Forum Discussion
bensimmons_9230
Nimbostratus
NimbostratusProxyPass 8.2 external web proxy
Hello All,
I am running BIG-IP 9.4.8 Build 385.0 Hotfix HF2 with ProxyPass v8.2 (https://devcentral.f5.com/wiki/iRules.ProxyPass.ashx)
I am trying to use the ProxyPass iRule to proxy external websites through a domain owned by my company. Say my company owns the following address:
https://mycompany.com/proxy/fandango.com (SSL)
I want this to proxy the actual fandango.com:
http://fandango.com (HTTP)
This is important due to a web application that needs to stay within our domain. Based on other threads here, I created a pool with fandango.com as the member, and then configured ProxyPass to proxy using this pool with the following entry in the appropriately named ProxyPass data group:
/proxy/fandango.com fandango.com fandango.com (clientURL serverURL pool)
SNAT Automap is enabled on the associated VS. I have tried with and without OneConnect.
The problem is that when I go to https://mycompany.com/proxy/fandango.com in a web browser, it sits there connecting for a while and then times out with an error message indicating the connection was reset.
Running WireShark on the external interface of the BigIP I can see that the BigIP is going out to fandango.com from an appropriate, SNATed external address and downloading data. On the client side I can see the SSL connection is established, waits for a few seconds, and then the BigIP sends a RST. It generally seems to take about 10 seconds to time out; I tried messing with TCP profiles to increase timeouts and this made it take longer, but with the same result.
The additional problem is that the fandango.com pool member is an IP, so if the actual website changes their IP it will fail. Is there any way to get this to work with DNS instead of IP?
The following DevCentral post was the closest I was able to find to my situation:
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1179347/showtab/groupforums/Default.aspx
I have contacted F5 Support and the only help they can offer is to post the issue here. Any help would be greatly appreciated.
Thanks,
-Ben
hooleylistCirrostratus
Hi Ben,
One option would be to upgrade to 10.2.x, use the updated v10/11 ProxyPass iRule and modify it to use RESOLV::lookup to resolve the external domain name to an IP address.
https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx
https://devcentral.f5.com/wiki/iRules.resolve__lookup.ashx
Or you could use a shell script called from cron to check if the IP for the external hostname has changed. If it had then use bigpipe to update the pool with the new IP address.
There's a related enhancement request to support name based load balancing using DNS so that TMM would do this for you. You could open a case with F5 Support to add your request to it. If you do, reference BZ353855.
Thanks, Aaron
bensimmons_9230Hi Aaron,
Thanks for the suggestion; I think this would solve the DNS/IP issue.
So that leaves the timeouts/resets which are currently making this solution unusable (I have not been able to actually proxy any websites because of this).
Do you have any idea as to what could be causing this or any potential fix?
Thanks!
-Ben- bensimmons_9230Does anyone have any ideas on this? Is any further troubleshooting needed? Does anyone have ProxyPass being used successfully for this purpose?
Thanks!
-Ben - hooleylistIf you take the ProxyPass iRule off and replace it with a simple URI rewrite do you see the timeout issue? If that does have the problem, then you can remove ProxyPass from your troubleshooting. If that resolves the issue, you could add the ProxyPass iRule back with debug enabled and check the logs output in /var/log/ltm for a failure.
Aaron