Forum Discussion

sergio_baza_alo's avatar
sergio_baza_alo
Icon for Altocumulus rankAltocumulus
Nov 19, 2017

Use F5 APM as Forward Proxy

Hello All,

I have one BIG-IP with APM license and I wan to use it as a forward proxy.

I have used this iApp https://devcentral.f5.com/codeshare/apm-explicit-proxy and now I have:

  • DNS Resolver
  • Tunnel for traffic
  • HTTP profile
  • Virtual Server (Proxy) listening on 8080

Although this is configured, when I point to this proxy with my browser it doesn’t seem to work.

I suppose that now I have to create two more separate virtual servers listening on ports 80 and 443 for handling http and https traffic. Am I right?

The question is once I have configured this two virtual servers how can I forward traffic to Internet?

If the VS haven’t got pool members, does it check the routing table? Or I have to create an iRule with something like this:


When HTTP::request {  Forward  }

When HTTP::response {  Forward  }

Also, I don’t want to inspect SSL traffic, I Would like to use the Proxy as a passthrough but only allow certain https sites, Do I need to inspect SSL traffic to filter by URLs?

Thanks in advantage

  • I finally managed to solve my problem, I’m going to explain how to just in case somebody needs it.

     

    First I used the iApp which:

     

    • creates dns resolver
    • creates tunnel with tcp-forward option
    • creates http profile for explicit-proxy
    • creates vs to be used as the proxy

    After that I created a new one vs listening on 0.0.0.0:443 and only enabled on the tunnel that was created by te iApp. This is a fast L4 forwarding proxy as I don’t want to inspect ssl traffic.

     

    All the SNAT settings was setted to Automap.

     

  • I finally managed to solve my problem, I’m going to explain how to just in case somebody needs it.

     

    First I used the iApp which:

     

    • creates dns resolver
    • creates tunnel with tcp-forward option
    • creates http profile for explicit-proxy
    • creates vs to be used as the proxy

    After that I created a new one vs listening on 0.0.0.0:443 and only enabled on the tunnel that was created by te iApp. This is a fast L4 forwarding proxy as I don’t want to inspect ssl traffic.

     

    All the SNAT settings was setted to Automap.