Forum Discussion

SCRN
Dec 05, 2022

iRule for web proxy for only 2 addresses on the internet

Hello, I created the proxy following this manual:
https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using/ta-p/286647

After that I want to create a custom iRule or another solution for the following task:

source addresses: 5 servers in the DMZ zone
destination addresses on the internet: only 2 addresses:
https://login.microsoftonline.com
https://graph.microsoft.com

First of all, do I need to create a data group list with these URLs as strings and attach it to the iRule, or should all the information be only in the iRule?

Please, can somebody share a manual or an example for that solution?

  • Hi SCRN,

    If the Explicit Forward Proxy is already working for you, you could simply attach an iRule to the Virtual Server to filter your client IPs and destination URLs.

    when CLIENT_ACCEPTED {
        # Stage 1: only source IPs listed in the address data group may use the proxy
        if { [class match -- [IP::client_addr] equals HTTP_PROXY_CLIENTS] == 1 } then {
            # Allow trusted clients...
            log local0.debug "Trusted Client = [IP::client_addr]"
        } else {
            # Drop untrusted clients...
            log local0.debug "Untrusted Client = [IP::client_addr]"
            drop
        }
    }
    when HTTP_PROXY_REQUEST {
        # Stage 2: the requested host (host:port for CONNECT requests) must be in the string data group
        if { [class match -- [HTTP::host] equals HTTP_PROXY_ALLOW_LIST] == 1 } then {
            # Allow known URLs...
            log local0.debug "Allowed URL = [HTTP::host]"
        } else {
            # Reject unknown URLs with a 403 and drop the connection...
            log local0.debug "Denied URL = [HTTP::host]"
            HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
            drop
        }
    }

    Note: Remove or adjust the log lines as needed...

    The iRule uses two data groups to specify the allowed client IPs and allowed destination IPs.

    Note: You can enter individual client IPs or subnets in CIDR notation.

    Note: You may enter www.domain.de:443 for SSL sites and/or www.domain.de for HTTP sites.

    Cheers, Kai
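    As an added illustration (not code from Kai's post or from F5), the following Python model reproduces the two decisions the iRule above makes, so the data-group semantics can be checked before the rule goes on a Virtual Server: an address-type data group matched with host entries and CIDR subnets, and a string-type data group matched exactly against the Host value. The data-group contents and the sample requests are constructed; the only assumption beyond the post is that for an HTTPS site the browser issues CONNECT host:443, so the Host value the proxy sees carries the port, which is why the host:443 entries from the note above are needed.

```python
import ipaddress

# Constructed data-group contents (not from the original post).
# HTTP_PROXY_CLIENTS mirrors an address-type data group: a CIDR subnet plus one single host.
# HTTP_PROXY_ALLOW_LIST mirrors a string-type data group with the two hosts from the question
# in the host:port form the answer recommends for SSL sites.
HTTP_PROXY_CLIENTS = ("192.0.2.0/29", "192.0.2.100")
HTTP_PROXY_ALLOW_LIST = (
    "login.microsoftonline.com:443",
    "graph.microsoft.com:443",
)


def client_allowed(client_ip, data_group=HTTP_PROXY_CLIENTS):
    """CLIENT_ACCEPTED stage: is the source IP inside any entry (single host or CIDR)?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in data_group)


def host_allowed(http_host, data_group=HTTP_PROXY_ALLOW_LIST):
    """HTTP_PROXY_REQUEST stage: exact match on the Host value, like 'class match ... equals'."""
    return http_host in data_group


def proxy_decision(client_ip, http_host):
    """Return ("allow" | "deny", reason) for one proxied request, evaluated in iRule order."""
    if not client_allowed(client_ip):
        return ("deny", "untrusted client %s dropped at CLIENT_ACCEPTED" % client_ip)
    if not host_allowed(http_host):
        return ("deny", "host %s not in allow list, 403 at HTTP_PROXY_REQUEST" % http_host)
    return ("allow", "client %s may reach %s" % (client_ip, http_host))


# Constructed sample requests: (client IP, value HTTP::host would carry).
# Assumption: an HTTPS site is requested as "CONNECT host:443", so Host includes the port.
SAMPLE_REQUESTS = (
    ("192.0.2.3", "login.microsoftonline.com:443"),    # DMZ subnet member, allowed host
    ("192.0.2.100", "graph.microsoft.com:443"),        # single-IP entry, allowed host
    ("192.0.2.3", "graph.microsoft.com"),              # port missing: no match against the host:443 entry
    ("192.0.2.3", "example.com:443"),                  # host not on the list
    ("198.51.100.9", "login.microsoftonline.com:443"), # client outside the DMZ range
)


def evaluate_samples(requests=SAMPLE_REQUESTS):
    """Run every sample request through proxy_decision and return the verdicts in order."""
    return [proxy_decision(ip, host) for ip, host in requests]


if __name__ == "__main__":
    for (ip, host), (verdict, why) in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print("%-5s %-14s %-32s %s" % (verdict, ip, host, why))
```

    The third sample is the case the note about www.domain.de:443 covers: a bare host name does not match an entry that carries the port, so both forms have to be listed if a site is reached over HTTP as well as HTTPS. The ordering also shows why the client check belongs in CLIENT_ACCEPTED: an untrusted client is dropped before any request is parsed.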

  • SCRN

    Second question: do I need to attach this iRule to the wildcard VIP too, or only to the proxy VIP?

    • Hi SCRN,

      The wildcard VIP and also the HTTP tunnel are both not needed to run an Explicit HTTP Proxy. Don't know why the author included them.

      You may check a guide published by Stanislas_Piro2 as an alternative. You just need a VS, a custom HTTP profile and a DNS resolver. Nothing more... Then attach the provided iRule to the VS hosting the Explicit Proxy.

      Use F5 LTM as HTTP Proxy - DevCentral (Only apply the steps from "Create HTTP Proxy Virtual Server")

      Cheers, Kai