Forum Discussion

fervin
May 08, 2012

Sideband connection through direct HTTP proxy

Hey Folks,

I am trying to build upon the reCAPCHA iRule example for a production use case. The main problem I see is that our management tier doesn't have direct access to the Internet. All external connections must be permitted to go through a direct HTTP proxy server.

I'm not seeing that the sideband command supports proxy directives. Am I missing something? If not, does anyone have any suggestions on how we might be able to shoehorn in direct HTTP proxy support from a sideband connection?

Thanks in advance,

-Frank

  • You're right, sideband doesn't include anything about use of HTTP proxies, but that's okay, because they should still be usable with a proxy. Remember that sideband connections are essentially open sockets -- they can speak anything you want to send through them. All you have to do is talk to the proxy using standard fully qualified URL requests and you should be okay.

    Looking at the reCAPTCHA rule in particular, you'd need to make a few modifications:

    1) instead of connecting to the $::google_ip you would need to connect to your proxy's IP address (line 91).

    2) when forming the POST, you'll need to use the full URL so it can process it for proxy (e.g., "POST http://www.google.com/recaptcha/api/verify HTTP/1.1\r\n") (line 77).

    Pretty much everything else would work fine, I think.
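To make the two changes described above concrete (connect to the proxy instead of the origin, and send an absolute-form request line), here is an added example iRule. It is not the reCAPTCHA codeshare rule and not code posted in this thread. Assumed values: the proxy address 192.0.2.10:8080, the static variable names, a constructed form body, and a placeholder private key. It also checks the handle that connect returns before calling send, since a connect that cannot reach its destination (for example an address that is only routable from the management subsystem, as comes up later in the thread) hands back an empty handle, and send on an empty handle is what raises the "invalid connection handle" error.

```tcl
# Added example: sideband HTTP POST through a forward proxy from an iRule.
# Assumptions: proxy address, verification host, and the form body are
# constructed for illustration; the private key is a placeholder.
when RULE_INIT {
    set static::proxy_addr "192.0.2.10:8080"
    set static::verify_host "www.google.com"
}

when HTTP_REQUEST {
    if { [HTTP::path] equals "/verify_recaptcha" } {
        # Constructed form body; a real rule would build it from the client's POST.
        set body "privatekey=PRIVATE_KEY_PLACEHOLDER&remoteip=[IP::client_addr]&challenge=x&response=y"

        # Absolute-form request line so the proxy knows which origin to contact.
        set req "POST http://$static::verify_host/recaptcha/api/verify HTTP/1.1\r\n"
        append req "Host: $static::verify_host\r\n"
        append req "Content-Type: application/x-www-form-urlencoded\r\n"
        append req "Content-Length: [string length $body]\r\n"
        append req "Connection: close\r\n\r\n"
        append req $body

        # Connect to the proxy, not the origin. The address must be routable from TMM.
        set conn [connect -timeout 1000 -idle 30 -status conn_status $static::proxy_addr]
        if { $conn equals "" } {
            # Empty handle means the connect failed; log and fail closed.
            log local0. "sideband connect to $static::proxy_addr failed: $conn_status"
            HTTP::respond 502 content "verification unavailable"
            return
        }

        set sent [send -timeout 1000 -status send_status $conn $req]
        set resp [recv -timeout 1000 -status recv_status $conn]
        close $conn

        if { $resp equals "" } {
            log local0. "no response via proxy (send=$send_status recv=$recv_status)"
            HTTP::respond 502 content "verification unavailable"
            return
        }

        # The reCAPTCHA v1 verify API answers "true" or "false" on the first body line.
        set payload [string range $resp [expr {[string first "\r\n\r\n" $resp] + 4}] end]
        if { [lindex [split $payload "\n"] 0] equals "true" } {
            HTTP::respond 200 content "ok"
        } else {
            HTTP::respond 403 content "captcha failed"
        }
    }
}
```

The rule fails closed on any sideband error and logs the status variables from connect, send and recv to /var/log/ltm, which is the quickest way to tell a routing failure (connect returns nothing) from a proxy that accepted the connection but never answered.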
  • fervin
    Thanks for pointing me in the right direction. I think I'm close, but it's still not working. Do you know of any ways to troubleshoot sideband connection issues? I can connect to the proxy using telnet from the CLI, so I think that rules out a routing problem.

    I am getting the following error:

    TCL error: /Common/reCapcha - Command must start with connect.invalid connection handle (line 1) invoked from within "send -timeout 1000 -status send_status $conn $recaptcha_verify_request" invoked from within "if { [HTTP::path] contains "/apps/" || [HTTP::path] equals "/verify_recaptcha"} { if { [HTTP::path] equals "/verify_recaptcha" } { set recaptcha..."

    Here's my connection definition:

    set conn [connect -timeout 1000 -idle 30 192.168.xxx.xxx:8080]

    Thanks,

    -Frank

  • fervin
    Okay, so now I think I realize where I'm failing.

    The HTTP proxy is on a network accessible from the management tier. These networks are accessible by the Host Management subsystem, but not the Traffic Management Microkernel (TMM).

    It looks like sideband connections need to be sourced from the TMM. Is this the case? Anyone know of a way to force a sideband connection to use the management port? Thanks,

    -Frank

  • Frank: No, it looks like you'll need to route that coming out of TMM. The routes off the management interface aren't addressable by the sideband "connect" command, by design.
  • fervin
    Thanks, Joel. I really appreciate all your help.

    -Frank
  • If this is a hardware BIG-IP you could attach to another segment that has connections to the HTTP proxy.

    Bhattman