Forum Discussion
redirecting http traffic
folks
i'm new to big ip so apologies if i'm asking something pretty basic
i have a pair of internal big ip ltm 1600s which pass traffic to an upstream proxy (in a dmz) which then applies policies and sends the requests to the internet
i now need my big ip 1600 to identify traffic to a particular set of urls, i.e. internalsite-1.co.uk, internalsite-2.co.uk, hrdept.internal and send these directly to the servers
the sites i need to redirect are internal so i don't want to pass them upstream
can someone point me in the direction of some configuration examples
i'll have a look at the f5 university in the meantime
thanks to anyone taking the time to reply
greatly appreciated
8 Replies
- Kevin_Stewart
Employee
The first question I'd ask is how your BIG-IPs are configured. Is this an outbound forwarding VIP? FastL4? Standard? Is it encrypted traffic - or could it be?
- mulhollandm_648
Nimbostratus
kevin
many thanks for your reply
unfortunately i don't have enough experience to answer your questions properly so i'll give a brief description of my setup
users will connect to the big ip using the proxy configuration over port 8080
the big ip will load balance internet traffic over port 8080 between a number of upstream proxies
the upstream proxies will send the traffic to the internet on http/https
my aim is to identify http/https traffic intended for internal servers and direct that directly to those servers
hope this clarifies things
thanks again for your help
- Kevin_Stewart
Employee
I'll assume then that this is NOT a standard HTTP-based virtual server configuration, which means that it'd be possible ONLY for unencrypted traffic and inspecting the TCP payload in an iRule. There's a new feature in BIG-IP 11.3 called "SSL Forward Proxy" that would allow you to decrypt and re-encrypt outbound forward proxy traffic, but I'm guessing that'd be more complex than what you need.
- mulhollandm_648
Nimbostratus
kevin
thanks once more
some of the internal sites are https
the big ip has three interfaces, an internal, external and management but both the internal and external are on my internal network but different vlans
does this make a difference, if so can you recommend any deployment and configuration guides
many thanks
- nitass
Employee
"users will connect to the big ip using the proxy configuration over port 8080"
is proxy ip (and port) virtual server on bigip? if yes, can you post the virtual server and pool configuration here?
tmsh list ltm virtual (virtual server name)
tmsh list ltm pool (pool name)
- mulhollandm_648
Nimbostratus
nitass
please see attached config
many thanks for your reply
ltm virtual LTM-1600-VIP {
    destination 10.28.253.3:webcache
    ip-protocol tcp
    mask 255.255.255.255
    pool PROXY-POOL
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
ltm pool PROXY-POOL {
    members {
        10.37.3.20:webcache {
            address 10.37.3.20
            session monitor-enabled
            state up
        }
        10.37.3.21:webcache {
            address 10.37.3.21
            session monitor-enabled
            state up
        }
        10.37.3.22:webcache {
            address 10.37.3.22
            session monitor-enabled
            state up
        }
        10.37.3.23:webcache {
            address 10.37.3.23
            session monitor-enabled
            state up
        }
    }
    monitor TCP-8080
}
- kridsana
Cirrocumulus
If I'm not mistaken, I think an iRule can help with this.
if { url is internalsite-1.co.uk OR internalsite-2.co.uk OR hrdept.internal } {
    choose server x.x.x.x    # choose specific server
} else {
    choose pool PROXY-POOL   # load balance normally to proxy server
}
Is this what you want?
- nitass
Employee
i understand the request format which is sent to the proxy (e.g. 10.28.253.3:8080) is different from the one sent to a web server. so, if you want to send the request to the web server directly, you may have to modify the request format yourself. it is something like the http forward proxy codeshare below.
HTTP Forward Proxy - v3.2
https://devcentral.f5.com/wiki/irules.HTTP-Forward-Proxy-v3-2.ashx
just my 2 cents.
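The request-format difference and host match discussed in this thread, as an added Python illustration (not an iRule, and not code from any poster or from F5). It matches hosts exactly so that lookalike names still go upstream for policy; the function name `route`, the `direct` label and the sample request lines are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hostnames from the original question; matched exactly, never by substring.
INTERNAL_HOSTS = {"internalsite-1.co.uk", "internalsite-2.co.uk", "hrdept.internal"}


def _norm(host):
    """Lower-case and drop a trailing dot so 'HRDEPT.internal.' still matches."""
    return host.lower().rstrip(".")


def route(request_line):
    """Return (destination, line_to_send) for one proxy-form request line.

    destination is 'direct' (hypothetical label) or 'PROXY-POOL'.
    """
    method, target, version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS via a proxy: only host:port is visible, the URL is encrypted.
        host = _norm(target.rsplit(":", 1)[0])
        if host in INTERNAL_HOSTS:
            # Going direct means answering the CONNECT locally and tunnelling
            # TCP to host:port; no HTTP request line is sent to the server.
            return "direct", None
        return "PROXY-POOL", request_line
    parts = urlsplit(target)
    host = _norm(parts.hostname or "")
    if host not in INTERNAL_HOSTS:
        return "PROXY-POOL", request_line  # absolute-form stays as the proxy expects
    # A web server expects origin-form: path and query only.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "direct", f"{method} {path} {version}"


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET http://internalsite-1.co.uk/index.html?x=1 HTTP/1.1",
    "GET http://internalsite-1.co.uk.example.net/ HTTP/1.1",
    "CONNECT hrdept.internal:443 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", route(line))
```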