HTTP_PROXY_REQUEST
Problem this snippet solves:
Triggered when a virtual server has proxy-mode explicit set and one of the following two scenarios is true:
- the request has a full URI of the form http://hostname:port/path (much like HTTP_REQUEST, but with access to the original URI)
- the request is a CONNECT request (e.g. CONNECT hostname:port HTTP/1.1)
This event allows manipulation of either the request URI, or control of whether the BIG-IP performs the proxy action.
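An offline model of the two trigger scenarios above, added here as an example (Python, not iRule code and not from the original page): it classifies a request line as a full-URI request, a CONNECT request, or an ordinary request, and reproduces the host test that Example 1 below intends. The function names, the lower-casing and trailing-dot handling, and the acceptance of https:// targets are assumptions of this model, not documented BIG-IP behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(host):
    # Lower-case and drop a trailing root dot so suffix checks compare like with like
    return host.lower().rstrip(".")


def classify_request_target(method, target):
    """Return (form, host, port) for an HTTP/1.1 request line.

    'absolute'  -> http://hostname:port/path   (first scenario above)
    'authority' -> CONNECT hostname:port       (second scenario above)
    'origin'    -> /path, an ordinary request that is not a proxy request
    """
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed CONNECT target: {target!r}")
        # IPv6 literals arrive bracketed, e.g. [2001:db8::1]:443
        return "authority", _normalize(host.strip("[]")), int(port)
    if target.startswith("/") or target == "*":
        return "origin", None, None
    parts = urlsplit(target)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported request target: {target!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return "absolute", _normalize(parts.hostname), port


def is_proxy_request(method, target):
    # True for the two request forms the event description lists
    return classify_request_target(method, target)[0] != "origin"


def chain_to_internal(method, target, suffix=".internal.domain.com"):
    """Model of Example 1's intended test: not CONNECT and host ends with suffix."""
    form, host, _ = classify_request_target(method, target)
    return form == "absolute" and host.endswith(suffix)


if __name__ == "__main__":
    # Constructed request lines, not captured traffic
    for m, t in [("GET", "http://App.Internal.Domain.Com:8080/x"),
                 ("CONNECT", "app.internal.domain.com:443"),
                 ("GET", "/def.html")]:
        print(m, t, classify_request_target(m, t), chain_to_internal(m, t))
```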
Related Information
Available Commands:
- HTTP::uri - Returns or sets the URI part of the HTTP request.
- HTTP::proxy - Controls the application of HTTP proxy when using an Explicit HTTP profile
- pool - Causes the system to load balance traffic to the specified pool or pool member regardless of monitor status.
Sample Code:
Allow HTTP Explicit Proxy (11.5.1+) to handle shortname resolution - Support shortname hosts with an LTM 11.5.1+ explicit proxy profile.
Introduced: BIGIP-11.5.0
Code :
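# Example 1: Simple Proxy Chaining
when HTTP_PROXY_REQUEST {
    # Parenthesize the comparison: "not" binds tighter than the comparison operator,
    # and "eq" compares the method as a string
    if { (not ([HTTP::method] eq "CONNECT")) && [URI::host [HTTP::uri]] ends_with ".internal.domain.com" } {
        # Skip BIG-IP's own proxy action and hand the request to the upstream proxy pool
        HTTP::proxy disable
        pool internal_proxy_3128
    } else {
        HTTP::proxy enable
    }
}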
# Example 2: Advanced Proxy Chaining & URI Rewriting
when HTTP_PROXY_REQUEST {
    log local0. "[HTTP::method] [HTTP::uri]"
    switch [string tolower [URI::host [HTTP::uri]]] {
        "www.google.com" {
            # send request to default pool (aka proxy-chaining)
            HTTP::proxy disable
        }
        "www.abc.com" {
            # change request to a different host - remains a proxy request
            HTTP::uri http://www.google.com/
        }
        "www.def.com" {
            # change request to a normal (not proxy) request - goes to the default pool
            HTTP::uri /def.html
        }
    }
}
when HTTP_REQUEST {
    log local0. "[HTTP::method] [HTTP::uri]"
}
# Example 3: Proxy Chaining via Categorization (Requires either an SWG or URL Filtering Subscription)
when RULE_INIT {
    log local0. "Proxy Chain iRule"
    set static::Proxy_Chain_categories {
        /Common/Restaurants_and_Dining
    }
    set static::Proxy_Chain_debug 1
}
when HTTP_PROXY_REQUEST {
    set proxy_chain 0
    if { $static::Proxy_Chain_debug } { log local0. "URI: [HTTP::uri]" }
    # Check for a category match
    set reply [getfield [CATEGORY::lookup [HTTP::uri]] " " 1]
    if { [lsearch -exact $static::Proxy_Chain_categories $reply] >= 0 } {
        if { $static::Proxy_Chain_debug } { log local0. "HIT: The category $reply should be bypassed for [HTTP::uri]" }
        set proxy_chain 1
    }
    # Check for a URI::host for HTTP connections
    if { [URI::host [HTTP::uri]] == "www.cariboucoffee.com" } {
        set proxy_chain 1
    }
    # Perform the prescribed action
    if { $proxy_chain } {
        if { $static::Proxy_Chain_debug } { log local0. "Proxy Chain: [HTTP::method] URI:[HTTP::uri]" }
        HTTP::proxy disable
        snat 10.10.1.10
        pool squid
    }
}
6 Comments
- hoolio
Cirrostratus
not [HTTP::method] == "CONNECT" needs to be: not ([HTTP::method] eq "CONNECT")
- Sec-Enabled_658
Cirrostratus
I have a scenario where a customer wants to do proxy-chaining on one of their vips (explicit proxy), but still wants to use URL filtering through SWG as well (SWG on 11.6, no ssl intercept). I noticed that the first example iRule above allowed for proxy chaining, but seemed to obfuscate the URI, and during the URL category lookup for SWG it would always show "uncatergorized" in the log and through the SWG interface. I went back and modified the proxy chain iRule so that HTTPS traffic will use the "HTTP::proxy disable" command (look for CONNECT as method), but make HTTP traffic get the URI manipulated manually in the HTTP_REQUEST event (happens after the HTTP_PROXY event). This seems to fix the SWG category lookup error I was seeing, but I wanted to see if anyone had any recommendations. Here is an example from the APM log:
perflow.category_lookup.result.url, value: http://www.simplesite.comhttp://www.simplesite.com/android-chrome-192x192.png
- 3junior_134880
Nimbostratus
Anyone know how to set up so SSL traffic is terminated on F5 and then a new Explicit Proxy is created to Squid?
- yokamoto
Employee
I want to insert a header with Explicit HTTP Proxy. Can I use both "HTTP::header insert " and "HTTP::proxy enable" in the event of "HTTP_PROXY_REQUEST"? Like this:
if { [HTTP::host] contains "www.example.com" } { HTTP::header insert "X-Original-Header: XYZ" HTTP::proxy enable } ...
- yokamoto
Employee
Reply by myself.
It works. Like this iRule.
if { [HTTP::host] contains " } { HTTP::header insert "X-Forwarded-For" [IP::client_addr] HTTP::proxy enable }
- kohli9harjeev
Nimbostratus
Will this work for a site like https://esrc3-core.emc.com which uses the CONNECT method? I tried to use this iRule and created a pool with the site's public IP as member, but no luck. Can someone please guide?
Regards, Harjeev