Use F5 LTM as HTTP Proxy

Problem this snippet solves:

The LTM product can be used as an HTTP proxy for servers and PCs.

This code explains the minimum requirements to configure the proxy feature without the SWG module (configuration derived from the Explicit Forward Proxy documentation) and without the explicit proxy iApp.

How to use this snippet:

All these commands must be run in bash shell.

Create HTTP PROXY VIRTUAL SERVER

Configure the variables used in the next commands.

The variable HTTPBaseName is used to create:

  • Resolver object : RESOLVER_${HTTPBaseName}
  • HTTP profile : http_${HTTPBaseName}
  • virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

Create the DNS resolver with your DNS server (1.1.1.1 is used for the demo; it is Cloudflare's public resolver).

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

Create an HTTP profile of type explicit that uses the DNS resolver.

The parameter default-connect-handling allow lets HTTPS (CONNECT) requests through without SSL inspection.

tmsh create ltm profile http http_${HTTPBaseName} {  defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

Create the HTTP proxy virtual server.

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests; it is only needed to enable SSL inspection of HTTPS requests.
Note: the following configuration requires the SSL Forward Proxy license.

Configure the variables used in the next commands.

The variable SSLBaseName is used to create:

  • certificate / key pair : ${SSLBaseName}
  • Client SSL profile : clientssl_${SSLBaseName}
  • Server SSL profile : serverssl_${SSLBaseName}
  • virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create a self-signed certificate for CA use (not possible from the WebUI).

Self-signed certificates created in the WebUI do not have the CA capability required for SSL FORWARD PROXY.

# 4096-bit RSA key for the proxy CA (the snippet originally read 4094, a typo)
openssl genrsa -out ${dirname}/${SSLBaseName}.key 4096
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import the key and certificate into TMOS.

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt

After the CA certificate is imported, open the WebUI, download it and import it into the trusted CA store of the client browsers.

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

Create the SSL FORWARD PROXY virtual server.

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note: these commands were tested on both version 12.1 and version 13.1.
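The HTTP proxy steps above, wrapped into one validated, dry-run-capable deployment function, plus the CA-capability check that the SSL FORWARD PROXY section depends on. This is an added example, not part of the original snippet; DNS_SERVER and DRY_RUN are hypothetical variables, and check_ca_cert assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original snippet): renders and runs the three tmsh
# commands for the explicit HTTP proxy after validating every input, and checks
# that a CA certificate really carries CA:TRUE before it is installed in TMOS.
# Hypothetical variables: DNS_SERVER (resolver target), DRY_RUN (print instead of run).

# tmsh object names and IP/port inputs are validated before anything is created.
valid_name() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1;; esac; }
valid_port() { case $1 in ''|*[!0-9]*) return 1;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
valid_ipv4() (  # subshell so the IFS change stays local
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) exit 1;; esac
    [ "$o" -le 255 ] || exit 1
  done
)

# The three tmsh commands from the snippet, rendered from variables.
resolver_cmd() {  # $1 base name, $2 DNS server
  printf 'tmsh create net dns-resolver RESOLVER_%s { forward-zones replace-all-with { . { nameservers replace-all-with { %s:domain { } } } } route-domain 0 }\n' "$1" "$2"
}
http_profile_cmd() {  # $1 base name, $2 default-connect-handling (allow|deny)
  printf 'tmsh create ltm profile http http_%s { defaults-from http-explicit explicit-proxy { default-connect-handling %s dns-resolver RESOLVER_%s } proxy-type explicit }\n' "$1" "$2" "$1"
}
vs_cmd() {  # $1 base name, $2 VS IP, $3 VS port
  printf 'tmsh create ltm virtual VS_%s { destination %s:%s ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_%s { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }\n' "$1" "$2" "$3" "$1"
}

# Returns 2 on bad input, 1 if a tmsh command fails, 0 on success.
# With DRY_RUN=1 the commands are printed instead of executed (usable off-box).
deploy_http_proxy() {  # $1 base name, $2 VS IP, $3 VS port, $4 DNS server, $5 allow|deny
  valid_name "$1" && valid_ipv4 "$2" && valid_port "$3" && valid_ipv4 "$4" || return 2
  case $5 in allow|deny) ;; *) return 2;; esac
  for c in "$(resolver_cmd "$1" "$4")" "$(http_profile_cmd "$1" "$5")" "$(vs_cmd "$1" "$2" "$3")"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$c"; else eval "$c" || return 1; fi
  done
}

# A certificate without the CA bit cannot serve as proxy-ca-cert (the reason the
# snippet uses openssl instead of the WebUI): verify basicConstraints CA:TRUE first.
check_ca_cert() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# Dry run with the snippet's defaults; unset DRY_RUN on the BIG-IP to apply.
DRY_RUN=1 deploy_http_proxy "${HTTPBaseName:-HTTP_FORWARD_PROXY}" "${VS_IP:-192.168.2.80}" "${VS_PORT:-8080}" "${DNS_SERVER:-1.1.1.1}" allow
```

Run check_ca_cert on the .crt file before the tmsh install step; a non-zero exit means the certificate will not work as the forward proxy CA.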

Updated Jun 06, 2023
Version 2.0
  • Hello,

    Yeah I did find a solution.

    Please do not forget to enable the Advanced view in the Virtual Server configuration mode!

    First, create a new Tunnel interface (this is in the VLAN menu of the BIG-IP):

    Name : MyTunnelInterface (choose whatever you want)

    Profile : tcp-forward

    Then, you have to configure 2 virtual servers:

    • One VS (type Standard) is listening on TCP/8080 and ENABLED ON THE INTERFACE WHERE CLIENTS ARE COMING FROM

    Important settings on this VS:

    SNAT : Automap

    HTTP Profile : http-explicit

    • Another VS is of type "Forwarding IP" and has the following config:

    Source : 0.0.0.0/0

    Destination : 0.0.0.0/0

    Service port : All ports

    Enabled on : MyTunnelInterface (this is very important, use the name you have chosen earlier in this guide)

    Protocol : TCP (this prevents any kind of performance penalty)

    Profile : FastL4 with loose initiation and loose close enabled (I created a new profile from the existing default FastL4 profile)

    SNAT : Automap mode

    And voila, you should be good to go.

    This is working on the following cluster:

    2x BIG-IP w/ BEST bundle in HA Active / Passive mode

    I hope this guide will somewhat help you.

    Regards.


  • Hi Nicol4s

    Thanks for sharing the information.

    Well, still, this solution is also not working.

    I think there is some other configuration that should be done when working with partitions ...


  • Hi Nicol4s

    I think I managed to solve the issue.

    I put everything in the same partition and the same route domain,

    then internet works,

    but the thing is that I need to change the next hop for this kind of traffic;

    when I add a pool to both VSs, nothing works ..

    Do you have any idea on how to change the next hop for both of those VSs?

  • Hi

    I know this is an old thread, but I followed the implementation as suggested and it works fine for HTTP traffic, but if I try ICMP or SMTP it fails. Any suggestions?