Forum Discussion
Transparent proxy from within an iRule
We have our user traffic transiting an LTM on its way to the Internet. A 'standard' virtual server is configured to capture all traffic (0.0.0.0/0 --> 0.0.0.0/0) on TCP port 80. That VS has the "http" http-profile, so that we can see/manipulate HTTP connections. An iRule is attached to the virtual server that redirects all HTTP traffic to our captive portal:
when HTTP_REQUEST {
    HTTP::redirect "https://connect.example.com"
}
That all works fine. Our requirements are changing slightly, such that we need to allow some URLs through the box. I can't create a second virtual server (for instance, an IP Forwarding VS), as the precedence rules only allow a single VS to handle the traffic.
I've also tried configuring a transparent proxy, but no matter what combination of knobs & buttons I try, no traffic is observed on the external interface. I just get a connection reset.
What's the best way to accomplish this?
Thanks!
Norman
- Rico
Cirrus
What precedence rules are you referring to? There shouldn't be anything stopping you from making a virtual server with a different IP or port.
- Norman_Elton_13
Nimbostratus
Hmm ... if I had a Standard VS to intercept HTTP traffic (and send redirects), and another VC (IP forwarding) with an iRule that called “snat automap” to permit certain hosts ... they’d both have the same source & destination IPs and service port. How would traffic figure out which VC to use?
Regardless, I can test tomorrow.
It also occurs to me that I can do it all in an IP Forwarding VC. The iRule can use tcp::respond to send back an HTTP rewrite. The same iRule can call “snat automap” to allow certain traffic through.
Thanks for the tip, I’ll keep testing tomorrow.
- Stanislas_Piro2
Cumulonimbus
Hi,
No need to create another virtual server!
In your iRule, add a filter on the HTTP host, and for specific hosts, use the commands:
snat automap
forward
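
Added example, not part of the thread or any poster's code: one way to combine the redirect from the original question with the host filter suggested in the last reply. The data group name `portal_bypass_hosts` is hypothetical and is assumed to be a string data group containing the exact hostnames to let through.

```tcl
# Added example. Assumes a string data group named portal_bypass_hosts
# (hypothetical name) that lists the exact hostnames allowed past the portal.
when HTTP_REQUEST {
    # The Host header is client-supplied: lowercase it, drop any :port,
    # and compare with an exact match rather than a substring match.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $host ne "" && [class match $host equals portal_bypass_hosts] } {
        # Allowed host: source-NAT to the self IP and forward the
        # connection to its original destination instead of a pool.
        snat automap
        forward
        return
    }

    # Everything else still goes to the captive portal.
    HTTP::redirect "https://connect.example.com"
}
```

Because the Host header is set by the client, an allowlist keyed on it alone does not constrain the destination address; also matching `[IP::local_addr]` against an address data group tightens the rule.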