For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

larry_p_134874's avatar
larry_p_134874
Icon for Nimbostratus rankNimbostratus
Feb 27, 2014

proxypass to external web site

Using the ProxyPass iRule Version 10.9 on a F5 BIG-IP 10.2.4 Build 591.0 Hotfix HF2 and the following configuration, assuming the external web site is working properly, should the following work for https://10.0.0.10/anything_here_ignored to https://ex.ternal.com/login_portal.jsp?VAR1=VALUE1&VAR2=VALUE2? For internal use currently but 10.0.0.10 will be changed to an external IP address.

Many thanks!

virtual APP-test-f5-vs {
   pool EX.TERNAL.com-pool
   destination 10.0.0.10:https
   ip protocol tcp
   rules proxypass
   profiles {
      APP-test-f5-server {
         serverside
      }
      http {}
      tcp {}
   }
}

pool EX.TERNAL.com-pool {
   monitor all tcp
   members {
      1.2.3.4:https {}
      1.2.3.5:https {}
   }
}

profile serverssl APP-test-f5-server {
   defaults from serverssl
   key "APP_key.key"
   cert "APP_cert_1.crt"
   chain none
   ca file none
   ciphers "DEFAULT"
   options dont insert empty fragments
   modssl methods disable
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   secure renegotiation request
   unclean shutdown enable
   strict resume disable
   handshake timeout 60
   alert timeout 60
   cache size 262144
   cache timeout 3600
}

class ProxyPassAPP-test-f5-vs {
   {
      "/" { "/login_portal.jsp?VAR1=VALUE1&VAR2=VALUE2" }
      "NOTE!" { "name of this data group must be `ProxyPass' immediately followed by the name of the virtual server that will use this data group" }
   }
}
application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
LTM
security

2 Replies

  • Scott_Hopkins's avatar
    Scott_Hopkins
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2014
    Everything after the '?' is not part of the URI path. IIRC you can't rewrite anything more than the path with the default ProxyPass.
  • larry_p_134874's avatar
    larry_p_134874
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2014
    Right, but can you ADD a query string (actually add a program name as the URI and a query string)? It appears so (intended or not); /var/log/ltm shows (as an example): Mar 7 14:15:44 local/tmm2 info tmm2[5430]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar: Found Rule, Client Host=10.0.0.251, Client Path=/aaffoobar, Server Host=10.0.0.251, Server Path=/test/bbb?var1 Mar 7 14:15:44 local/tmm2 info tmm2[5430]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar: Redirecting to http://10.0.0.251/aaffoobar/ Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : ProxyPasstest2: 10.0.4.184:57308 -> 10.0.0.251:80 Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: Found Rule, Client Host=10.0.0.251, Client Path=/aaffoobar, Server Host=10.0.0.251, Server Path=/test/bbb?var1 Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: Using default pool APP-pool Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: New Host=10.0.0.251, New Path=/test/bbb?var1/ Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: 200 response from APP-pool 10.0.0.63 80 Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: Checking Location=, $protocol= Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: Checking Content-Location=, $protocol= Mar 7 14:15:44 local/tmm info tmm[5428]: Rule proxypass : VS=ProxyPasstest2, Host=10.0.0.251, URI=/aaffoobar/: Checking URI=, $protocol=