Forum Discussion
Jayme_41167
Nimbostratus
Oct 17, 2009
LTM like Web Proxy (Squid)
Hi all,
I am a beginner with F5.
I need to configure the LTM as a web proxy (Squid).
Is this possible?
Thanks.
Jayme.
21 Replies
- hoolio
Cirrostratus
Hi Jayme,
LTM cannot provide web proxy functionality using default configuration. I've tried to do this in an iRule, but it's still not full web proxy functionality.
Aaron
- Jayme_41167
Nimbostratus
Hi Aaron,
Please, do you have a basic iRule to implement Squid in LTM? I need only basic web proxy functionality.
Thanks.
- hoolio
Cirrostratus
I did preliminary testing of this iRule to handle proxied requests. If you try this and run into issues, can you provide details?

    # web proxy example
    #
    # This is a simple, incomplete example web proxy iRule. It only supports limited
    # proxy functionality of converting the requested host (from an absolute URI or the
    # Host header) to an IP address and sending the request on. It doesn't support
    # CONNECT/HTTPS or most other RFC2616 requirements for a web proxy.
    #
    # Note: nothing here restricts where the proxy will connect. Any client that can
    # reach the virtual server can use it to reach any host the LTM can resolve.

    when HTTP_REQUEST {
       log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

       # Check if the URI is absolute and http://
       if {[string tolower [HTTP::uri]] starts_with "http://"}{
          # Parse the host value from the URI
          set host [URI::host [HTTP::uri]]
          log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
       } else {
          set host [HTTP::host]
       }

       # Check if the host value has a port
       if {$host contains ":"}{
          # Scan the host value to parse the host and port
          if {[scan $host {%[^:]:%s} host port] == 2}{
             log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
          } else {
             # Host value was "host:" without a port. Use the requested port.
             set port [TCP::local_port]
          }
       } else {
          # Host value didn't have a port. Use the requested port.
          set port [TCP::local_port]
       }

       # Check if the host value isn't an IP address (ie, it contains an alpha character).
       # This test also matches IPv6 literals, which this example does not support.
       if {[string match {*[a-zA-Z]*} $host]}{
          log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host"
          # Perform a DNS lookup of the hostname
          NAME::lookup $host
          # Hold the request until name resolution completes
          HTTP::collect
       } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{
          log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]"
          # Request was to a valid IP address, so use that as the destination
          node $host $port
       } else {
          # Couldn't parse host value. Could use the destination IP address as the destination?
          HTTP::respond 400 content "Invalid Host header"
          log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]"
       }
    }

    when NAME_RESOLVED {
       set response [NAME::response]
       log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])"

       # Check if there is a resolution answer and it's an IP address
       switch [llength $response] {
          0 {
             # No response, or response wasn't an IP address
             log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
             HTTP::respond 500 content "Couldn't process request"
          }
          default {
             # Response was one or more list entries. Use the first list element.
             # Check if it's an IP address.
             if {[catch "IP::addr [lindex $response 0] mask 255.255.255.255"]==0}{
                # Response was a valid IP address, so use that as the destination
                if {$port != "" and [string is integer $port]}{
                   log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port"
                   node [lindex $response 0] $port
                } else {
                   # No usable port was parsed: fall back to the port the request arrived on
                   # (the original posted code referenced an undefined $::default_port here)
                   log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port [lindex $response 0]:[TCP::local_port]"
                   node [lindex $response 0] [TCP::local_port]
                }
             } else {
                # Response wasn't an IP address
                log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
                HTTP::respond 500 content "Couldn't process request"
             }
          }
       }
       # Release the request
       HTTP::release
    }
Aaron
- Jayme_41167
Nimbostratus
Hi Aaron,
Sorry, but there were errors:
01070151:3: Rule [proxy_irule] error: line 6: [parse error: missing close-brace] [{ log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]" Check if host header has a port if {[HTTP::host] contains ":"}{ Scan the host header to parse the host and port if {[scan [HTTP::host] {%[^:]:%s} host port] == 2}{ log local0. "[IP::client_addr]:[TCP::client_port]: \$host:\$port: $host:$port" } else { Host header didn't have a value for host and port if {not ([info exists host]}{ set host "" } else { set port "" } } else { Host header didn't have a port set host [HTTP::host] set port "" } Check if the host header isn't an IP address (ie, it contains an alpha character) if {[string match {*[a-zA-Z]*} $host]}{ log local0. "[IP::client_addr]:[TCP::client_port]: Host not an IP: [HTTP::host]"
My LTM is version 10.0.1.
Thanks.
- hoolio
Cirrostratus
Sorry about that. I had made a few tweaks to the host header parsing and didn't check the syntax afterwards. I updated the last version to also check for absolute HTTP URIs and parse the host from there if present instead of using the Host header.
Other than that, this example leaves a lot to be desired in terms of RFC2616 web proxy requirements. Most notably, it doesn't handle HTTPS or the CONNECT method.
Aaron
- Fadhil_Marus__T
Nimbostratus
Hi Aaron,
Sorry, but I've got an error like this:
Nov 4 10:19:31 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: Non-existent/invalid response:
Nov 4 10:19:49 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: New HTTP GET request to www.gmail.com, http://www.gmail.com/
Nov 4 10:19:49 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: Parsed www.gmail.com from URI http://www.gmail.com/
Nov 4 10:19:49 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: Host value not an IP: www.gmail.com
Nov 4 10:19:49 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: Resolution response: (elements: 0)
Nov 4 10:19:49 local/tmm info tmm[3914]: Rule stage2_proxy_emul : 10.140.1.2:32960: Non-existent/invalid response:
Have you experienced this? I'm on LTM 10.0.1.
- hoolio
Cirrostratus
Hi Fadhil,
I haven't tested name resolution in v10. If no one here has a suggestion for configuring this, you might try opening a case with F5 Support asking them for confirmation of any config changes that are required.
Aaron
- Fadhil_Marus__T
Nimbostratus
Hi Aaron,
Just verifying the VS configuration: can you help me by providing your VS running configuration? Is it a wildcard or a single address? Translation, pools, SNAT, others?
Many thanks in advance...
Fadhil
- Fadhil_Marus__T
Nimbostratus
Hi Aaron,
It works!! There's SOL5299 for DNS resolution, and the HTTP proxy works like a charm, but still no HTTPS/CONNECT function. Any ideas?
Thanks
Fadhil
- hoolio
Cirrostratus
Hi Fadhil,
Sorry, I thought you were saying you had DNS set up on LTM but it wasn't working from the iRule.
I'm not sure how to support HTTPS or the CONNECT method. I can try looking into this, but I don't think I will have much time in the near future.
Aaron
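The thread ends with two open points: the iRule only derives the destination from an absolute http:// URI or the Host header, and it has no CONNECT/HTTPS support. The following is an added example in Python, not code from the thread or from F5, that shows the request-target parsing a forward proxy actually needs (absolute form, origin form with Host header, and the CONNECT authority form the thread says is missing, including ports and bracketed IPv6 literals), plus the two policy checks the iRule lacks: an allow list on the requested name and port, and a check on the resolved address, which corresponds to the NAME_RESOLVED step. The function names, the listen port, the `example.com` allow list and the sample requests are assumptions made up for the illustration; the parsing rules follow RFC 7230/7231.

```python
"""Forward-proxy request-target parsing and destination policy (added example,
not code from the thread or from F5; names and policy are illustrative)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}


class ProxyRequestError(ValueError):
    """Raised for a request the proxy should answer with 400."""


@dataclass(frozen=True)
class Target:
    host: str     # name or IP literal, exactly as the client sent it
    port: int
    tunnel: bool  # True for CONNECT: opaque TCP relay, no HTTP rewriting
    is_ip: bool   # host is an IP literal, so no name resolution is needed


def _split_hostport(authority: str, default_port: Optional[int]) -> Tuple[str, int]:
    """Split 'host', 'host:port', '[v6]' or '[v6]:port'; raise on anything else.
    A trailing 'host:' with no digits takes the default, like the iRule's scan case."""
    if authority.startswith("["):                 # bracketed IPv6 literal
        end = authority.find("]")
        if end < 0:
            raise ProxyRequestError("unterminated IPv6 literal")
        host, rest = authority[1:end], authority[end + 1:]
        if rest and not rest.startswith(":"):
            raise ProxyRequestError("unexpected text after IPv6 literal")
        port_str = rest[1:]
    else:
        host, _, port_str = authority.partition(":")
    if not host:
        raise ProxyRequestError("empty host")
    if port_str == "":
        if default_port is None:                  # CONNECT requires an explicit port
            raise ProxyRequestError("port is required")
        return host, default_port
    if not port_str.isdigit() or not 0 < int(port_str) < 65536:
        raise ProxyRequestError("bad port %r" % port_str)
    return host, int(port_str)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_proxy_request(request_line: str, headers: Dict[str, str],
                        listen_port: int = 80) -> Target:
    """Decide where a proxied request goes. headers: names already lower-cased.
    listen_port plays the role of TCP::local_port in the iRule (port fallback)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ProxyRequestError("malformed request line")
    method, target, _version = parts
    if method.upper() == "CONNECT":
        # authority form, e.g. "CONNECT mail.example.com:443 HTTP/1.1"
        host, port = _split_hostport(target, None)
        return Target(host, port, True, _is_ip_literal(host))
    lowered = target.lower()
    for scheme, default in DEFAULT_PORTS.items():
        prefix = scheme + "://"
        if lowered.startswith(prefix):
            # absolute form: authority is everything up to the first "/" or "?"
            authority = target[len(prefix):].split("/", 1)[0].split("?", 1)[0]
            authority = authority.rsplit("@", 1)[-1]   # drop any userinfo
            host, port = _split_hostport(authority, default)
            return Target(host, port, False, _is_ip_literal(host))
    if not target.startswith("/"):
        raise ProxyRequestError("unsupported request-target")
    # origin form ("GET /path"): only the Host header names the destination
    host_header = headers.get("host", "").strip()
    if not host_header:
        raise ProxyRequestError("origin-form request without Host header")
    host, port = _split_hostport(host_header, listen_port)
    return Target(host, port, False, _is_ip_literal(host))


def rejects(request_line: str, headers: Optional[Dict[str, str]] = None) -> bool:
    """True when the request would get a 400 instead of being forwarded."""
    try:
        parse_proxy_request(request_line, headers or {})
    except ProxyRequestError:
        return True
    return False


# Assumed policy for the example: only these suffixes/ports may be proxied,
# and raw IP literals are refused because they bypass name-based policy.
ALLOWED_SUFFIXES = ("example.com",)
ALLOWED_PORTS = (80, 443)


def is_allowed(target: Target) -> bool:
    if target.is_ip or target.port not in ALLOWED_PORTS:
        return False
    name = target.host.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)


def resolved_ip_ok(ip: str) -> bool:
    """Post-resolution check (the NAME_RESOLVED step): a permitted name that
    resolves to loopback, link-local, RFC 1918 or similar space must still be
    refused, or the proxy becomes a pivot into the network behind it."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_loopback or addr.is_link_local or addr.is_private
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
```

For a `Target` with `tunnel=True` the proxy's job after these checks is different from the HTTP case: it opens a TCP connection to `host:port`, answers the client with a 2xx status, and then relays bytes in both directions without interpreting them, which is why the HTTP-level parsing and rewriting in the iRule cannot carry over to CONNECT. Run `is_allowed` before any DNS lookup and `resolved_ip_ok` on the answer afterwards; the second check is what stops a permitted name that resolves to 127.0.0.1 or 169.254.169.254 from being forwarded.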