Forum Discussion
marcusovsky_577
Nimbostratus
Aug 23, 2011
LTM as a proxy
Hello, this is my first post, so I hope you can assist me ...
This is my scenario (using LTM version 9.4.8):
I need to configure my LTM as a full proxy for the following traffic flow:...
Nat_Thirasuttakorn
Employee
Aug 25, 2011
Hi Mark,
I don't have an answer to your question.
I'll just show you an alternative iRule that can serve as an example of how to handle the CONNECT method. (It is not well written, btw.)
- the part that handles the CONNECT method is in CLIENT_DATA (you need to have TCP::collect in CLIENT_ACCEPTED so CLIENT_DATA can be fired)
- the idea is to detect whether it starts with the word "CONNECT", then resolve the IP, then HTTP::disable
A few things to note:
- this iRule does not contain any error handling (it needs extra work)
- I have this running with pre-v11 and never tested it with older versions (sorry)
- this iRule uses the new RESOLV::lookup command in v10. You might have to port this to use NAME::lookup if you want to stay on v9
```tcl
when CLIENT_ACCEPTED {
    snat automap
    # Collect the first client bytes so that CLIENT_DATA fires
    TCP::collect
}
when CLIENT_DATA {
    if { [TCP::payload] starts_with "CONNECT" } {
        # Request line has the form "CONNECT host:port HTTP/1.x"
        set uri [getfield [TCP::payload] " " 2]
        set host [getfield $uri ":" 1]
        set port [getfield $uri ":" 2]
        # If $host is not an IP address, resolve it and use the first answer
        if { [catch {IP::addr $host mask 255.255.255.255} ] } {
            set ips [RESOLV::lookup @1.2.3.4 -a $host]
            set host [lindex $ips 0]
        }
        log local0.alert "[IP::client_addr] CONNECT: node $host $port"
        log local0.alert "[IP::client_addr] PAYLOAD: [TCP::payload]"
        node $host $port
        # The tunnel carries opaque bytes, so stop HTTP processing
        HTTP::disable
        TCP::respond "HTTP/1.0 200 Connection Established\r\n\r\n"
        # Drop the CONNECT request so it is not forwarded to the node
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
}
when HTTP_REQUEST {
    # Plain proxy request: the URI is absolute (http://host[:port]/path?query)
    set method [HTTP::method]
    set host [URI::host [HTTP::uri]]
    set port [URI::port [HTTP::uri]]
    # Initialise path so it exists even when the regexp does not match
    set path ""
    regexp {http://[^/]+(/[^?]*)?.*} [HTTP::uri] match path
    if { $path eq "" } { set path "/" }
    set query [URI::query [HTTP::uri]]
    if { $port eq "" } { set port 80 }
    log local0.alert "$method [HTTP::uri] => $host"
    # If $host is not an IP address, resolve it and use the first answer
    if { [catch {IP::addr $host mask 255.255.255.255} ] } {
        set ips [RESOLV::lookup @1.2.3.4 -a $host]
        set host [lindex $ips 0]
    }
    if { $host eq "" } {
        log local0.alert "unknown host"
        reject
        HTTP::respond 200 content "unknown host [HTTP::host]"
        return
    }
    # Rewrite the absolute URI to origin form before sending it to the node
    if { $query eq "" } {
        HTTP::uri "${path}"
    } else {
        HTTP::uri "${path}?${query}"
    }
    log local0.alert "node $host $port uri=[HTTP::uri]"
    node $host $port
}
```
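The reply above says the iRule has no error handling. As an added example (not part of the original post and not F5 code), this Python model of the CONNECT branch shows the checks that step needs before `node` is called: a complete request, a well-formed `host:port`, an allowed port and a successful lookup. `ALLOWED_PORTS`, `fake_resolve` (a stand-in for `RESOLV::lookup`) and the sample names and addresses are assumptions constructed for the example.

```python
import ipaddress

ALLOWED_PORTS = {443}  # assumption: tunnels are only wanted for HTTPS
FAKE_DNS = {"www.example.com": ["192.0.2.10"]}  # constructed DNS answers

def fake_resolve(host):
    """Stand-in for RESOLV::lookup: list of addresses, empty on failure."""
    return FAKE_DNS.get(host, [])

def parse_connect(payload):
    """Return (host, port) from a complete CONNECT request, else None."""
    # The first collected segment may hold only part of the request.
    if b"\r\n\r\n" not in payload:
        return None
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    # Split on the LAST colon so a bracketed IPv6 literal keeps its colons.
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    if not 0 < int(port) < 65536:
        return None
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)

def pick_node(payload, resolve=fake_resolve):
    """Return ((ip, port), "ok") or (None, reason) for a CONNECT payload."""
    target = parse_connect(payload)
    if target is None:
        return None, "malformed or incomplete CONNECT"
    host, port = target
    if port not in ALLOWED_PORTS:
        return None, "port not allowed"
    try:
        ip = str(ipaddress.ip_address(host))  # already an address literal
    except ValueError:
        answers = resolve(host)
        if not answers:  # failed lookup: never pass an empty host on
            return None, "unknown host"
        ip = answers[0]
    return (ip, port), "ok"
```

In the iRule, each `(None, reason)` result corresponds to logging the reason and refusing the connection instead of calling `node`.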
