For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

HTTP Explicit Proxy - V11.5+

Problem this snippet solves:

This iApp configures an Explicit Proxy using the new "Explicit" Proxy Mode that was introduced into the HTTP Profile in BIG-IP 11.5.

You only need LTM or APM provisioned.

It creates all configuration components required including:

  • DNS Resolvers
  • TCP Tunnel
  • HTTP Profile (Explicit)
  • Default Connect Handling set to Allow
  • SNAT Pools (Optional)
  • SNAT Default is Automap

If you require the Explicit Proxy to listen on more than 1 port e.g 3128 and 8080, simply just create another Application Service.

Contributed by: Brett Smith

How to use this snippet:


Published Mar 11, 2015
Version 1.0
explicit
forward proxy
iapp
iApps
LTM
security

14 Comments

  • Jos_Baanders_17's avatar
    Jos_Baanders_17
    Icon for Nimbostratus rankNimbostratus
    Apr 20, 2016
    Thanks for sharing this, how best could we filter URL's, have a whitelist of permitted sites and block all others?
  • Eric_Marquez_25's avatar
    Eric_Marquez_25
    Icon for Nimbostratus rankNimbostratus
    Apr 27, 2016
    Brett, does this support proxy auth. I'm doing some testing and I would like to use my Virtual F5 as a forwarding proxy with Auth. The auth can be a single username/pass. is it possible to get this added to it?
  • xunil321_122934's avatar
    xunil321_122934
    Icon for Nimbostratus rankNimbostratus
    Jul 08, 2016

    Eric, we are also interested in implementing some sort of user authentication.

     

    Did you had success with your Auth?

     

  • Smithy's avatar
    Smithy
    Icon for Cirrostratus rankCirrostratus
    Nov 16, 2016

    Hi Eric,

     

    It supports Auth on the Client side. It doesn't support Proxy Chaining - this feature is due to release in BIG-IP 13.0

     

  • willerman's avatar
    willerman
    Icon for Nimbostratus rankNimbostratus
    Mar 13, 2017

    Great iApp!! Works like a charm for HTTP and HTTPS :) Can this somehow be adapted to FTP(S), SFTP and SOCKS?

     

    Cheers

     

  • dihris_116090's avatar
    dihris_116090
    Icon for Nimbostratus rankNimbostratus
    May 09, 2017

    Great work! I managed to deploy successfully explicit proxy for HTTP/HTTPS calls.

     

    Brett, is there a way to control server side encryption separate from the client side without using SSL Forward Proxy features? The problem I'm trying to solve is that I have dev machines supporting clear text only than need to reach resources on the internet that support tls1.2 only. dev machine >> (clear text) >> vIP (LTM Explicit Proxy) >> (encrypted - TLS1.2) Internet Resources

     

    I've tried different ways of using server/client ssl profiles without success. Before going with "tunnel" vIP and SSL Forward Proxy I wanted to see if there is any other way around as from what I read this solution would require additional license.

     

  • Tosin_Omojola's avatar
    Tosin_Omojola
    Icon for Altostratus rankAltostratus
    Jun 13, 2017

    This was working before but now, it just stopped working. The proxy no longer responds to requests