Hello. Maybe wrong area, but I'm trying to find out, is it possible to use F5 himself as web server, to serve text based file like wpad.dat or cache.pac for clients? How to do it?

Mart - It is possible to do this. Take a look at: http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenancePage.html ...for an example. This particular iRule serves content directly from the LTM (in this case, a maintenance page) and shows how/where to put the text and uuencoded graphics.

It is possible to do this. Take a look at: http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenancePage.html ...for an example. This particular iRule serves content directly from the LTM (in this case, a maintenance page) and shows how/where to put the text and uuencoded graphics. Hmm, but can I do it with just iRule, as this http in one line and non easy editable is too complicated, actually the wpad.dat file is very simple javascript code like this: function FindProxyForURL(url, host) { if(shExpMatch(host, "*[^0123456789.]*") == false) if( isInNet(host, "127.0.0.0", "255.0.0.0") || isInNet(host, "172.17.0.0", "255.255.0.0") || isInNet(host, "172.18.0.0", "255.255.0.0") ) return "DIRECT"; else return "PROXY proxygateway.internal:8080; DIRECT"; ) I found one one similar example - http://devcentral.f5.com/Wiki/default.aspx/iRules/LTMMaintenancePageLite.html but didn't figure how how to access access it from F5 with url like this - http://wpad.internal/wpad.dat

You can "serve" a page from LTM using HTTP::respond 200 content $http_content: when HTTP_REQUEST { Check if request is for wpad.internal/wpad.dat if {[string tolower "[HTTP::host][HTTP::uri]"] eq "wpad.internal/wpad.dat"}{ HTTP::respond 200 content {\ function FindProxyForURL(url, host) {\ if(shExpMatch(host, "*[^0123456789.]*") == false) \ if( isInNet\(host, "127.0.0.0", "255.0.0.0") \ || isInNet(host, "172.17.0.0", "255.255.0.0") \ || isInNet(host, "172.18.0.0", "255.255.0.0") \ ) \ return "DIRECT"; \ else \ return "PROXY proxygateway.internal:8080; DIRECT"; } } } } Just escape the new lines in the payload with \. After you add the iRule, test it to make sure the content is as you expect and then run 'b load' to verify the LTM parser handles the meta-characters in the iRule correctly. Running 'b load' will reload the configuration so it shouldn't be done on a live box during production. Aaron Great news. Just to be sure - so I must do new virtual server with this iRule only, without pool or nodes, as F5 is my only pool and node and iRule catches all traffic sent to wpad.dat and serve this file? And I put this VIP address into DNS and F5 will serve it easily? But how van I do alias, as due historical reason I have few aliases, like cache1.pac, cache2.pac, which all right point to the wpad.dat file being symlinks in one Linux apache server, which serves right now this wpad.dat.

If you attach that rule to a VIP with no default pool, the rule will answer requests made to the VIP with a host header value of wpad.internal with a URI of wpad.dat. If a request is made with a different host header value or a different URI, the request will be dropped because the rule will do nothing and there is no default pool to handle the request. What type of aliases are you referring to? Do you want the VIP and rule to answer for more than just the /wpad.dat URI? If so, you can add more URI's using a switch statement: when HTTP_REQUEST { Check if requested Host header is wpad.internal if {[string tolower [HTTP::host]] eq "wpad.internal"}{ Check the requested URI switch -glob [HTTP::uri] { "/wpad.dat*" - "*cache1.pac" - "*cache2.pac" { HTTP::respond 200 content {\ function FindProxyForURL(url, host) {\ if(shExpMatch(host, "*[^0123456789.]*") == false) \ if( isInNet\(host, "127.0.0.0", "255.0.0.0") \ || isInNet(host, "172.17.0.0", "255.255.0.0") \ || isInNet(host, "172.18.0.0", "255.255.0.0") \ ) \ return "DIRECT"; \ else \ return "PROXY proxygateway.internal:8080; DIRECT";} } default { Take some default action? } } } } Or you could answer all requests to the VIP with the wpad.dat file content: when HTTP_REQUEST { Send the wpad.dat content HTTP::respond 200 content {\ function FindProxyForURL(url, host) {\ if(shExpMatch(host, "*[^0123456789.]*") == false) \ if( isInNet\(host, "127.0.0.0", "255.0.0.0") \ || isInNet(host, "172.17.0.0", "255.255.0.0") \ || isInNet(host, "172.18.0.0", "255.255.0.0") \ ) \ return "DIRECT"; \ else \ return "PROXY proxygateway.internal:8080; DIRECT";} } } Aaron

Serving wpad.dat with F5?

