Hi all, I am beginner with the F5. I need to configure the LTM as a web proxy (squid). This is possible? Thanks. Jayme.

Hi Jayme, LTM cannot provide web proxy functionality using default configuration. I've tried to do this in an iRule, but it's still not full web proxy functionality. Aaron

Hi Aaron, Please, you have an basic irule to implement squid in LTM ? I need only basic web proxy functionality. Thanks.

I did preliminary testing of this iRule to handle proxied requests. If you try this and run into issues, can you provide details? web proxy example This is a simple, incomplete example web proxy iRule. It only supports limited proxy functionality of converting the requested host (from an absolute URI or the Host header) to an IP address and sending the request on. It doesn't support CONNECT/HTTPS or most other RFC2616 requirements for a web proxy. when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]" Check if the URI is absolute and http:// if {[string tolower [HTTP::uri]] starts_with "http://"}{ Parse the host value from the URI set host [URI::host [HTTP::uri]] log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]" } else { set host [HTTP::host] } Check if host header has a port if {$host contains ":"}{ Scan the host header to parse the host and port if {[scan $host {%[^:]:%s} host port] == 2}{ log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port" } else { Host value was host: without a port. Use the requested port. set port [TCP::local_port] } } else { Host header didn't have a port. Use the requested port. set port [TCP::local_port] } Check if the host header isn't an IP address (ie, it contains an alpha character) if {[string match {*[a-zA-Z]*} $host]}{ log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host" Perform a DNS lookup of the hostname NAME::lookup $host Hold the request until name resolution completes HTTP::collect } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{ log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]" Request was to a valid IP address, so use that as the destination node $host $port } else { Couldn't parse host header. Could use the destination IP address as the destination? HTTP::respond 400 content "Invalid Host header" log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]" } } when NAME_RESOLVED { set response [NAME::response] log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])" Check if there is a resolution answer and it's an IP address switch [llength $response] { 0 { No response, or response wasn't an IP address log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response" HTTP::respond 500 content "Couldn't process request" } default { Response was one or more list entries. Use the first list element. Check if it's an IP address. if {[catch "IP::addr [lindex $response 0] mask 255.255.255.255"]==0}{ Request was to a valid IP address, so use that as the destination if {$port != "" and [string is integer $port]}{ log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port" node [lindex $response 0] $port } else { log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port $response:[TCP::local_port]" node [lindex $response 0] $::default_port } } else { No response, or response wasn't an IP address log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response" HTTP::respond 500 content "Couldn't process request" } } } Release the request HTTP::release } Aaron

Hi Aaron, Sorry, but there were errors: 01070151:3: Rule [proxy_irule] error: line 6: [parse error: missing close-brace] [{ log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]" Check if host header has a port if {[HTTP::host] contains ":"}{ Scan the host header to parse the host and port if {[scan [HTTP::host] {%[^:]:%s} host port] == 2}{ log local0. "[IP::client_addr]:[TCP::client_port]: \$host:\$port: $host:$port" } else { Host header didn't have a value for host and port if {not ([info exists host]}{ set host "" } else { set port "" } } else { Host header didn't have a port set host [HTTP::host] set port "" } Check if the host header isn't an IP address (ie, it contains an alpha character) if {[string match {*[a-zA-Z]*} $host]}{ log local0. "[IP::client_addr]:[TCP::client_port]: Host not an IP: [HTTP::host]" My LTM is version 10.0.1. Thanks.

Sorry about that. I had made a few tweaks to the host header parsing and didn't check the syntax afterwards. I updated the last version to also check for absolute HTTP URIs and parse the host from there if present instead of using the Host header. Other than that, this example leaves a lot to be desired in terms of RFC2616 web proxy requirements. Most notably, it doesn't handle HTTPS or the CONNECT method. Aaron

LTM like Web Proxy (Squid)

21 Replies

dom_chang_23836
Nimbostratus
Nov 17, 2009
Posted By Fadhil Marus (TSID) on 11/08/2009 9:53 PM

Hi Arron,

it works!! there's SOL5299 for DNS resolution , and the HTTP proxy works like a charm, but still no HTTPS/CONNECT function, any ideas?

Thanks

Fadhil

so what was the irule that worked with plain http?
hoolio
Cirrostratus
Nov 18, 2009
Hi Dom,

Fadhil was talking about the iRule posted above:

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&postid=85518&view=topic85545

Aaron
dom_chang_23836
Nimbostratus
Nov 18, 2009
Thanks Aaron but he reported errors with it, but regardless, found another way around the issue....thanks anyways.
hoolio
Cirrostratus
Nov 18, 2009
Yep--which I fixed in the same post. Anyhow, it's not a fully functional rule and I am not sure it's plausible to implement full web proxy functionality in an iRule. So if you've found another solution that would probably be better.

Aaron
The_Bhattman
Nimbostratus
Nov 19, 2009
It would be so nice in future versions the iRule unlocked TCL command "http". The things I could do that ;-)

Bhattman
t123444_89792
Nimbostratus
Jun 15, 2010
Works great! Had to do some modifications for the port detection, didn't work straight out of the box with v10.1.

Check if host header has a port if {$host contains ":"}{

I had to use [HTTP::host] instead of $host there to get it rolling.

Would I be able to make this to do HTTP --> HTTPS transition (with chosen SSL-profile) just by modifying this, or is that too complicated? I mean traffic sent to LTM in private network would be HTTP, and them LTM would send it to public network using HTTPS with chosen profile.
hoolio
Cirrostratus
Jun 15, 2010
And actually, you could update the iRule for 10.1+ to use RESOLV::lookup instead of NAME::lookup. The RESOLV::lookup command should be more efficient than NAME::lookup:

http://devcentral.f5.com/wiki/default.aspx/iRules/resolv__lookup

The functional difference between the two is that RESOLV::lookup suspends and returns the result inline, whereas NAME::lookup continues and eventually causes NAME_RESOLVED to fire and then you need to call NAME::response to retrieve it.

Aaron
t123444_89792
Nimbostratus
Jun 16, 2010
Thanks for the tips Aaron

If I recall correctly, the problem was that the value of $host didn't contain the port or the colon, so I used [HTTP::host] instead which fixed the issue.

I will try the RESOLV::lookup and SSL profile.
Spidey_29396
Nimbostratus
Feb 20, 2012
Hi Aaron,

Do the iRule you provided have URL redirect functionality and do we still need to define pool in the VS?
Spidey_29396
Nimbostratus
Feb 21, 2012
Hi Fadhil,

What's the configuration of your VS?

Thanks!