Sideband connection through direct HTTP proxy

Question

Hey Folks,&nbsp;
&nbsp;I am trying to build upon the reCAPCHA iRule example for a production use case.  The main problem I see is that our management tier doesn't have direct access to the Internet.  All external connections must be permitted to go through a direct HTTP proxy server.&nbsp;
&nbsp;I'm not seeing that the sideband command supports proxy directives.  Am I missing something?   If not, does anyone have any suggestions on how we might be able to shoehorn in direct HTTP proxy support from a sideband connection?&nbsp;
&nbsp;Thanks in advance,&nbsp;
&nbsp;-Frank&nbsp;

joel_moses · Answer

You're right, sideband doesn't include anything about use of HTTP proxies, but that's okay, because they should still be usable with a proxy. Remember that sideband connections are essentially open sockets -- they can speak anything you want to send through them. All you have to do is talk to the proxy using standard fully qualified URL requests and you should be okay. 
&nbsp;  
&nbsp; Looking at the reCAPTCHA rule in particular, you'd need to make a few modifications: 
&nbsp; 1) instead of connecting to the $::google_ip you would need to connect to your proxy's IP address (line 91). 
&nbsp; 2) when forming the POST, you'll need to use the full URL so it can process it for proxy (e.g, "POST http://www.google.com/recaptcha/api/verify HTTP/1.1
" (line 77). 
&nbsp;  
&nbsp; Pretty much everything else would work fine, I think.

fervin · Answer

Thanks for pointing me in the right direction.  I think I'm close, but it's still not working.  Do you know of any ways to troubleshoot sideband connection issues? I can connect to the proxy using telnet from the CLI, so I think that rules out a routing problem. 
&nbsp;  
&nbsp; I am getting the following error: 
&nbsp;  
&nbsp; TCL error: /Common/reCapcha  - Command must start with connect.invalid connection handle (line 1) invoked from within "send -timeout 1000 -status send_status $conn $recaptcha_verify_request" invoked from within "if { [HTTP::path] contains "/apps/" || [HTTP::path] equals "/verify_recaptcha"} { if { [HTTP::path] equals "/verify_recaptcha" } { set recaptcha..."  
&nbsp;  
&nbsp; Here's my connection definition: 
&nbsp;  
&nbsp; set conn [connect -timeout 1000 -idle 30 192.168.xxx.xxx:8080] 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; -Frank &nbsp;

fervin · Answer

Okay, so now I think realize where I'm failing. 
&nbsp;  
&nbsp; The HTTP proxy is on a network accessible from the management tier.  These networks are accessible by the Host Management subsystem, but not the Traffic Management Microkernel (TMM). 
&nbsp;  
&nbsp; It looks like sideband connections need to be sourced from the TMM.  Is this the case?  Anyone know of a way to force a sideband connection to use the management port?  Thanks, 
&nbsp;  
&nbsp; -Frank &nbsp;

joel_moses · Answer

Frank: No, it looks like you'll need to route that coming out of TMM. The routes off the management interface aren't addressable by the sideband "connect" command, by design.

fervin · Answer

Thanks, Joel.  I really appreciate all your help. 
&nbsp;  
&nbsp; -Frank

Forum Discussion

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

Simple Sideband - iRule sideband the easy way

Advanced iRules: Sideband Connections

iRules LX Sideband Connection

Sideband connection HTTP example

iRules LX Sideband Connection - Handling timeouts