Forum Discussion
hc_andy_35682
Mar 22, 2010 (Nimbostratus)
OneConnect and Proxy/Squid Load Balancing
Hi All,
We provide proxy services (http/https) to a large number of schools (each with their own static IP). Each school can have 1000's of connections to the virtual server at any time...
mikand_61525
Jan 14, 2012 (Nimbostratus)
Sure, I hope the attached code is enough to reproduce this?
The setup is:
Physical address of the forward http(s)-proxy is 10.1.1.254, which listens on 3128 for http and 3129 for https (in this test setup I just use one box; in the true scenario there will be more than one).
This is verified to work when you set the following settings in your browser (Firefox):
Manual proxy configuration:
HTTP Proxy: 10.1.1.254:3128
SSL Proxy: 10.1.1.254:3129
Virtual address of the forward http(s)-proxy is 10.2.1.1, which also listens on 3128 for http and 3129 for https.
Which means that you need these settings in your browser to let the F5 do its magic (both as load balancer and as protocol inspector):
Manual proxy configuration:
HTTP Proxy: 10.2.1.1:3128
SSL Proxy: 10.2.1.1:3129
The VS_PROXY_HTTP uses an http profile, http class, analytics, oneconnect and a small tcp-lan-optimized tweak, and works like a charm.
The VS_PROXY_HTTPS doesn't, so I (in the uploaded code) have disabled the http profile, which also means that I am forced to disable the http class AND analytics 😞 in order to make it work. If you enable the http profile you will notice that the F5 will just send FIN-ACK in return as soon as the client sends its "CONNECT https://www.example.com:443/".
As a side note, I have also tried to disable oneconnect (even if it's enabled in the uploaded code).
The configuration is pretty straightforward (sure, I have tweaked the monitors, but that's just to make them less aggressive because each ping etc. generates log entries in the forward proxy).
The logical flow for the packets is more or less:
client -> F5 -> forward-http(s)-proxy -> application firewall -> external net
The application firewall is set to do SSL termination, so I could load the private key used for this in the F5 and use it as server-ssl if needed, but then again - I believe the problem is in how the http profile functions (my best guess so far is that the http profile doesn't allow "CONNECT" as a method), simply because the VS_PROXY_HTTPS works when I disable the http profile.
There is also a new setting (I think when you set up client/server-ssl) named "proxy ssl", and I wonder if it would help in my case?
Oh and the firmware used is v11.1.
ltm default-node-monitor {
    rule /Common/ICMP_PROXY
}
ltm node /Common/PROXY1 {
    address 10.1.1.254
}
ltm pool /Common/POOL_PROXY_HTTP {
    load-balancing-mode fastest-node
    members {
        /Common/PROXY1:3128 {
            address 10.1.1.254
        }
    }
    monitor /Common/inband and /Common/TCP_PROXY
    service-down-action reset
}
ltm pool /Common/POOL_PROXY_HTTPS {
    load-balancing-mode fastest-node
    members {
        /Common/PROXY1:3129 {
            address 10.1.1.254
        }
    }
    monitor /Common/inband and /Common/TCP_PROXY
    service-down-action reset
}
ltm virtual /Common/VS_PROXY_HTTP {
    destination /Common/10.2.1.1:3128
    http-class {
        /Common/HTTPCLASS_PROXY
    }
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/SOURCE_ADDR_PROXY {
            default yes
        }
    }
    pool /Common/POOL_PROXY_HTTP
    profiles {
        /Common/ANALYTICS_PROXY { }
        /Common/HTTP_PROXY { }
        /Common/ONECONNECT_PROXY { }
        /Common/TCP-LAN-OPTIMIZED_PROXY { }
    }
    vlans-disabled
}
ltm virtual /Common/VS_PROXY_HTTPS {
    destination /Common/10.2.1.1:3129
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/SOURCE_ADDR_PROXY {
            default yes
        }
    }
    pool /Common/POOL_PROXY_HTTPS
    profiles {
        /Common/ONECONNECT_PROXY { }
        /Common/TCP-LAN-OPTIMIZED_PROXY { }
    }
    vlans-disabled
}
ltm virtual-address /Common/10.2.1.1 {
    address 10.2.1.1
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm monitor icmp /Common/ICMP_PROXY {
    defaults-from /Common/icmp
    destination *
    interval 15
    time-until-up 0
    timeout 46
}
ltm monitor tcp /Common/TCP_PROXY {
    defaults-from /Common/tcp
    destination *:*
    interval 15
    time-until-up 0
    timeout 46
}
ltm persistence source-addr /Common/SOURCE_ADDR_PROXY {
    app-service none
    defaults-from /Common/source_addr
    timeout 3600
}
ltm profile analytics /Common/ANALYTICS_PROXY {
    captured-traffic-external-logging disabled
    captured-traffic-internal-logging enabled
    collect-geo enabled
    collect-http-throughput enabled
    collect-ip enabled
    collect-methods enabled
    collect-page-load-time enabled
    collect-response-codes enabled
    collect-server-latency enabled
    collect-url enabled
    collect-user-agent enabled
    collect-user-sessions enabled
    collected-stats-external-logging disabled
    collected-stats-internal-logging enabled
    defaults-from /Common/analytics
    description none
    notification-by-email disabled
    notification-by-snmp disabled
    notification-by-syslog disabled
    remote-server-ip any6
    remote-server-port 514
    remote-server-syslog-facility local0
    session-timeout 300
    session-timeout-minutes 5
    traffic-capture {
        capturing-for-ANALYTICS_PROXY {
            captured-protocols all
        }
    }
    trust-xff enabled
}
ltm profile http /Common/HTTP_PROXY {
    app-service none
    defaults-from /Common/http
    security enabled
}
ltm profile httpclass /Common/HTTPCLASS_PROXY {
    app-service none
    asm enabled
    defaults-from /Common/httpclass
}
ltm profile one-connect /Common/ONECONNECT_PROXY {
    app-service none
    defaults-from /Common/oneconnect
    max-age 3600
    source-mask 255.255.255.255
}
ltm profile tcp /Common/TCP-LAN-OPTIMIZED_PROXY {
    app-service none
    defaults-from /Common/tcp-lan-optimized
    proxy-buffer-high 280000
    proxy-buffer-low 277000
}
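A small probe to reproduce the CONNECT symptom described above without a browser, as an added example that is not part of the original post or of F5's tooling: it sends a CONNECT request in the authority form browsers use (host:port, RFC 7231) to a proxy address and classifies what comes back, so the physical proxy (10.1.1.254:3129) and the virtual server (10.2.1.1:3129) can be compared side by side. The host names, the `probe_connect` helper and the result labels are assumptions made for this example.

```python
import socket

def build_connect_request(host: str, port: int) -> bytes:
    # Authority-form target, which is what browsers send for an SSL proxy
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")

def classify_connect_reply(data: bytes) -> str:
    """Map the first bytes received after a CONNECT to a diagnosis label."""
    if not data:
        # Peer closed (FIN) before answering: the symptom seen with the http profile on
        return "closed-without-response"
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "non-http-response"
    try:
        status = int(parts[1])
    except ValueError:
        return "non-http-response"
    if 200 <= status < 300:
        return "tunnel-established"        # proxy accepted CONNECT, TLS can start
    if status in (401, 407):
        return "proxy-auth-required"
    return f"proxy-error-{status}"

def probe_connect(proxy_ip: str, proxy_port: int, target_host: str,
                  target_port: int = 443, timeout: float = 5.0) -> str:
    """Open a TCP connection to the proxy, send CONNECT, classify the outcome."""
    try:
        with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target_host, target_port))
            try:
                data = s.recv(4096)
            except ConnectionResetError:
                data = b""                 # RST instead of FIN: same diagnosis
            except socket.timeout:
                return "no-response-timeout"
    except OSError as exc:
        return f"connect-failed-{exc.errno}"
    return classify_connect_reply(data)

if __name__ == "__main__":
    # Addresses from the post; www.example.com is a placeholder target
    for label, ip in (("physical proxy", "10.1.1.254"), ("virtual server", "10.2.1.1")):
        print(label, ip, "->", probe_connect(ip, 3129, "www.example.com"))
```

Run it from a client on the school side with the http profile enabled and then disabled on VS_PROXY_HTTPS; a "closed-without-response" result from the virtual server while the physical proxy reports "tunnel-established" isolates the behaviour to the virtual server's profile chain.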