Transparent Proxy HTTPS Issues
Hi,
I am in the process of setting up a transparent proxy with LTM, which will be load balancing browsing traffic across two different internet connections. There is a requirement that I direct traffic for certain sites to specific gateways, thus I need to simultaneously implement SSL inspection so that I may re-direct the HTTPS sites.
I have been following the F5 guide for setting up a Transparent Proxy for SSL inspection: https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf
Non-SSL sites are working fine, but any SSL site fails. The client is presented with the F5 certificate, but the destination site is not displayed, resulting in a generic "Page cannot be displayed" error in the browser.
Looking at the TCP dump from the BIG-IP, there seem to be some issues with the establishment of SSL connectivity between the BIG-IP and the client, resulting in a lot of TCP Out-of-Orders and Re-transmits. I am not sure how to resolve this and could use any assistance. This behaviour is consistent on every client I try it on.
Below is the configuration for the VS, SSL profiles and iRules, with a brief screen cap of the TCP dump when attempting to hit an HTTPS site from a client.
Thanks
Virtual Server
ltm virtual Transparent_Proxy_TCP {
    destination 0.0.0.0:any
    ip-protocol tcp
    mask any
    pool Internet_Gateways
    profiles {
        Transparent_Proxy_ClientSSL {
            context clientside
        }
        Transparent_Proxy_ServerSSL {
            context serverside
        }
        http { }
        tcp { }
    }
    rules {
        SSL_Bypass
        ISP_SNAT
    }
    source 0.0.0.0/0
    source-address-translation {
        pool External
        type snat
    }
    translate-address disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 9
}
SSL Bypass iRule
ltm rule SSL_Bypass {
    when RULE_INIT {
        # URL categories whose HTTPS traffic is passed through without interception
        set static::airgap_ssl_bypass_categories {
            /Common/Financial_Data_and_Services
            /Common/Health
            /Common/Facebook_Chat
        }
    }
    when CLIENT_ACCEPTED {
        # Start with SSL and HTTP processing off and peek at the first client bytes
        HTTP::disable
        SSL::disable clientside
        SSL::disable serverside
        TCP::collect
    }
    when CLIENT_DATA {
        # First byte is the TLS record content type:
        # 20 = ChangeCipherSpec, 22 = Handshake (ClientHello), 23 = Application Data
        binary scan [TCP::payload] c type
        if { ( $type == 23 ) or ( $type == 20 ) } {
            SSL::enable clientside
            SSL::enable serverside
        } elseif { $type == 22 } {
            SSL::enable clientside
            SSL::enable serverside
            HTTP::enable
        }
        TCP::release
    }
    when CLIENTSSL_CLIENTHELLO {
        # Pull the host name out of the server_name (type 0) extension:
        # ext type, ext len, name list len, name type, name len, name
        set sni_exists [SSL::extensions exists -type 0]
        if { $sni_exists } {
            binary scan [SSL::extensions -type 0] S1S1S1cS1a* ssl_ext_type ssl_ext_len ssl_ext_sn_list_len ssl_ext_sn_type ssl_ext_sn_len ssl_ext_sn
        }
    }
    when SERVERSSL_HANDSHAKE {
        # No SNI: categorise on the CN of the certificate the origin server presented
        if { not $sni_exists } {
            set ssl_bypass_mitm 0
            set subject [X509::subject [SSL::cert 0]]
            regexp {CN=(.*?),} $subject fullcn subcn
            if { [info exists subcn] } {
                set this_uri "http://$subcn/"
                set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
                if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                    set ssl_bypass_mitm 1
                } else {
                    set ssl_bypass_mitm 0
                }
            } else {
                # CN is the last RDN in the subject, so there is no trailing comma
                regexp {CN=(.*?)$} $subject fullcn subcn
                if { [info exists subcn] } {
                    set this_uri "http://$subcn/"
                    set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
                    if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                        set ssl_bypass_mitm 1
                    } else {
                        set ssl_bypass_mitm 0
                    }
                } else {
                    set ssl_bypass_mitm 0
                }
            }
        }
    }
    when CLIENTSSL_SERVERHELLO_SEND {
        # With SNI present, categorise on the requested host name instead
        if { not [info exists ssl_bypass_mitm] && [info exists ssl_ext_sn] } {
            set this_uri "http://$ssl_ext_sn/"
            set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
            if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                set ssl_bypass_mitm 1
            } else {
                set ssl_bypass_mitm 0
            }
        }
        if { [info exists ssl_bypass_mitm] } {
            if { $ssl_bypass_mitm } {
                SSL::forward_proxy policy bypass
                catch { HTTP::disable }
            } else {
                SSL::forward_proxy policy intercept
            }
        }
    }
    when SERVER_CONNECTED {
        if { [info exists ssl_bypass_mitm] } {
            if { $ssl_bypass_mitm } {
                catch { HTTP::disable }
            }
        }
    }
    when HTTP_REQUEST {
        # Intercepted request: tag it with the original port and SNI, then send it on
        # in clear text (server-side SSL disabled) to the gateway pool. In the
        # deployment guide's air-gap design a separate egress virtual server reads
        # X-Proxy-HTTPS and re-encrypts; nothing in this single VS does that.
        if { [info exists ssl_ext_sn] } {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${ssl_ext_sn}"
        } else {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
        }
        LB::detach
        SSL::disable serverside
        pool Internet_Gateways
    }
}
Special SNAT iRule
ltm rule ISP_SNAT {
    when LB_SELECTED {
        # Pin the SNAT address to whichever internet gateway the pool selected
        set nodeA "192.168.11.254"
        set snatA "192.168.179.200"
        set nodeB "192.168.43.1"
        set snatB "192.168.179.201"
        if { [IP::addr "[LB::server addr]" equals $nodeA] } {
            snat $snatA
        }
        if { [IP::addr "[LB::server addr]" equals $nodeB] } {
            snat $snatB
        }
    }
}
Client SSL Profile
ltm profile client-ssl help.please.test.co.uk {
    alert-timeout indefinite
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert AMSUKES-BIP1.crt
    cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
    cert-key-chain {
        help_please {
            cert help.please.crt
            chain help.please.crt
            key help.please.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain help.please.crt
    ciphers DEFAULT
    defaults-from clientssl
    generic-alert enabled
    handshake-timeout 10
    inherit-certkeychain false
    key help.please.key
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-no-renegotiate-timeout 10
    proxy-ca-cert help.please.crt
    proxy-ca-key help.please.key
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
Server SSL Profile
ltm profile server-ssl Transparent_Proxy_ServerSSL {
    alert-timeout indefinite
    allow-expired-crl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file ca-bundle.crt
    cache-size 262144
    cache-timeout 3600
    cert none
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from serverssl
    expire-cert-response-control drop
    generic-alert enabled
    handshake-timeout 10
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation request
    server-name none
    session-mirroring disabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control drop
}
TCP dump screen cap (image not reproduced here). Client IP: 192.168.108.100, LTM IP: 192.168.179.200
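To make the byte-level decisions in the posted SSL_Bypass iRule concrete, here is an added Python model (not F5 code and not from the original post) of the CLIENT_DATA first-byte check, the server_name extension layout behind the `binary scan S1S1S1cS1a*` in CLIENTSSL_CLIENTHELLO, and the category lookup that picks bypass or intercept. The category table and the extension builder are constructed stand-ins for CATEGORY::lookup and for real ClientHello data.

```python
import struct
from typing import Optional

# TLS record content types that the iRule's CLIENT_DATA event switches on
CHANGE_CIPHER_SPEC, HANDSHAKE, APPLICATION_DATA = 20, 22, 23

# Mirror of static::airgap_ssl_bypass_categories from the posted iRule
BYPASS_CATEGORIES = {"/Common/Financial_Data_and_Services",
                     "/Common/Health", "/Common/Facebook_Chat"}

# Constructed stand-in for CATEGORY::lookup (the real call queries the URL DB)
SAMPLE_CATEGORY_DB = {"bank.example": "/Common/Financial_Data_and_Services",
                      "news.example": "/Common/News_and_Media"}

def classify_first_byte(payload: bytes) -> str:
    """Same branch as CLIENT_DATA's 'binary scan [TCP::payload] c type'."""
    if not payload:
        return "passthrough"
    if payload[0] == HANDSHAKE:
        return "ssl+http"          # SSL::enable both sides and HTTP::enable
    if payload[0] in (CHANGE_CIPHER_SPEC, APPLICATION_DATA):
        return "ssl"               # SSL::enable both sides, HTTP stays off
    return "passthrough"           # TCP::release without enabling anything

def parse_sni_extension(ext: bytes) -> Optional[str]:
    """Decode a server_name extension with the layout the iRule's
    'binary scan ... S1S1S1cS1a*' assumes: type(2) len(2) list_len(2)
    name_type(1) name_len(2) name. Returns None on anything malformed."""
    if len(ext) < 9:
        return None
    ext_type, _ext_len, _list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != 0 or name_type != 0 or name_len > len(ext) - 9:
        return None                # not SNI, not host_name, or truncated
    return ext[9:9 + name_len].decode("ascii", errors="replace")

def build_sni_extension(host: str) -> bytes:
    """Constructed test input: a well-formed server_name extension."""
    name = host.encode("ascii")
    body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    return struct.pack("!HH", 0, len(body)) + body

def policy_for(sni_ext: bytes, lookup=SAMPLE_CATEGORY_DB.get) -> str:
    """CLIENTSSL_SERVERHELLO_SEND logic: the category of http://<sni>/ picks
    'SSL::forward_proxy policy bypass' or 'policy intercept'."""
    host = parse_sni_extension(sni_ext)
    if host is None:
        return "intercept"   # no SNI: the iRule falls back to the cert CN (not modelled)
    return "bypass" if (lookup(host) or "") in BYPASS_CATEGORIES else "intercept"
```

Note that an unknown or uncategorised host falls through to intercept, which is exactly the set of sites the thread later reports as failing.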
14 Replies
- Michael_Koyfman
Cirrocumulus
Do you have SSL Forward Proxy license? It is not included in LTM license by default. What about URL filtering license? Try to remove iRules altogether and test to see if they are causing a problem?
- shopkeeper56_23
Cirrostratus
I do have the URL Filtering license... I did not know SSL Forward Proxy required an additional license... Looking now, it doesn't look like I have it. I'm running this on a StrongBox at the moment (POC for client). I'll update my license and test again. Could you by chance provide the part number for the forward proxy license? Thanks
EDIT: nvm found the part number F5-ADD-BIG-SSLFWD-VE
- shopkeeper56_23
Cirrostratus
A bit annoying the Deployment Guide mentions the URL filtering license but not the SSL Forward Proxy one
- shopkeeper56_23
Cirrostratus
updated information
- shopkeeper56_23
Cirrostratus
Ok I have enabled the SSL Forward Proxy license but the behavior remained the same. I noticed that my appliance had not finished indexing the DB for URL filtering (seems to be taking forever, but I've read it can take upwards of an hour). So I disabled the SSL bypass iRule and it seems that at least SSL Forward Proxy is now working.
Will report back once the DB Indexing is finished and re-enable the SSL Bypass iRule to confirm functionality.
- shopkeeper56_23
Cirrostratus
Ok I've finished the DB Indexing and re-applied the above SSL Bypass iRule. Scenarios are as below...
HTTP: Working fine
HTTPS Bypass Sites (Financial): Bypassing and working fine
Other HTTPS: Not working
So there must be something iffy in the iRule which is causing the non-Bypass sites to fail.