23 Replies

hoolio

Cirrostratus

Oct 24, 2008

This version would match the same host header values, but for a URI of /cache3.pac, it sends the proxygateway2.internal:8080 response:

 
   when HTTP_REQUEST {   
      
      log local0. "[IP::client_addr]:[TCP::client_port]: New request to [HTTP::host], [HTTP::uri]"   
       Check if requested Host header is wpad.internal   
      switch [string tolower [HTTP::host]] {   
      
         "cache.internal" -   
         "wpad.internal" {   
      
            log local0. "[IP::client_addr]:[TCP::client_port]: Request matched host check"   
      
             Host check matched.  Now check the requested URI   
            switch -glob [HTTP::uri] {   
      
               "/wpad.dat*" -   
               "/cache1.pac" {   
                  log local0. "[IP::client_addr]:[TCP::client_port]: Request matched URI check for /wpad.dat, /cache1.pac"   
                  HTTP::respond 200 content {   
                     function FindProxyForURL(url, host) {   
                     if(shExpMatch(host, "*[^0123456789.]*") == false)   
                     if( isInNet\(host, "127.0.0.0", "255.0.0.0")    
                     || isInNet(host, "172.17.0.0", "255.255.0.0")   
                     || isInNet(host, "172.18.0.0", "255.255.0.0")   
                     )    
                     return "DIRECT"; \   
                     else    
                     return "PROXY proxygateway.internal:8080; DIRECT";}   
                  } 
               } 
               "/cache3.pac" {   
                  log local0. "[IP::client_addr]:[TCP::client_port]: Request matched URI check for /cache3.pac"   
                  HTTP::respond 200 content {   
                     function FindProxyForURL(url, host) {   
                     if(shExpMatch(host, "*[^0123456789.]*") == false)   
                     if( isInNet\(host, "127.0.0.0", "255.0.0.0")    
                     || isInNet(host, "172.17.0.0", "255.255.0.0")   
                     || isInNet(host, "172.18.0.0", "255.255.0.0")   
                     )    
                     return "DIRECT"; \   
                     else    
                     return "PROXY proxygateway2.internal:8080; DIRECT";}   
                  } 
               } 
               default {   
                   Take some default action if the requested host matched, but the URI didn't?   
                  HTTP::respond 400 content "Invalid URI"   
               }   
            }   
         }   
         default {   
              Take some default action if the requested host didn't matched?   
             HTTP::respond 400 content "Invalid host"   
         }   
      }   
   }

Aaron

mart_58302
Nimbostratus
Oct 28, 2008

This version would match the same host header values, but for a URI of /cache3.pac, it sends the proxygateway2.internal:8080 response:

Yes, it does, thank You Aaron, You are super!

J-H_Johansen

Altostratus

Sep 19, 2017

9 years later...

I'm testing the LTM to server wpad/pac with irules and came up with this little script based on the response in this thread.

when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "wpadtest.local" -
        "wpad.local" {
            set exp "function FindProxyForURL(url, host) {"
            append exp "\n" "if(isPlainHostName(host)) return \"DIRECT\";"
            append exp "\n" "if(shExpMatch(host, \"*\[^0123456789.\]*\") == false) return \"DIRECT\";"
            append exp "\n" "if(isInNet(host, \"127.0.0.0\", \"255.0.0.0\")) return \"DIRECT\";"
            append exp "\n" "if(isInNet(host, \"10.0.0.0\", \"255.0.0.0\")) return \"DIRECT\";"
            append exp "\n" "if(isInNet(host, \"172.16.0.0\", \"255.240.0.0\")) return \"DIRECT\";"
            append exp "\n" "if(isInNet(host, \"192.168.0.0\", \"255.255.0.0\")) return \"DIRECT\";"
            foreach mm [class names dg_wpad_shExpMatch] {
                append exp "" "if(shExpMatch(host, \"$mm\")) return \"DIRECT\";"
            }
             Last line
            append exp "\n" "return \"PROXY proxy.local:80\";\n}"
            HTTP::respond 200 content $exp "Content-Type" "application/x-ns-proxy-autoconfig"
        }
        default {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        }
    }
}

The data group list dg_wpad_shExpMatch contains all the exceptions where the client must bypass the proxy.

In a production environment this will be used by at least 1000-2000 users daily. Is there any way I can cache the output and set a 600 seconds TTL on the contents? Is this a good way of doing it or should I find other ways of serving this script?

Forum Discussion

Serving wpad.dat with F5?

23 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Free Passes to AppWorld 2025 – First Come, First Served!

iRule to serve security.txt file - RFC 9116

Serving or browsing iFiles

Securing Model Serving in Red Hat OpenShift AI (on ROSA) with F5 Distributed Cloud API Security

Self Serve Security

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS