Forum Discussion

shopkeeper56_23
Apr 08, 2016

Transparent Proxy HTTPS Issues

Hi,

I am in the process of setting up a transparent proxy with LTM, which will be load balancing browsing traffic across two different internet connections. There is a requirement that I direct traffic for certain sites to specific gateways, thus I need to simultaneously implement SSL inspection so that I may redirect the HTTPS sites.

I have been following the F5 guide for setting up a transparent proxy for SSL inspection: https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf

Non-SSL sites are working fine, but any SSL site fails. The client is presented with the F5 certificate, but the destination site is not displayed, resulting in a generic "Page cannot be displayed" error in the browser.

Looking at the tcpdump from the BIG-IP, there seem to be some issues with the establishment of SSL connectivity between the BIG-IP and the client, resulting in a lot of TCP out-of-order segments and retransmits. I am not sure how to resolve this and could use any assistance. This behaviour is consistent on every client I try it on.

Below is the configuration for the VS, SSL profiles and iRules, with a brief screen capture of the tcpdump when attempting to hit an HTTPS site from the client.

Thanks

Virtual Server
ltm virtual Transparent_Proxy_TCP {
    destination 0.0.0.0:any
    ip-protocol tcp
    mask any
    pool Internet_Gateways
    profiles {
        Transparent_Proxy_ClientSSL {
            context clientside
        }
        Transparent_Proxy_ServerSSL {
            context serverside
        }
        http { }
        tcp { }
    }
    rules {
        SSL_Bypass
        ISP_SNAT
    }
    source 0.0.0.0/0
    source-address-translation {
        pool External
        type snat
    }
    translate-address disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 9
}

SSL Bypass iRule
ltm rule SSL_Bypass {
    when RULE_INIT {
        # URL categories that are never decrypted (the bypass list)
        set static::airgap_ssl_bypass_categories {
            /Common/Financial_Data_and_Services
            /Common/Health
            /Common/Facebook_Chat
        }
    }
    when CLIENT_ACCEPTED {
        # Start with HTTP and both SSL profiles disabled, then peek at the first client bytes
        HTTP::disable
        SSL::disable clientside
        SSL::disable serverside
        TCP::collect
    }
    when CLIENT_DATA {
        # First payload byte is the TLS record content type:
        # 20 = ChangeCipherSpec, 22 = Handshake, 23 = Application Data; anything else is left as-is
        binary scan [TCP::payload] c type
        if { ( $type == 23 ) or ( $type == 20 ) } {
            SSL::enable clientside
            SSL::enable serverside
        } elseif { $type == 22 } {
            SSL::enable clientside
            SSL::enable serverside
            HTTP::enable
        }
        TCP::release
    }
    when CLIENTSSL_CLIENTHELLO {
        # Extension type 0 is server_name (SNI): ext type, ext length, list length,
        # name type, name length, then the host name itself
        set sni_exists [SSL::extensions exists -type 0]
        if { $sni_exists } {
            binary scan [SSL::extensions -type 0] S1S1S1cS1a* ssl_ext_type ssl_ext_len ssl_ext_sn_list_len ssl_ext_sn_type ssl_ext_sn_len ssl_ext_sn
        }
    }
    when SERVERSSL_HANDSHAKE {
        # No SNI from the client: categorise on the CN of the server certificate instead
        if { not $sni_exists } {
            set ssl_bypass_mitm 0
            set subject [X509::subject [SSL::cert 0]]
            # CN followed by further RDNs first, then CN at the end of the subject
            if { ![regexp {CN=(.*?),} $subject fullcn subcn] } {
                regexp {CN=(.*?)$} $subject fullcn subcn
            }
            if { [info exists subcn] } {
                set this_uri "http://$subcn/"
                set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
                if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                    set ssl_bypass_mitm 1
                }
            }
        }
    }
    when CLIENTSSL_SERVERHELLO_SEND {
        # SNI was present: categorise on the requested host name
        if { not [info exists ssl_bypass_mitm] && [info exists ssl_ext_sn] } {
            set this_uri "http://$ssl_ext_sn/"
            set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
            if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                set ssl_bypass_mitm 1
            } else {
                set ssl_bypass_mitm 0
            }
        }
        if { [info exists ssl_bypass_mitm] } {
            if { $ssl_bypass_mitm } {
                # Bypassed category: pass the TLS session through without decrypting
                SSL::forward_proxy policy bypass
                catch { HTTP::disable }
            } else {
                SSL::forward_proxy policy intercept
            }
        }
    }
    when SERVER_CONNECTED {
        if { [info exists ssl_bypass_mitm] && $ssl_bypass_mitm } {
            catch { HTTP::disable }
        }
    }
    when HTTP_REQUEST {
        # Tag the decrypted request with the original port and SNI, then re-select the pool
        if { [info exists ssl_ext_sn] } {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${ssl_ext_sn}"
        } else {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
        }
        LB::detach
        # Server-side SSL is disabled here, so the decrypted request leaves this
        # virtual server in cleartext toward the selected pool member
        SSL::disable serverside
        pool Internet_Gateways
    }
}

Special SNAT iRule
ltm rule ISP_SNAT {
    when LB_SELECTED {
        # Pick the SNAT address that matches the selected internet gateway
        set nodeA "192.168.11.254"
        set snatA "192.168.179.200"
        set nodeB "192.168.43.1"
        set snatB "192.168.179.201"
        if { [IP::addr [LB::server addr] equals $nodeA] } {
            snat $snatA
        }
        if { [IP::addr [LB::server addr] equals $nodeB] } {
            snat $snatB
        }
    }
}

Client SSL Profile
ltm profile client-ssl help.please.test.co.uk {
    alert-timeout indefinite
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert AMSUKES-BIP1.crt
    cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
    cert-key-chain {
        help_please {
            cert help.please.crt
            chain help.please.crt
            key help.please.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain help.please.crt
    ciphers DEFAULT
    defaults-from clientssl
    generic-alert enabled
    handshake-timeout 10
    inherit-certkeychain false
    key help.please.key
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-no-renegotiate-timeout 10
    proxy-ca-cert help.please.crt
    proxy-ca-key help.please.key
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}


Server SSL Profile
ltm profile server-ssl Transparent_Proxy_ServerSSL {
    alert-timeout indefinite
    allow-expired-crl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file ca-bundle.crt
    cache-size 262144
    cache-timeout 3600
    cert none
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from serverssl
    expire-cert-response-control drop
    generic-alert enabled
    handshake-timeout 10
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation request
    server-name none
    session-mirroring disabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control drop
}

Client IP: 192.168.108.100 LTM IP: 192.168.179.200
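As an added example, not code from the thread or from F5's deployment guide, the following Python model walks the same steps the SSL_Bypass iRule takes on the first client bytes: it reads the TLS record content type the way `binary scan [TCP::payload] c type` does, pulls the server_name (SNI) out of a ClientHello the way the `S1S1S1cS1a*` scan does, falls back to the two certificate-CN regexps, and applies the category bypass test. `CATEGORY::lookup` is replaced by a hypothetical lookup table (HYPOTHETICAL_CATEGORY_DB) and every input, including the ClientHello built by `build_client_hello`, is constructed for the example.

```python
import re
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
APPLICATION_DATA = 23
SNI_EXTENSION_TYPE = 0  # server_name extension, RFC 6066

# Same three categories as static::airgap_ssl_bypass_categories in the iRule
BYPASS_CATEGORIES = {
    "/Common/Financial_Data_and_Services",
    "/Common/Health",
    "/Common/Facebook_Chat",
}

# Hypothetical stand-in for CATEGORY::lookup; real answers come from the URL filtering DB
HYPOTHETICAL_CATEGORY_DB = {
    "http://bank.example/": "/Common/Financial_Data_and_Services",
    "http://www.example.com/": "/Common/Information_Technology",
}


def record_type(payload):
    """First byte of the client payload, as `binary scan [TCP::payload] c type` reads it."""
    return payload[0] if payload else None


def extract_sni(payload):
    """Return the SNI host name from a TLS record carrying a ClientHello, else None."""
    if len(payload) < 5 or payload[0] != HANDSHAKE:
        return None
    body = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(body) < 4 or body[0] != 1:  # HandshakeType client_hello = 1
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                   # client_version + random
        pos += 1 + hello[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                          # compression_methods
        if pos + 2 > len(hello):
            return None                                # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            # The iRule's S1S1S1cS1a* scan covers type and length (consumed above), then
            # list length (S1), name type (c), name length (S1) and the name itself (a*)
            _list_len, name_type, name_len = struct.unpack("!HBH", ext[:5])
            if name_type != 0:                         # 0 = host_name
                return None
            return ext[5:5 + name_len].decode("ascii", errors="replace")
    except (IndexError, struct.error):
        return None                                    # truncated or malformed hello
    return None


def cn_from_subject(subject):
    """The iRule's two regexps: `CN=(.*?),` first, then `CN=(.*?)$` when the CN is last."""
    m = re.search(r"CN=(.*?),", subject) or re.search(r"CN=(.*?)$", subject)
    return m.group(1) if m else None


def bypass_decision(hostname):
    """1 = bypass (category is on the list), 0 = intercept; the iRule's lsearch test."""
    reply = HYPOTHETICAL_CATEGORY_DB.get(f"http://{hostname}/", "/Common/Uncategorized")
    category = reply.split(" ")[0]                     # getfield <reply> " " 1
    return 1 if category in BYPASS_CATEGORIES else 0


def classify(payload, cert_subject=None):
    """Record type, host name (SNI, else certificate CN as in SERVERSSL_HANDSHAKE), decision."""
    host = extract_sni(payload)
    if host is None and cert_subject:
        host = cn_from_subject(cert_subject)
    decision = bypass_decision(host) if host else None
    return {"type": record_type(payload), "host": host, "decision": decision}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record with an SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session_id
             + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one cipher suite, null compression
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Running `classify(build_client_hello("bank.example"))` yields type 22 with a bypass decision of 1, while a plain `GET` payload yields type 71 (the letter G) and no host, which is why the iRule leaves such connections with HTTP and SSL disabled. The parser returns None on truncated or malformed hellos rather than raising, mirroring the iRule's behaviour of simply not setting `ssl_ext_sn` when no usable SNI is present.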

14 Replies

  • Do you have an SSL Forward Proxy license? It is not included in the LTM license by default. What about the URL filtering license? Try removing the iRules altogether and test to see if they are causing a problem?

    • shopkeeper56_23
      I do have the URL Filtering license... I did not know SSL Forward Proxy required an additional license... Looking now, it doesn't look like I have it. I'm running this on a StrongBox at the moment (POC for a client). I'll update my license and test again. Could you by chance provide the part number for the forward proxy license? Thanks. EDIT: nvm, found the part number: F5-ADD-BIG-SSLFWD-VE
    • shopkeeper56_23
      A bit annoying that the Deployment Guide mentions the URL filtering license but not the SSL Forward Proxy one.
  • Ok, I have enabled the SSL Forward Proxy license but the behavior remained the same. I noticed that my appliance had not finished indexing the DB for URL filtering (seems to be taking forever, but I've read it can take upwards of an hour). So I disabled the SSL bypass iRule and it seems that at least SSL Forward Proxy is now working.

    Will report back once the DB indexing is finished and re-enable the SSL Bypass iRule to confirm functionality.

  • Ok, I've finished the DB indexing and re-applied the above SSL Bypass iRule. Scenarios are as below...

    HTTP: Working fine

    HTTPS Bypass Sites (Financial): Bypassing and working fine

    Other HTTPS: Not working

    So there must be something iffy in the iRule which is causing the non-bypass sites to fail.