values { domain.domain.eu }
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}

    If you require local caching on the BIG-IP, that is a matter of provisioning Application Acceleration Manager (AAM) and assigning a to the listening Virtual Server.

    If I've completely misunderstood your question, I apologize in advance and look forward to hearing more :).