Use F5 LTM as HTTP Proxy

Problem this snippet solves:

LTM product can be used as a HTTP Proxy for servers and PC.

This code explains minimum requirements to configure proxy feature without SWG module (configurations from Explicit Forward Proxy documentation without documentation ) and without explicit proxy iApp.

How to use this snippet:

All these commands must be run in bash shell.

Create HTTP PROXY VIRTUAL SERVER

Configure variables used in next commands

Variable HTTPBaseName is used to create :

  • Resolver object : RESOLVER_${HTTPBaseName}
  • HTTP profile : http_${HTTPBaseName}
  • virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

create DNS resolver with your DNS server (1.1.1.1 is for demo using cloudflare)

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

create HTTP profile type explicit, using DNS resolver.

The parameter default-connect-handling allow enables HTTPS connections without SSL inspection

tmsh create ltm profile http http_${HTTPBaseName} {  defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

create HTTP proxy Virtual server

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled}

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.
Note : Following configuration requires SSL, Forward Proxy License.

Configure variables used in next commands

Variable SSLBaseName is used to create :

  • certificate / key pair : ${SSLBaseName}
  • Client SSL profile : clientssl_${SSLBaseName}
  • Server SSL profile : serverssl_${SSLBaseName}
  • virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create self-signed certificate for CA purpose (not available in WebUI)

Self-signed certificates created in WebUI doesn't have CA capability required for SSL FORWARD PROXY.

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import certificates in TMOS

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key; 
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt; 

After CA Certificate is imported, browse in WebUI, retrieve it and import it in client browsers trusted CA

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

create SSL FORWARD PROXY Virtual server

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with  { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note : These commands were tested in both 12.1 and 13.1 versions.

Code :

No Code
Updated Jun 06, 2023
Version 2.0