Forum Discussion

CarloMun's avatar
CarloMun
Icon for Nimbostratus rankNimbostratus
Sep 11, 2020

Redirect Proxy CONNECT Request at LB level based on URL

Hi,

 

I would like to ask for experts advice on the following design issue.

 

I currently use a Standard Virtual Server for load balancing requests to a pool of Proxy Squids.

HTTP CONNECTs are sent to the VIP of the Virtual Servers; per SNAT translated and sent to the SQUID Proxys.

The config of the Virtual Server is pretty much standard; there's no "HTTP Proxy Connect Profile" set; client requests are SNATted and sent to the Squids proxyies (so that the CONNECT requests are de facto landing on the SQUIDs via the LB).

 

A "http_proxy" http client profile is also set at Virtual Server level (proxy mode: reverse).

 

I would like to know if it is technically possible to intercept a CONNECT requests to a given URL directly at the LB and have it immerdiately redirected to the destination rather then sent to the pool of proxy servers.

 

In other words, the LB should intercept CONNECT requests towards specific URLs and have the request sent directly to the target URL without send it first to the SQUID proxys within the LB Pool.

 

 

One additional info: the URL that I would like to "control" under this LB target config should be accessed via SSL / TLS.

 

Is this scenario technically feasible with F5 BIG IP ?

 

If so, please describe how could this be implemented (which modules should be licensed? would the LTM module with iRules alone be capable to achieve this ? and how would the Virtual Server config need to be adapted in this case, since the CONNECT request from the client would need to be intercepted directly on the LB front end, so modifications to the Virtual Server configuration would be needed.)

 

I researched a little bit on this and found this F5 technical document covering more of less the same setup.

 

https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-local-traffic-manager-implementations-14-0-0/configuring-an-explicit-http-proxy-chain.html

 

However it is not 100% clear to me if the "HTTP Proxy Connect profile" also requires APM Configuration to work. Moreover, how would I need to configure the APM to achieve this technical requirement ?

 

An end to end example / technical note covering this scenario (or a very close scenario) would be great.

 

Thank you in advance for your feedback and your help.

 

 

 

No RepliesBe the first to reply