HTTP Explicit Proxy - V11.5+

Smithy · ‎11-Mar-2015

Problem this snippet solves:

This iApp configures an Explicit Proxy using the new "Explicit" Proxy Mode that was introduced into the HTTP Profile in BIG-IP 11.5.

You only need LTM or APM provisioned.

It creates all configuration components required including:

DNS Resolvers
TCP Tunnel
HTTP Profile (Explicit)
Default Connect Handling set to Allow
SNAT Pools (Optional)
SNAT Default is Automap

If you require the Explicit Proxy to listen on more than 1 port e.g 3128 and 8080, simply just create another Application Service.

Contributed by: Brett Smith

How to use this snippet:

Payal_S · ‎13-Apr-2016

Thanks Brett, I am using this iApp - Really helpful.

Jos_Baanders_17 · ‎19-Apr-2016

Thanks for sharing this, how best could we filter URL's, have a whitelist of permitted sites and block all others?

Eric_Marquez_25 · ‎27-Apr-2016

Brett, does this support proxy auth. I'm doing some testing and I would like to use my Virtual F5 as a forwarding proxy with Auth. The auth can be a single username/pass. is it possible to get this added to it?

xunil321_122934 · ‎08-Jul-2016

Eric, we are also interested in implementing some sort of user authentication.

Did you had success with your Auth?

Sebastian_Maniak · ‎13-Sep-2016

Great work, thanks.

Smithy · ‎16-Nov-2016

Hi Jos,

¬†

You can filter URLs, I would recommend the SWG iApp: https://devcentral.f5.com/s/articles/f5-secure-web-gateway-iapp-template

¬†

It doesn't require a SWG license in 12.1+ and you can create your own custom categories.

¬†

Smithy · ‎16-Nov-2016

Hi Eric,

It supports Auth on the Client side. It doesn't support Proxy Chaining - this feature is due to release in BIG-IP 13.0

willerman · ‎13-Mar-2017

Great iApp!! Works like a charm for HTTP and HTTPS :) Can this somehow be adapted to FTP(S), SFTP and SOCKS?

Cheers

dihris_116090 · ‎08-May-2017

Great work! I managed to deploy successfully explicit proxy for HTTP/HTTPS calls.

Brett, is there a way to control server side encryption separate from the client side without using SSL Forward Proxy features? The problem I'm trying to solve is that I have dev machines supporting clear text only than need to reach resources on the internet that support tls1.2 only. dev machine >> (clear text) >> vIP (LTM Explicit Proxy) >> (encrypted - TLS1.2) Internet Resources

I've tried different ways of using server/client ssl profiles without success. Before going with "tunnel" vIP and SSL Forward Proxy I wanted to see if there is any other way around as from what I read this solution would require additional license.

Tosin_Omojola · ‎13-Jun-2017

This was working before but now, it just stopped working. The proxy no longer responds to requests

Leo_S_356957 · ‎04-Apr-2018

Hello,

I am trying to automate creation of this iapp. So far I have got the following variables and tables:

tmsh create sys application service Proxy { template f5.explicit_proxy tables add { tmsh show /sys serviceresolver__rootresolvers { column-names { ip } rows { { row { 8.8.8.8 } } } } proxy__client_vlan { column-names { vlans } rows { { row { internal } } } } } variables add { proxy__explicit__ip { value 10.51.126.5 } proxy__name { value Proxy } proxy__explicit__port { value 3128 } resolver__intresolvers { value /default } proxy__snatpool { value /default } } }

and I am geting an error:

Syntax Error: incomplete command

Can anyone help get this working?

Many Thanks

s3nthil_183015 · ‎17-Aug-2018

Thanks for sharing. This works well.

NVSmithers · ‎28-Nov-2018

Is this designed to work with version 13.1.1? I cant seem to get it to work to save my life.

viktor_kloezer · ‎16-May-2019

Hi Brett, the link seems to be not valid anymore. Can you, please provide a new one? Thanks a lot!

DevCentral

HTTP Explicit Proxy - V11.5+