Forum Discussion
Proxy Bypass
We are using the LTM to direct traffic to our proxy servers; it is currently in line with our firewall, and we are using the following iRule to bypass the proxy for HTTP. We need to do the same type of thing with HTTPS and FTP but are running into problems. We have tried changing HTTP_REQUEST to CLIENT_ACCEPTED and HTTP::host to URI::host.
    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::host]] contains bypass_list] } {
            pool External_gateway
        }
    }
7 Replies
- nitass
Employee
> we need to do the same type of thing with HTTPS and FTP but are running into problems.
Isn't it easier to create HTTPS (0.0.0.0:443/0) and FTP (0.0.0.0:21/0) virtual servers and set the gateway as a pool?
- Mike_Rinaldi_77
Nimbostratus
We have the 0.0.0.0/443 and 0.0.0.0/21 virtual servers set to our proxy pool; we only want specific sites listed in bypass_list to go to the external gateway.
- nitass
Employee
Can you try something like this? bypass_ip_list is a destination IP address data group.
e.g.
    when CLIENT_ACCEPTED {
        if { [class match -- [IP::local_addr] equals bypass_ip_list] } {
            pool External_gateway
        }
    }
- Mike_Rinaldi_77
Nimbostratus
Wouldn't that just create a list of clients that would then be able to bypass the proxy for FTP and HTTPS?
- Kevin_Stewart
Employee
The most immediate problem, I'm assuming here, is that you're trying to get the HTTP host name inside an encrypted 0.0.0.0:443/0 VIP. You would need to decrypt the SSL to know what it was, and that would be difficult given the wildcard config. Can you differentiate the bypass list by IP address instead?
- nitass
Employee
> Wouldn't that just create a list of clients that would then be able to bypass the proxy for FTP and HTTPS?
I thought it is based on destination (not source/client) because in the case of HTTP, you are using HTTP::host.
- uni
Altocumulus
No need to decrypt the packet. This is a transparent proxy, so the client will have resolved the name to the correct address and [IP::local_addr] will be the remote server's IP address per nitass' example.
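The destination-based match from nitass' and uni's replies, modelled in Python as an added example (not code from the thread or from F5). It assumes a wildcard virtual server where the local address is the server the client was connecting to, and an address data group that matches both host and network records; the pool name proxy_pool, the addresses and the connections are constructed.

```python
import ipaddress

# Constructed sample records for a destination-address data group (bypass_ip_list).
BYPASS_IP_LIST = ["198.51.100.10", "203.0.113.0/24"]

# Constructed connections seen by the wildcard virtual servers:
# (client address, destination address, destination port)
CONNECTIONS = [
    ("10.1.1.20", "198.51.100.10", 443),   # HTTPS to a listed host
    ("10.1.1.99", "198.51.100.10", 21),    # different client, same listed host, FTP
    ("10.1.1.20", "203.0.113.77", 443),    # inside a listed network
    ("10.1.1.20", "192.0.2.50", 443),      # not listed
]


def load_group(records):
    """Parse host and CIDR records into network objects."""
    return [ipaddress.ip_network(r) for r in records]


def select_pool(dest_ip, group, bypass_pool="External_gateway",
                default_pool="proxy_pool"):
    """Model of the CLIENT_ACCEPTED check: match the destination only.

    No HTTP host name or TLS decryption is needed, because the client has
    already resolved the name; the client address plays no part.
    proxy_pool is a hypothetical name for the existing proxy pool.
    """
    dest = ipaddress.ip_address(dest_ip)
    if any(dest in net for net in group):
        return bypass_pool
    return default_pool


def route_all(connections, records):
    """Return (client, destination, port, pool) for each connection."""
    group = load_group(records)
    return [(c, d, p, select_pool(d, group)) for c, d, p in connections]


if __name__ == "__main__":
    for client, dest, port, pool in route_all(CONNECTIONS, BYPASS_IP_LIST):
        print(f"{client} -> {dest}:{port}  pool={pool}")
```

Two different clients reaching the same listed destination both go to External_gateway, while the same client reaching an unlisted destination stays on the proxy pool.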
