Forum Discussion
marcusovsky_577
Aug 23, 2011 (Nimbostratus)
LTM as a proxy
Hello, this is my first post so hope you can assist me ...
This is my scenario (using LTM version 9.4.8):
I need to configure my LTM as a full proxy for the following traffic flow: ...
Hi Mark,
The LTM can't really become a full proxy in the sense of proxy systems such as Squid, IronPort or Blue Coat.
There is a limited proxy iRule that hoolio had written up (it doesn't support the HTTP CONNECT method or HTTPS):
web proxy example
This is a simple, incomplete example web proxy iRule.
It only supports limited proxy functionality of converting the requested host
(from an absolute URI or the Host header) to an IP address and sending the request on.
It doesn't support CONNECT/HTTPS or most other RFC2616 requirements for a web proxy.
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

    # Check if the URI is absolute and http://
    if {[string tolower [HTTP::uri]] starts_with "http://"}{
        # Parse the host value from the URI
        set host [URI::host [HTTP::uri]]
        log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
    } else {
        set host [HTTP::host]
    }

    # Check if host header has a port
    if {$host contains ":"}{
        # Scan the host header to parse the host and port
        if {[scan $host {%[^:]:%s} host port] == 2}{
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
        } else {
            # Host value was host: without a port. Use the requested port.
            set port [TCP::local_port]
        }
    } else {
        # Host header didn't have a port. Use the requested port.
        set port [TCP::local_port]
    }

    # Check if the host header isn't an IP address (ie, it contains an alpha character)
    if {[string match {*[a-zA-Z]*} $host]}{
        log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host"
        # Perform a DNS lookup of the hostname
        NAME::lookup $host
        # Hold the request until name resolution completes
        HTTP::collect
    } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{
        log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]"
        # Request was to a valid IP address, so use that as the destination
        node $host $port
    } else {
        # Couldn't parse host header. Could use the destination IP address as the destination?
        HTTP::respond 400 content "Invalid Host header"
        log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]"
    }
}

when NAME_RESOLVED {
    set response [NAME::response]
    log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])"

    # Check if there is a resolution answer and it's an IP address
    switch [llength $response] {
        0 {
            # No response, or response wasn't an IP address
            log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
            HTTP::respond 500 content "Couldn't process request"
        }
        default {
            # Response was one or more list entries. Use the first list element. Check if it's an IP address.
            if {[catch {IP::addr [lindex $response 0] mask 255.255.255.255}]==0}{
                # Request was to a valid IP address, so use that as the destination
                if {$port != "" and [string is integer $port]}{
                    log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port"
                    node [lindex $response 0] $port
                } else {
                    # No usable port was parsed, so fall back to the port the client connected to
                    log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port [lindex $response 0]:[TCP::local_port]"
                    node [lindex $response 0] [TCP::local_port]
                }
            } else {
                # No response, or response wasn't an IP address
                log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
                HTTP::respond 500 content "Couldn't process request"
            }
        }
    }
    # Release the request
    HTTP::release
}
You will probably need to do the following to enable the DNS lookups:
http://ask.f5.com/kb/en-us/solutions/public/8000/400/sol8437.html
I hope this helps
Bhattman
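The iRule above forwards to whatever host the client names, so it behaves as an open forwarder unless you restrict destinations. The following is an added Python example (not code from the thread or from F5) that reproduces the iRule's host/port selection order (absolute http:// URI first, then the Host header, port falling back to the port the client connected to, alpha characters meaning "needs DNS", otherwise IPv4 only) and adds a destination allowlist; ALLOWED_DESTINATIONS and the 400/403 responses are assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist; the iRule on the page has no equivalent check.
ALLOWED_DESTINATIONS = {"intranet.example.com", "10.0.0.5"}


def parse_destination(uri, host_header, local_port):
    """Return (kind, host, port); kind is 'dns', 'ip' or 'invalid'.

    Follows the iRule's order: an absolute http:// URI overrides the Host
    header, and a missing or non-numeric port falls back to local_port.
    """
    if uri.lower().startswith("http://"):
        # Like URI::host: take the authority part, dropping any userinfo.
        netloc = urlsplit(uri).netloc.rpartition("@")[2]
    else:
        netloc = host_header or ""
    # Same as scan "%[^:]:%s": split at the first colon only (IPv4/hostnames only).
    host, _, port_text = netloc.partition(":")
    port = int(port_text) if port_text.isdigit() else local_port
    if not host:
        return ("invalid", host, port)
    if re.search(r"[A-Za-z]", host):
        return ("dns", host.lower(), port)        # NAME::lookup branch
    try:
        ipaddress.IPv4Address(host)               # IP::addr ... mask branch
    except ValueError:
        return ("invalid", host, port)
    return ("ip", host, port)


def decide(uri, host_header, local_port, allowlist=ALLOWED_DESTINATIONS):
    """Return ('forward', host, port) or ('reject', status).

    400 mirrors the iRule's "Invalid Host header" response; 403 is the
    added allowlist rejection that keeps this from being an open proxy.
    """
    kind, host, port = parse_destination(uri, host_header, local_port)
    if kind == "invalid" or not 1 <= port <= 65535:
        return ("reject", 400)
    if host not in allowlist:
        return ("reject", 403)
    return ("forward", host, port)
```

Resolve the 'dns' kind only after the allowlist check, so unapproved names never trigger a lookup.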