Forum Discussion

akvzau
Oct 30, 2023

SSLO HTTP proxy based on category

Currently, we have a requirement to integrate SSLO for user proxy traffic:

  • Current proxy policy is authenticated and filters based on user group.
  • Certain categories are required to bypass SSL interception but still required to be inspected by proxy policy.

What I can understand is that configuring an HTTP proxy service requires all the traffic to be decrypted; otherwise traffic will be bypassed from the service chain, since it requires the use of an HTTP header signal across an HTTP proxy device.

Is there any way to achieve this? Or, simply put, if the category needs to bypass SSL interception then it cannot be proxied?

Appreciate your thoughts and feedback

  • akvzau Sadly I'm not familiar with this process but it should be possible to have an HTTP proxy without performing SSL termination because we currently use one with just the LTM without SSLO and it works for both HTTP and HTTPS traffic. Essentially what happens in this case is you have an HTTP tunnel between yourself and the LTM proxy which you then tunnel HTTPS traffic over and the LTM hands off the SSL negotiation directly to the destination. The following might be of some assistance.

    https://community.f5.com/t5/technical-forum/performing-ssl-bypass-for-forward-proxy-traffic-based-using-an/td-p/54004

    • akvzau

      Greatly appreciate your response. Seems the problem here is that if traffic is not decrypted then it will not be forwarded to service chains.

      • When you have no decryption you need to use a layer 2 or layer 3 service, and then you can send undecrypted traffic; for an HTTP service the SSLO adds a header to track the flow, and it can't if it is not decrypting the traffic.

        See:

        3.3. Creating an Inline HTTP Service (f5.com)

        This is the most important distinction between HTTP (proxy) and L3 devices. An L3 device will simply route traffic across its interfaces without manipulating the packet headers. A proxy device, by definition, alters the packets headers. SSL Orchestrator uses the ephemeral packet tuple information to track packets across inline L2 and L3 devices. But as an HTTP proxy device manipulates this information, SSL Orchestrator uses an HTTP header signal across an HTTP proxy device. This signaling mechanism limits an inline HTTP proxy device to unencrypted HTTP traffic.