on 04-May-2018 09:52 - edited on 05-Jun-2023 22:02 by JimmyPackets
Problem this snippet solves:
The LTM product can be used as an HTTP proxy for servers and PCs.
This snippet lists the minimum configuration needed to enable the explicit forward proxy feature without the SWG module (the configuration comes from the Explicit Forward Proxy documentation) and without the explicit proxy iApp.
How to use this snippet:
All these commands must be run from the bash shell.
The variable HTTPBaseName is used to name the objects created below (DNS resolver, HTTP profile and virtual server):
HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"
tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }
The parameter default-connect-handling allow lets CONNECT requests (HTTPS) be tunneled through the proxy without SSL inspection.
tmsh create ltm profile http http_${HTTPBaseName} { defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }
tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
The following section is not required to forward HTTPS requests; it is only needed to enable SSL inspection of HTTPS requests.
Note: the following configuration requires the SSL, Forward Proxy license.
The variable SSLBaseName is used to name the objects created below (CA key and certificate, client-ssl and server-ssl profiles, and virtual server):
SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"
Self-signed certificates created in the WebUI do not have the CA capability (basicConstraints CA:TRUE) required for SSL FORWARD PROXY, so the CA is generated with openssl from the bash shell instead:
openssl genrsa -out ${dirname}/${SSLBaseName}.key 4096
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"
tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt
After the CA certificate is imported, download it from the WebUI and import it into the client browsers' trusted CA store.
tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }
tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }
Finally, switch CONNECT handling on the explicit proxy profile to deny, so that HTTPS connections are sent into the http-tunnel and picked up by the SSL inspection virtual server above:
tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }
Note: these commands were tested on versions 12.1 and 13.1.
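The following script is an added example and is not part of the original post. It builds the forward-proxy CA the way the post does (openssl req -x509) but names the CA extensions explicitly, so the CA bit does not depend on whichever openssl.cnf the box ships with, and it checks a certificate for the two properties SSL Forward Proxy needs from proxy-ca-cert (basicConstraints CA:TRUE and the keyCertSign key usage) before the files are handed to tmsh install sys crypto. The directory, file names, subject and extension section names are illustrative; the check relies only on openssl being on PATH.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post.
# Generates a self-signed CA for SSL Forward Proxy with explicit CA extensions
# and checks a certificate before "tmsh install sys crypto cert".
# Assumes: openssl on PATH. Paths, names and the subject are illustrative.
set -eu

# Minimal openssl config with two extension sections:
#  fwdproxy_ca : what proxy-ca-cert needs (CA:TRUE, keyCertSign)
#  leaf_only   : a plain self-signed server cert, i.e. what a WebUI-style
#                self-signed certificate looks like (no CA capability)
write_ext_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[fwdproxy_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[leaf_only]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

# make_selfsigned DIR BASENAME SUBJECT EXT_SECTION [BITS]
# Writes DIR/BASENAME.key and DIR/BASENAME.crt, the same layout the post
# installs with "tmsh install sys crypto key|cert ... from-local-file".
make_selfsigned() {
    dir="$1"; base="$2"; subj="$3"; ext="$4"; bits="${5:-4096}"
    cfg="${dir}/${base}.ext.cnf"
    write_ext_config "$cfg"
    openssl genrsa -out "${dir}/${base}.key" "$bits" 2>/dev/null
    openssl req -sha512 -new -x509 -days 3650 \
        -config "$cfg" -extensions "$ext" \
        -key "${dir}/${base}.key" -out "${dir}/${base}.crt" \
        -subj "$subj" 2>/dev/null
}

# is_forward_proxy_ca CERT
# Returns 0 when CERT can issue the mimicked server certificates that
# SSL Forward Proxy generates on the fly: CA:TRUE plus the Certificate Sign
# key usage. Returns 1 otherwise (e.g. a WebUI self-signed certificate).
is_forward_proxy_ca() {
    text="$(openssl x509 -in "$1" -noout -text)"
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Demo: "bash this_script.sh demo" builds both kinds of certificate in a temp
# directory (2048-bit keys to keep it quick; the post uses 4096) and reports
# which one is usable for proxy-ca-cert.
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp -d)"
    make_selfsigned "$tmp" SSL_FORWARD_PROXY \
        "/C=FR/O=DEMO COMPANY/CN=SSL FORWARD PROXY CA" fwdproxy_ca 2048
    make_selfsigned "$tmp" WEBUI_STYLE "/CN=self-signed server cert" leaf_only 2048
    for c in SSL_FORWARD_PROXY WEBUI_STYLE; do
        if is_forward_proxy_ca "$tmp/$c.crt"; then
            echo "$c.crt: OK for proxy-ca-cert"
        else
            echo "$c.crt: NOT usable for proxy-ca-cert"
        fi
    done
fi
```

Once the CA is installed and the virtual servers exist, a client that trusts the CA can confirm the whole path from outside the box: curl -x http://192.168.2.80:8080 --cacert SSL_FORWARD_PROXY.crt -sI https://example.com must succeed, and openssl s_client -proxy 192.168.2.80:8080 -connect example.com:443 (the -proxy option exists from OpenSSL 1.1.0) shows that the certificate presented to the client is issued by the proxy CA rather than by the site's real CA, which is exactly what SSL Forward Proxy is supposed to do.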
Code: No Code
I tested it in version 13.1.
All this configuration will work in version 11.5 and above, but I'm not sure the command syntax is the same across these versions.
Hi Stanislas, thanks for this info. It is working for me as such, but with some latency. Google is taking 10 seconds to load; any further suggestions?
In my lab (10 Mbps lab license on a home-lab ESXi) with this configuration, Google is as quick with LTM as proxy as without it, even if I enable SSL FORWARD PROXY.
The main goal of this share is to show how a standalone LTM works as a proxy, from the basics to SSL inspection.
You can change the tcp profile in the virtual server to:
Hi, the code appears to be missing. I am assuming you used http:proxy disable and provided a forward string to route direct? I tried using an LTM policy, but this requires the forward to have a node, pool or vserver, rather than routing the traffic direct to the external web. Please share the code if this is still valid for version 13.x.
This is not code but a list of all the tmsh commands to create an HTTP proxy virtual server!
All the commands are in this article and working in version 13.1!
Do we need to add pool members? It is not working for me. I am getting connection resets from the F5.
@james, the SSL decrypt feature requires the SSL FORWARD PROXY license, as explained in the description.
@James: can you please give the part number of this license?
I can't find this license in the price list.
@Stanislas, Send me an email at j.lagermann@ so we can chat offline. The product team is making some changes to the Forward Proxy license. I'll update this once those changes are finalized.
Hello James, could you please define what exactly is contained in the "SSL, Forward Proxy" module license? Does the SWG license also contain the SSL Forward Proxy? Or, if we want to run the full Forward Proxy feature, do we have to buy both? Is SSL Forward Proxy included in a Best bundle? (I don't think so, but I prefer to have confirmation.) Thanks, FX
@F-X Prouvost, the SSL Forward Proxy license enables the BIG-IP to dynamically generate SSL Certificates to mimic the site the client is attempting to reach. This allows the BIG-IP to decrypt the traffic for inspection. The SSL Forward Proxy license is not included with any of the Good, Better, Best bundles but it is included with SWG and SSLO.
The Standalone SSL Forward Proxy license is being discontinued for all but the Viprion models. For all other models, you have to purchase SSLO or SWG, which include the license.
I've followed the guide in order to have a simple Forward Proxy WITHOUT SSL inspection.
I'm using BIG-IP OS version 13.1.1.4
However, I get the following error: 503 Service Unavailable
According to some users on DevCentral, I need the module "SSL, Forward Proxy" to be activated.
This configuration works great on my VE Lab license because it includes the SSL, Forward Proxy module !
Sadly, I don't think that Stanislas Piron is right when he says that this very module is NOT required for a basic Proxy Forwarding VIP...
Any help would be much appreciated.
If SSL, Forward Proxy is listed as an optional module and you require it, contact your local F5 sales team.
If you don't want to enable SSL decryption, you can skip the section ENABLE SSL FORWARD PROXY.
No I don't want to decrypt SSL
But are there any further requirements for an F5 with partitions?
What I'm trying to say is that I implemented the above configuration but am getting a connection error.
In my environment I'm trying to forward this kind of traffic to another transparent proxy.
So I configured the above configuration and attached a pool to the VS pointing to the transparent proxy.
Do I miss something here?
I'm getting the same error.
Did you manage to solve the issue?
On the browser I'm getting a connect error; in the PCAP file I see 503 Service Unavailable.
I'm using v13.1.1.5 on a Viprion 2250 divided into multiple partitions.
Hello,
Yeah I did find a solution.
Please do not forget to enable the Advanced view in the virtual server configuration mode!
First, create a new tunnel interface (this is in the VLAN menu of the BIG-IP):
Name: MyTunnelInterface (choose whatever you want)
Profile: tcp-forward
Then, you have to configure 2 virtual servers:
Important settings on this VS:
SNAT: Automap
HTTP Profile: http-explicit
Source: 0.0.0.0/0
Destination: 0.0.0.0/0
Service port: All ports
Enabled on: MyTunnelInterface (this is very important; use the name you have chosen earlier in this guide)
Protocol: TCP (this prevents any kind of performance penalty)
Profile: FastL4 with loose initiation and loose close enabled (I created a new profile from the existing default FastL4 profile)
SNAT: Automap mode
And voila, you should be good to go.
This is working on the following cluster:
2x BIG-IP with BEST bundle in HA Active/Passive mode
I hope this guide will somewhat help you.
Regards.
Hi Nicol4s,
I think I managed to solve the issue.
I put everything in the same partition and the same route domain,
then the internet works.
But the thing is that I need to change the next hop for this kind of traffic.
When I add a pool to both VSs, nothing works.
Do you have any idea how to change the next hop for both of these VSs?