Transparent Proxy HTTPS Issues
Hi,
I am in the process of setting up a transparent proxy with LTM, which will be load balancing browsing traffic across two different internet connections. There is a requirement that I direct traffic for certain sites to specific gateways, thus I need to simultaneously implement SSL inspection so that I may redirect the HTTPS sites.
I have been following the F5 guide for setting up a Transparent Proxy for SSL inspection: https://www.f5.com/pdf/deployment-guides/ssl-intercept-dg.pdf
Non-SSL sites are working fine, but any SSL site fails. The client is presented with the F5 certificate, but the destination site is not displayed, resulting in a generic "Page cannot be displayed" error in the browser.
Looking at the TCP dump from the BIG-IP, there seem to be some issues with the establishment of SSL connectivity between the BIG-IP and the client, resulting in a lot of TCP out-of-order segments and retransmits. I am not sure how to resolve this and could use any assistance. This behaviour is consistent on every client I try it on.
Below is the configuration for the VS, SSL profiles and iRules, with a brief screen cap of the TCP dump when attempting to hit an HTTPS site from the client.
Thanks
Virtual Server
ltm virtual Transparent_Proxy_TCP {
    destination 0.0.0.0:any
    ip-protocol tcp
    mask any
    pool Internet_Gateways
    profiles {
        Transparent_Proxy_ClientSSL {
            context clientside
        }
        Transparent_Proxy_ServerSSL {
            context serverside
        }
        http { }
        tcp { }
    }
    rules {
        SSL_Bypass
        ISP_SNAT
    }
    source 0.0.0.0/0
    source-address-translation {
        pool External
        type snat
    }
    translate-address disabled
    vlans {
        internal
    }
    vlans-enabled
    vs-index 9
}
SSL Bypass iRule
ltm rule SSL_Bypass {
    when RULE_INIT {
        # URL categories whose HTTPS traffic is passed through untouched instead of intercepted
        set static::airgap_ssl_bypass_categories {
            /Common/Financial_Data_and_Services
            /Common/Health
            /Common/Facebook_Chat
        }
    }
    when CLIENT_ACCEPTED {
        HTTP::disable
        SSL::disable clientside
        SSL::disable serverside
        TCP::collect
    }
    when CLIENT_DATA {
        # First byte of the payload: TLS record content type (20 = ChangeCipherSpec,
        # 22 = Handshake, 23 = ApplicationData); anything else is treated as non-SSL
        binary scan [TCP::payload] c type
        if { ( $type == 23 ) or ( $type == 20 ) } {
            SSL::enable clientside
            SSL::enable serverside
        } elseif { $type == 22 } {
            SSL::enable clientside
            SSL::enable serverside
            HTTP::enable
        }
        TCP::release
    }
    when CLIENTSSL_CLIENTHELLO {
        # Extension type 0 is server_name (SNI); pull the hostname out of it
        set sni_exists [SSL::extensions exists -type 0]
        if { $sni_exists } {
            binary scan [SSL::extensions -type 0] S1S1S1cS1a* ssl_ext_type ssl_ext_len ssl_ext_sn_list_len ssl_ext_sn_type ssl_ext_sn_len ssl_ext_sn
        }
    }
    when SERVERSSL_HANDSHAKE {
        # No SNI: fall back to the CN of the server certificate for the category lookup
        if { not $sni_exists } {
            set ssl_bypass_mitm 0
            set subject [X509::subject [SSL::cert 0]]
            regexp {CN=(.*?),} $subject fullcn subcn
            if { [info exists subcn] } {
                set this_uri "http://$subcn/"
                set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
                set decision [lsearch -exact $static::airgap_ssl_bypass_categories $reply]
                if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                    set ssl_bypass_mitm 1
                } else {
                    set ssl_bypass_mitm 0
                }
            } else {
                regexp {CN=(.*?)$} $subject fullcn subcn
                if { [info exists subcn] } {
                    set this_uri "http://$subcn/"
                    set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
                    set decision [lsearch -exact $static::airgap_ssl_bypass_categories $reply]
                    if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                        set ssl_bypass_mitm 1
                    } else {
                        set ssl_bypass_mitm 0
                    }
                } else {
                    set ssl_bypass_mitm 0
                }
            }
        }
    }
    when CLIENTSSL_SERVERHELLO_SEND {
        # SNI present and no decision yet: categorise the SNI hostname
        if { not [info exists ssl_bypass_mitm] && [info exists ssl_ext_sn] } {
            set this_uri "http://$ssl_ext_sn/"
            set reply [getfield [CATEGORY::lookup $this_uri] " " 1]
            set decision [lsearch -exact $static::airgap_ssl_bypass_categories $reply]
            if { [lsearch -exact $static::airgap_ssl_bypass_categories $reply] >= 0 } {
                set ssl_bypass_mitm 1
            } else {
                set ssl_bypass_mitm 0
            }
        }
        if { [info exists ssl_bypass_mitm] } {
            if { $ssl_bypass_mitm } {
                SSL::forward_proxy policy bypass
                catch { HTTP::disable }
            } else {
                SSL::forward_proxy policy intercept
            }
        } else {
        }
    }
    when SERVER_CONNECTED {
        if { [info exists ssl_bypass_mitm] } {
            if { $ssl_bypass_mitm } {
                catch { HTTP::disable }
            }
        }
    }
    when HTTP_REQUEST {
        if { [info exists ssl_ext_sn] } {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:${ssl_ext_sn}"
        } else {
            HTTP::header insert X-Proxy-HTTPS "[TCP::local_port]:0"
        }
        LB::detach
        SSL::disable serverside
        pool Internet_Gateways
    }
}
Special SNAT iRule
ltm rule ISP_SNAT {
    when LB_SELECTED {
        # Pick the SNAT address that matches the gateway the pool member selection landed on
        set nodeA "192.168.11.254"
        set snatA "192.168.179.200"
        set nodeB "192.168.43.1"
        set snatB "192.168.179.201"
        if { [IP::addr "[LB::server addr]" equals $nodeA] } {
            snat $snatA
        }
        if { [IP::addr "[LB::server addr]" equals $nodeB] } {
            snat $snatB
        }
    }
}
Client SSL Profile
ltm profile client-ssl help.please.test.co.uk {
    alert-timeout indefinite
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert AMSUKES-BIP1.crt
    cert-extension-includes { basic-constraints extended-key-usage subject-alternative-name }
    cert-key-chain {
        help_please {
            cert help.please.crt
            chain help.please.crt
            key help.please.key
        }
    }
    cert-lifespan 30
    cert-lookup-by-ipaddr-port disabled
    chain help.please.crt
    ciphers DEFAULT
    defaults-from clientssl
    generic-alert enabled
    handshake-timeout 10
    inherit-certkeychain false
    key help.please.key
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-no-renegotiate-timeout 10
    proxy-ca-cert help.please.crt
    proxy-ca-key help.please.key
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
Server SSL Profile
ltm profile server-ssl Transparent_Proxy_ServerSSL {
    alert-timeout indefinite
    allow-expired-crl disabled
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file ca-bundle.crt
    cache-size 262144
    cache-timeout 3600
    cert none
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from serverssl
    expire-cert-response-control drop
    generic-alert enabled
    handshake-timeout 10
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    peer-cert-mode require
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    retain-certificate true
    secure-renegotiation request
    server-name none
    session-mirroring disabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy enabled
    ssl-forward-proxy-bypass enabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control drop
}
Client IP: 192.168.108.100 LTM IP: 192.168.179.200
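As an added illustration (not part of the original post or F5's deployment guide), the Python below mirrors three decisions the SSL_Bypass iRule makes so they can be checked offline: the first-byte record-type test in CLIENT_DATA, the `S1S1S1cS1a*` binary scan of the server_name extension in CLIENTSSL_CLIENTHELLO, and the getfield/lsearch category match. The extension bytes are constructed here and the function names are my own, not BIG-IP APIs.

```python
import struct

# TLS record content types the iRule's CLIENT_DATA event looks at in the first byte
TLS_CHANGE_CIPHER_SPEC = 20
TLS_HANDSHAKE = 22
TLS_APPLICATION_DATA = 23
SNI_EXT_TYPE = 0  # server_name extension, i.e. SSL::extensions -type 0

# Same list as static::airgap_ssl_bypass_categories in the iRule
BYPASS_CATEGORIES = ("/Common/Financial_Data_and_Services", "/Common/Health", "/Common/Facebook_Chat")


def classify_first_byte(payload: bytes) -> str:
    """What CLIENT_DATA enables for this payload: 'ssl+http' (handshake), 'ssl-only'
    (CCS or application data) or 'release-only' (anything else, e.g. plain HTTP)."""
    if not payload:
        return "release-only"
    t = payload[0]
    if t in (TLS_CHANGE_CIPHER_SPEC, TLS_APPLICATION_DATA):
        return "ssl-only"
    if t == TLS_HANDSHAKE:
        return "ssl+http"
    return "release-only"


def parse_sni_extension(ext: bytes) -> str:
    """Parse a server_name extension laid out as the iRule's binary scan expects
    (S1S1S1cS1a*): 16-bit type, 16-bit ext length, 16-bit name-list length,
    8-bit name type, 16-bit name length, then the host name. Rejects
    inconsistent length fields instead of silently taking a truncated name."""
    if len(ext) < 9:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len, name_type, name_len = struct.unpack("!HHHBH", ext[:9])
    if ext_type != SNI_EXT_TYPE or name_type != 0:
        raise ValueError(f"not a host_name SNI extension (type {ext_type}, name type {name_type})")
    name = ext[9:9 + name_len]
    if len(name) != name_len or list_len != name_len + 3 or ext_len != list_len + 2:
        raise ValueError("length fields inconsistent")
    return name.decode("ascii")


def build_sni_extension(hostname: str) -> bytes:
    """Constructed sample input: encode a host name the way a ClientHello carries it."""
    name = hostname.encode("ascii")
    return struct.pack("!HHHBH", SNI_EXT_TYPE, len(name) + 5, len(name) + 3, 0, len(name)) + name


def decide_bypass(lookup_reply: str, categories=BYPASS_CATEGORIES) -> bool:
    """getfield ... " " 1 keeps only the first space-separated category returned by
    CATEGORY::lookup; lsearch -exact then requires an exact match in the bypass list."""
    first_field = lookup_reply.split(" ", 1)[0]
    return first_field in categories
```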