Forum Discussion
Remco
Nov 03, 2011, Nimbostratus
Redirecting http request to external url via proxy
Hi,
We are using F5 load balancers for our Internet environment. There is now a requirement, during customer login, to download a trojan detection script from an external company. But from the client's point of view this script should be hosted from our own domain, otherwise personal firewalls will block this script.
The plan is to create a pool and add this external website as a pool member, and have the F5, based on a specific URI, rewrite the URL to the external website and use SNAT to get the external script.
The problem is that we are now doing a POC in our DTA environment, but here the F5 does not have a direct Internet connection. The only option is to go via our browser proxies.
So I have created a pool with the proxy as a member and am using TCP 8080. Redirecting normal HTTP traffic via the proxy is working, but the website hosting the external script is running on HTTPS.
The problem is that the proxy, for HTTPS traffic, is expecting an HTTP CONNECT request instead of a GET, which is the standard used for HTTP.
Is there any way to change the HTTP method on the F5 from GET to CONNECT?
I know you can read the method via HTTP::method, but I have not found an option to actually change the method to CONNECT.
Regards,
Remco
- Hamish (Cirrocumulus): Hmm... You're wanting the LTM to be an HTTP client to a proxy...
- Remco (Nimbostratus): Hi Hamish,
- The proxies have been set up in transparent mode for SSL traffic, so they should not be involved in the SSL process. I think my biggest problem is getting the F5 to use an HTTP CONNECT method instead of the standard GET.
- nitass (Employee): Not sure if I understand correctly. This is my testing.
[root@iris:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool squid
   destination 172.28.17.33:https
   ip protocol tcp
   rules myrule
}
[root@iris:Active] config # b pool squid list
pool squid {
   members 192.168.12.105:squid {}
}
[root@iris:Active] config # b rule myrule list
rule myrule {
   when SERVER_CONNECTED {
      set bypass 0
      TCP::respond "CONNECT www.google.com:443 HTTP/1.0\r\n\r\n"
      TCP::collect
   }
   when SERVER_DATA {
      if { $bypass eq 1 } {
         TCP::release
         return
      }
      if { [TCP::payload] starts_with "HTTP/1.0 200" } {
         TCP::payload replace 0 [TCP::payload length] ""
         TCP::release
         set bypass 1
      } else {
         TCP::close
      }
   }
}
[root@iris:Active] config # curl -Ik https://172.28.17.33/
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2011 09:18:10 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
- nitass (Employee): Sorry, I forgot to put the reference.
- "TCP::respond" to send the CONNECT command. Very nice. Thanks for that one!!
- Remco (Nimbostratus):
Sorry, the site was not responding; my message was posted multiple times.
- Remco (Nimbostratus): I have managed to indeed get the CONNECT message towards the proxy and am getting the 200 OK reply, indicating the proxy is in SSL transparent mode.
- nitass (Employee): Not sure if it is what you are looking for. Anyway, hope it is helpful.
[root@ve1023:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.65.152:https
   ip protocol tcp
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
[root@ve1023:Active] config # b pool foo list
pool foo {
   members 200.200.200.101:http {}
}
[root@ve1023:Active] config # b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
      SSL::disable serverside
   }
   when HTTP_REQUEST {
      if {[HTTP::uri] equals "/test"} {
         HTTP::uri "/"
         SSL::enable serverside
         virtual bar2
      }
   }
}
[root@ve1023:Active] config # b virtual bar2 list
virtual bar2 {
   snat automap
   pool squid
   destination 1.1.1.1:https
   ip protocol tcp
   rules myrule2
}
[root@ve1023:Active] config # b pool squid list
pool squid {
   members 192.168.12.105:squid {}
}
[root@ve1023:Active] config # b rule myrule2 list
rule myrule2 {
   when SERVER_CONNECTED {
      set bypass 0
      TCP::respond "CONNECT www.google.com:443 HTTP/1.0\r\n\r\n"
      TCP::collect
   }
   when SERVER_DATA {
      if { $bypass eq 1 } {
         TCP::release
         return
      }
      if { [TCP::payload] starts_with "HTTP/1.0 200" } {
         TCP::payload replace 0 [TCP::payload length] ""
         TCP::release
         set bypass 1
      } else {
         TCP::close
      }
   }
}
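The exchange the two iRules above drive (send CONNECT to the forward proxy as soon as the server side connects, wait for the proxy's status line, only then let the TLS handshake flow) written out as a plain client, as an added example that is not part of the thread and not F5 code. It does the same three things the iRule does with TCP::respond, TCP::collect and TCP::release, plus two checks a practitioner would want: it reads until the end of the response head rather than inspecting only the first segment, and it keeps any bytes that arrive after the blank line instead of dropping the whole payload. The proxy it talks to is a constructed stand-in on a socketpair so the example runs offline; the target www.google.com:443 is the one used in the thread.

```python
"""CONNECT tunnel through an HTTP forward proxy (added example, not from the thread).

Mirrors the iRule: send CONNECT, wait for "HTTP/1.x 200", then hand the socket over
for the TLS handshake. The proxy here is a constructed fake running on a socketpair.
"""
import socket
import threading


def build_connect_request(host, port):
    # Authority form (host:port), no path; HTTP/1.1 requires a Host header.
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"\r\n").encode("ascii")


def read_connect_response(sock, limit=8192):
    """Read the proxy's response head up to the blank line.

    Returns (status_code, leftover): leftover is whatever arrived after the head
    in the same read. It belongs to the tunnel and must not be discarded
    (the iRule above replaces the entire payload with "").
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed connection before answering CONNECT")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy response head too large")
    head, leftover = buf.split(b"\r\n\r\n", 1)
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1]), leftover


def connect_through_proxy(sock, host, port):
    """Perform the CONNECT handshake on an already-open proxy socket.

    On 200 the socket is now a raw tunnel to host:port (ready for TLS); any
    non-200 answer closes it, like TCP::close in the iRule.
    """
    sock.sendall(build_connect_request(host, port))
    status, leftover = read_connect_response(sock)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT to {host}:{port}: {status}")
    return leftover


def fake_proxy(sock, status_line, trailer=b""):
    """Constructed stand-in for the proxy: consume the CONNECT head, answer status_line.

    trailer is constructed tunnel data sent in the same write as the head, to show
    that the client keeps it.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        buf += sock.recv(4096)
    sock.sendall(status_line + b"\r\n\r\n" + trailer)
    return buf


def demo(status_line=b"HTTP/1.0 200 Connection established", trailer=b""):
    """Run the handshake against the fake proxy; return the leftover tunnel bytes."""
    client, proxy = socket.socketpair()
    t = threading.Thread(target=fake_proxy, args=(proxy, status_line, trailer))
    t.start()
    try:
        leftover = connect_through_proxy(client, "www.google.com", 443)
    finally:
        t.join()
        proxy.close()
    # Real use would continue with
    #   ssl.create_default_context().wrap_socket(client, server_hostname="www.google.com")
    # so the TLS handshake runs end to end through the tunnel.
    client.close()
    return leftover


if __name__ == "__main__":
    print("leftover after 200:", demo())
    try:
        demo(b"HTTP/1.0 403 Forbidden")
    except ConnectionError as exc:
        print("refused as expected:", exc)
```

Two points the thread leaves implicit: the proxy's status line may not arrive in one segment, so a check on only the first SERVER_DATA payload can race, and a proxy that answers anything other than 200 must have the connection torn down rather than released, or the client's ClientHello would be written into a connection the proxy has already rejected.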