Use F5 LTM as HTTP Proxy

Stanislas_Piro2 · ‎04-May-2018

Problem this snippet solves:

LTM product can be used as a HTTP Proxy for servers and PC.

This code explains minimum requirements to configure proxy feature without SWG module (configurations from Explicit Forward Proxy documentation without documentation ) and without explicit proxy iApp.

How to use this snippet:

All these commands must be run in bash shell.

Create HTTP PROXY VIRTUAL SERVER

Configure variables used in next commands

Variable HTTPBaseName is used to create :

Resolver object : RESOLVER_${HTTPBaseName}
HTTP profile : http_${HTTPBaseName}
virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

create DNS resolver with your DNS server (1.1.1.1 is for demo using cloudflare)

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

create HTTP profile type explicit, using DNS resolver.

The parameter default-connect-handling allow enables HTTPS connections without SSL inspection

tmsh create ltm profile http http_${HTTPBaseName} {  defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

create HTTP proxy Virtual server

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled}

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.
Note : Following configuration requires SSL, Forward Proxy License.

Configure variables used in next commands

Variable SSLBaseName is used to create :

certificate / key pair : ${SSLBaseName}
Client SSL profile : clientssl_${SSLBaseName}
Server SSL profile : serverssl_${SSLBaseName}
virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create self-signed certificate for CA purpose (not available in WebUI)

Self-signed certificates created in WebUI doesn't have CA capability required for SSL FORWARD PROXY.

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import certificates in TMOS

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key; 
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt;

After CA Certificate is imported, browse in WebUI, retrieve it and import it in client browsers trusted CA

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

create SSL FORWARD PROXY Virtual server

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with  { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note : These commands were tested in both 12.1 and 13.1 versions.

Code :

No Code

Kevin_Davies · ‎07-May-2018

Any minimum version required?

Stanislas_Piro2 · ‎07-May-2018

I tested it in version 13.1.

All this configuration will work in version 11.5 and above, but I'm not sure command syntax is still the same between these versions.

Ashish_205344 · ‎03-Jun-2018

Hi Stanislas, Thanks for this info. It working for me as such, but with some latency. google taking 10 sec to load, any further suggestions..??

Stanislas_Piro2 · ‎06-Jun-2018

In my lab (10mbps lab license on a home lab esxi) with this configuration, google is as quick with LTM as proxy as without it, even if I enable SSL FORWARD PROXY.

the main goal of this share is to show how LTM standalone works as a proxy from basics to SSL inspection.

You can change tcp profile in the virtual server to :

version 13
- f5-tcp-lan client side
- f5-tcp-wan server side
earlier versions
- tcp-lan-optimized client side
- tcp-wan-optimized server side

s3nthil_183015 · ‎16-Aug-2018

hi, the code appears to be missing,i am assuming you used http:proxy disable and provided a forward string to route direct? I tried using ltm policy but this requires the forward to have a node, pool or vserver - rather than routing the traffic direct to the external web. please share the code if this is still valid for version 13.x

Stanislas_Piro2 · ‎16-Aug-2018

This is not a code but a list of all tmsh commands to create a http proxy virtual server!

All commands are in this article and working in version 13.1!

s3nthil_183015 · ‎17-Aug-2018

Thanks Stainslas. I will give it a go.

Manish_Vashish1 · ‎21-Aug-2018

Do we need to add Pool members. It not working for me. Getting reset connection from F5.

Stanislas_Piro2 · ‎21-Aug-2018

These lines are the only commands I used!

No pool required!

Stanislas_Piro2 · ‎04-Sep-2018

@james, The SSL decrypt feature requires SSL FORWARD PROXY license as explained in description.

Stanislas_Piro2 · ‎07-Sep-2018

@James : Can you please give the part number of this license?

I don't find this license in price list?

James_Lagermann · ‎07-Sep-2018

@Stanislas, Send me an email at j.lagermann@ so we can chat offline. The product team is making some changes to the Forward Proxy license. I'll update this once those changes are finalized.

