Use F5 LTM as HTTP Proxy
Problem this snippet solves:
The LTM product can be used as an HTTP proxy for servers and PCs.
This snippet gives the minimum configuration needed for the explicit proxy feature without the SWG module (the objects are taken from the Explicit Forward Proxy documentation, reduced to what is strictly required) and without the explicit proxy iApp.
How to use this snippet:
All of these commands must be run from the bash shell: the ${...} variables are expanded by bash before tmsh is invoked.
Create HTTP PROXY VIRTUAL SERVER
Configure the variables used in the following commands.
The HTTPBaseName variable is used to name:
- the resolver object: RESOLVER_${HTTPBaseName}
- the HTTP profile: http_${HTTPBaseName}
- the virtual server: VS_${HTTPBaseName}
HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"
Create a DNS resolver pointing at your DNS server (1.1.1.1, Cloudflare, is used here only for the demo).
tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }
Create an HTTP profile of type explicit that uses the DNS resolver.
With default-connect-handling allow, CONNECT requests from clients (HTTPS) are tunnelled through the proxy as-is, without SSL inspection.
tmsh create ltm profile http http_${HTTPBaseName} { defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }
Create the HTTP proxy virtual server. Note that with source 0.0.0.0/0 every host that can reach ${VS_IP}:${VS_PORT} is able to use the proxy; on anything but a lab, restrict the source setting to your client subnets.
tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
ENABLE SSL FORWARD PROXY
This section is not needed to forward HTTPS requests; it only enables SSL inspection (decryption) of HTTPS traffic.
Note: the following configuration requires the SSL Forward Proxy license.
Configure the variables used in the following commands.
The SSLBaseName variable is used to name:
- the certificate / key pair: ${SSLBaseName}
- the client SSL profile: clientssl_${SSLBaseName}
- the server SSL profile: serverssl_${SSLBaseName}
- the virtual server: VS_${SSLBaseName}
SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO COMPANY/CN=SSL FORWARD PROXY CA"
Create a self-signed CA certificate (this is not possible from the WebUI).
Self-signed certificates created in the WebUI do not carry the CA capability (basicConstraints CA:TRUE) that SSL forward proxy needs to sign the per-site certificates it generates.
openssl genrsa -out ${dirname}/${SSLBaseName}.key 4096
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"
Import the key and certificate into TMOS
tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt
Once the CA certificate is imported, download it from the WebUI and import it into the trusted CA store of the client browsers; otherwise every inspected site will show a certificate warning.
Create the SSL profiles for SSL forward proxy (the client-side profile carries the CA used to forge site certificates; the server-side profile handles the connection to the real site).
tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }
Create the SSL forward proxy virtual server. It listens only on the http-tunnel VLAN, i.e. on the CONNECT tunnels handed over by the explicit proxy, and does not translate addresses or ports.
tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }
Change the HTTP explicit proxy's default connect handling to deny. With deny, the explicit proxy no longer tunnels CONNECT requests on its own; the traffic is passed over http-tunnel, where the virtual server above picks it up and decrypts it. Keep allow if you skipped this section, otherwise CONNECT requests will fail.
tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }
Note: these commands were tested on both 12.1 and 13.1.
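To check both parts of the procedure from a client, here is an added example (not part of the original snippet): a small probe that sends a CONNECT request to the explicit proxy, parses the proxy's answer (200 when the tunnel is opened, anything else such as the 503 reported in the comments when it is refused), and then completes a TLS handshake inside the tunnel to report who issued the certificate. With SSL forward proxy active and the exported CA passed as cafile, the issuer CN is the CA created above ("SSL FORWARD PROXY CA"); without inspection it is the site's real CA. Only the Python standard library is used; the proxy address, target host and the FakeProxySocket replies are constructed for the demo and are assumptions, not values from the page.

```python
"""Probe an explicit HTTP proxy (e.g. VS_${HTTPBaseName} above): CONNECT, then TLS.

Added example, not part of the original snippet. Standard library only.
"""
import socket
import ssl
import sys


def build_connect_request(host, port):
    """Authority-form CONNECT request (RFC 7231 section 4.3.6), as a browser sends it."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Proxy-Connection: keep-alive\r\n"
            "\r\n" % (target, target)).encode("ascii")


def read_proxy_response(sock):
    """Read the proxy's response head; return (status, reason, leftover_bytes).

    Only the head (up to the blank line) is consumed; anything after it belongs to
    the tunnel. Bounded so a misbehaving proxy cannot make us buffer forever.
    """
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ValueError("proxy response head exceeds 64 KiB")
    head, leftover = buf.split(b"\r\n\r\n", 1)
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed proxy status line: %r" % status_line)
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, leftover


def open_tunnel(sock, host, port):
    """Ask the proxy for a tunnel to host:port; raise ConnectionError if refused."""
    sock.sendall(build_connect_request(host, port))
    status, reason, leftover = read_proxy_response(sock)
    if status != 200:
        raise ConnectionError("CONNECT %s:%d refused: %d %s" % (host, port, status, reason))
    if leftover:
        # A 2xx reply to CONNECT has no body; a TLS server never speaks before our
        # ClientHello, so bytes here mean the proxy is not behaving as a plain tunnel.
        raise ValueError("unexpected %d bytes after CONNECT response head" % len(leftover))
    return status


def common_name(rdn_sequence):
    """CN from the issuer/subject structure that ssl's getpeercert() returns."""
    for rdn in rdn_sequence:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def tls_issuer_via_proxy(proxy_host, proxy_port, host, port=443, cafile=None, timeout=10):
    """(issuer CN, subject CN) of the certificate served for host through the proxy.

    Pass the exported proxy CA as cafile when testing an inspecting proxy; with the
    system store alone the handshake fails verification, which is itself the signal
    that the certificate is being forged by the proxy.
    """
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        open_tunnel(raw, host, port)
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    finally:
        raw.close()
    return common_name(cert.get("issuer", ())), common_name(cert.get("subject", ()))


class FakeProxySocket:
    """Constructed stand-in for a proxy connection so the parsing runs offline."""

    def __init__(self, canned_reply):
        self.sent = b""
        self._reply = canned_reply

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self._reply = self._reply[:n], self._reply[n:]
        return chunk


def offline_demo():
    """Both outcomes against constructed replies; returns (accepted status, refused status)."""
    accepted = open_tunnel(FakeProxySocket(b"HTTP/1.1 200 Connection established\r\n\r\n"),
                           "example.com", 443)
    try:
        open_tunnel(FakeProxySocket(b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"),
                    "example.com", 443)
        refused = None
    except ConnectionError:
        refused = 503
    return accepted, refused


if __name__ == "__main__":
    # usage: probe.py PROXY_HOST PROXY_PORT TARGET_HOST [CA_FILE]; no args runs the offline demo
    if len(sys.argv) < 4:
        print(offline_demo())
    else:
        ca = sys.argv[4] if len(sys.argv) > 4 else None
        issuer, subject = tls_issuer_via_proxy(sys.argv[1], int(sys.argv[2]), sys.argv[3], cafile=ca)
        print("subject CN:", subject)
        print("issuer CN: ", issuer)
```

Run it as `probe.py 192.168.2.80 8080 www.example.com /path/to/SSL_FORWARD_PROXY.crt` (addresses assumed from the variables above). A non-200 answer to CONNECT shows up as a ConnectionError with the proxy's status line, which is far quicker to read than a packet capture; an issuer CN equal to your CA subject confirms that the deny/http-tunnel hand-off and the SSL profiles are in effect.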
- Stanislas_Piro2 (Cumulonimbus)
@James: Can you please give the part number of this license?
I can't find this license in the price list.
- James_Lagermann (Nimbostratus)
@Stanislas, send me an email at j.lagermann@ so we can chat offline. The product team is making some changes to the Forward Proxy license. I'll update this once those changes are finalized.
- F-X_Prouvost_11 (Nimbostratus)
Hello James, could you please define what exactly is contained in the "SSL, Forward Proxy" module license? Does the SWG license also contain the SSL Forward Proxy? Or if we want to run the full Forward Proxy feature, do we have to buy both? Is the SSL Forward Proxy included in a Best Bundle? (I don't think so, but I would prefer to have confirmation.) Thanks, FX
- James_Lagermann (Nimbostratus)
@F-X Prouvost, the SSL Forward Proxy license enables the BIG-IP to dynamically generate SSL Certificates to mimic the site the client is attempting to reach. This allows the BIG-IP to decrypt the traffic for inspection. The SSL Forward Proxy license is not included with any of the Good, Better, Best bundles but it is included with SWG and SSLO.
- RossF5 (Nimbostratus)
Thank you, Stanislas, a superb solution for something I had been trying to achieve for a while! Works like a charm :)
- Nicol4s (Nimbostratus)
I've followed the guide in order to have a simple Forward Proxy WITHOUT SSL inspection.
I'm using BIG-IP OS version 13.1.1.4.
However, I get the following error: 503 Service Unavailable.
According to some users on DevCentral, I need the module "SSL, Forward Proxy" to be activated.
This configuration works great on my VE Lab license because it includes the SSL, Forward Proxy module!
Sadly, I don't think that Stanislas Piron is right when he says that this very module is NOT required for a basic Proxy Forwarding VIP...
Any help would be much appreciated.
- Abed_AL-R (Cirrostratus)
If SSL, Forward Proxy is listed as an optional module, how do I activate it?
- Stanislas_Piro2 (Cumulonimbus)
If SSL, Forward Proxy is listed as an optional module and you require it, contact your local F5 sales team.
If you don't want to enable SSL decryption, you can skip the section ENABLE SSL FORWARD PROXY.
- Abed_AL-R (Cirrostratus)
No, I don't want to decrypt SSL.
But are there any further requirements for F5 with partitions?
What I'm trying to say is that I implemented the above configuration but I'm getting a connection error.
In my environment I'm trying to forward this kind of traffic to another transparent proxy.
So I applied the above configuration and attached a pool to the VS pointing to the transparent proxy.
Am I missing something here?
- Abed_AL-R (Cirrostratus)
I'm getting the same error.
Did you manage to solve the issue?
In the browser I'm getting a connect error; in the PCAP file I see 503 Service Unavailable.
I'm using v13.1.1.5 on a Viprion 2250 divided into multiple partitions.