F-X_Prouvost_11 · ‎08-Nov-2018

Hello James, Could you please define what is exactly contained in the "SSL, Forward Proxy" Module License ? Is the SWG License contains also the SSL Forward Proxy ? Or if we want to run full Forward Proxy feature we have to buy both ? Is the SSL Forw Proxy is included in a Best Bundle ? (Don't think but I prefer have confirmation). Thanks, FX

James_Lagermann · ‎08-Nov-2018

@F-X Prouvost, the SSL Forward Proxy license enables the BIG-IP to dynamically generate SSL Certificates to mimic the site the client is attempting to reach. This allows the BIG-IP to decrypt the traffic for inspection. The SSL Forward Proxy license is not included with any of the Good, Better, Best bundles but it is included with SWG and SSLO.

The Standalone SSL Forward Proxy license is being discontinued for all but the Viprion models. For all other models, you have to purchase SSLO or SWG, which include the license.

RossF5 · ‎30-Apr-2019

Thankyou Stanislas - a superb solution for something I had been trying to achieve for a while! Works like a charm 🙂

Nicol4s · ‎08-May-2019

I've followed the guide in order to have a simple Forward Proxy WITHOUT SSL inspection.

I'm using BIG-IP OS version 13.1.1.4

However I get the following error : 503 Service unavailable

According to some users on DevCentral, I need the module "SSL, Forward Proxy" to be activated.

This configuration works great on my VE Lab license because it includes the SSL, Forward Proxy module !

Sadly , I don't think that Stanislas Piron is right when he says that this very module is NOT required for a basic Proxy Forwarding VIP...

Any help would be much appreciated.

Abed_AL-R · ‎20-Nov-2019

if ssl, forward proxy is listed in optional module , how to activate it ?

Stanislas_Piro2 · ‎20-Nov-2019

if ssl, forward proxy is listed in optional module and you require it, contact your local F5 sales team.

If you don't want to enable SSL decrypting, you can miss the section ENABLE SSL FORWARD PROXY

Abed_AL-R · ‎20-Nov-2019

@Stanislas Piron

No I don't want to decrypt SSL

But is there any further requirements for F5 with partitions?

What I'm trying to say is that I implemented the above configuration but getting connection error.

In my environment I'm trying to forward this kind of traffic to another transparent proxy.

So I configured the above configuration and attached a pool to the VS pointing to the transparent proxy.

Do I miss something here?

Abed_AL-R · ‎20-Nov-2019

@Nicol4s

The same error I'm getting

Did you manage to solve the issue?

on browser I'm getting connect error. in the PCAP file I see 503 service unavailable

I'm using v13.1.1.5 Viprion 2250 divided into multiple partitions

Nicol4s · ‎20-Nov-2019

Hello,

Yeah I did find a solution.

Please do not forget to enable the Advanced view in the Virtual Server configuration mode !

First, create a new Tunnel interface ( this is in the VLAN menu of the BIG-IP ) :

Name : MyTunnelInterface ( choose whatever you want )

Profile : tcp-forward

Then, you have to configure 2 virtual servers :

One VS (type Standard) is listening on TCP/8080 and ENABLED ON THE INTERFACE WHERE CLIENTS ARE COMING FROM

Important settings on this VS :

SNAT : Automap

HTTP Profile : http-explicit

Another VS is of type "Forwarding IP" and has the following config :

Source : 0.0.0.0/0

Destination : 0.0.0.0/0

Service port : All ports

Enabled on : MyTunnelInterface ( This is very important, use the name you have chosen earlier in this guide )

Protocol : TCP ( This prevents any kind of performance penalty )

Profile : FastL4 with loose initiation and loose close enabled ( I created a new profile from the existing default FastL4 profile )

SNAT : Automap mode

And voila, you should be good to go.

This is working on the following cluster :

2x BIG IP w/ BEST bundle in HA Active / Passive mode

I hope this guide will somewhat help you.

Regards.

Abed_AL-R · ‎20-Nov-2019

Hi Nicol4s

Thanks for information sharing

Well, still, also this solution is not working

I think there is some other configuration should be done when working with partitions ...

Abed_AL-R · ‎21-Nov-2019

Hi Nicol4s

I think I managed to solve the issue

I put everything in the same partition and the same route domain

then internet works

but the thing is that I need to change the next hop for this kind of traffic

when I add pool to both VS , nothing works ..

Do you have any idea on how to change the next hop for those both VS's ?

Mick · ‎07-Feb-2022

Hi

I know this is an old thread, but I followed the implementation as suggested and it works fine for HTTP traffic but if i try ICMP or SMTP it fails. Any suggestions?