Use F5 LTM as HTTP Proxy
Problem this snippet solves:
The LTM product can be used as an HTTP proxy for servers and PCs.
This snippet explains the minimum requirements to configure the proxy feature without the SWG module (configuration taken from the Explicit Forward Proxy documentation) and without the explicit proxy iApp.
How to use this snippet:
All these commands must be run in the bash shell.
Create HTTP PROXY VIRTUAL SERVER
Configure the variables used in the next commands.
The variable HTTPBaseName is used to create:
- Resolver object : RESOLVER_${HTTPBaseName}
- HTTP profile : http_${HTTPBaseName}
- virtual server : VS_${HTTPBaseName}
HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"
Create a DNS resolver pointing at your DNS server (1.1.1.1, Cloudflare's public resolver, is used for the demo).
tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }
Create an HTTP profile of type explicit that uses the DNS resolver.
The parameter default-connect-handling allow lets HTTPS CONNECT requests through without SSL inspection.
tmsh create ltm profile http http_${HTTPBaseName} { defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }
Create the HTTP proxy virtual server.
tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }
ENABLE SSL FORWARD PROXY
This section is not required to forward HTTPS requests; it is only needed to enable SSL inspection of HTTPS requests.
Note: the following configuration requires the SSL Forward Proxy license.
Configure the variables used in the next commands.
The variable SSLBaseName is used to create:
- certificate / key pair : ${SSLBaseName}
- Client SSL profile : clientssl_${SSLBaseName}
- Server SSL profile : serverssl_${SSLBaseName}
- virtual server : VS_${SSLBaseName}
SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"
Create a self-signed certificate for CA purposes (not available in the WebUI).
Self-signed certificates created in the WebUI don't have the CA capability required for SSL FORWARD PROXY.
openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"
Import the key and certificate into TMOS.
tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt
After the CA certificate is imported, download it from the WebUI and import it into the trusted CA store of the client browsers.
Create SSL profiles for SSL FORWARD PROXY
tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }
Create the SSL FORWARD PROXY virtual server.
tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }
Change HTTP EXPLICIT PROXY Default Connect Handling to Deny
tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }
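As an added example (not part of the original article), a small bash script to check the two parts above from a client machine: whether the CA certificate generated with openssl really carries the CA capability the SSL forward proxy needs (the reason WebUI self-signed certificates do not work), and whether the explicit proxy virtual server answers plain HTTP and HTTPS CONNECT requests. The proxy address 192.168.2.80:8080 is the article's demo value; curl and openssl on the client are assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: client-side checks for the
# explicit HTTP proxy and the SSL forward proxy CA configured above.
# Assumes curl and openssl on the client; 192.168.2.80:8080 is the demo value.

# Return 0 when the certificate carries basicConstraints CA:TRUE, i.e. it can
# sign the per-site certificates the SSL forward proxy generates on the fly.
# A self-signed certificate made in the WebUI lacks this and will not work.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# One-line verdict on a CA candidate: subject plus whether it is usable.
describe_ca() {
    local subj
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || subj="unreadable"
    if cert_is_ca "$1"; then
        echo "OK  ${subj} (CA:TRUE)"
    else
        echo "BAD ${subj} (no CA capability, not usable as proxy-ca-cert)"
    fi
}

# Fetch a URL through the explicit proxy and print the HTTP status code.
# http:// URLs are sent as proxied GETs; https:// URLs make curl issue a
# CONNECT, which the proxy tunnels untouched (default-connect-handling allow)
# or refuses (deny) unless the SSL forward proxy virtual server handles it.
# Prints 000 when the proxy resets or refuses the request. When SSL
# inspection is on, pass the proxy CA file as the optional third argument.
proxy_check() {
    local proxy="$1" url="$2" cacert="${3:-}"
    curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 \
        ${cacert:+--cacert "$cacert"} -x "http://${proxy}" "$url"
}

# Manual usage from a client (needs network, so not exercised offline):
#   describe_ca /var/tmp/SSL_FORWARD_PROXY.crt
#   proxy_check 192.168.2.80:8080 http://example.com/
#   proxy_check 192.168.2.80:8080 https://example.com/ /var/tmp/SSL_FORWARD_PROXY.crt
```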
Note: these commands were tested in both versions 12.1 and 13.1.
Code :
No Code
Any minimum version required?
- Stanislas_Piro2 (Cumulonimbus)
I tested it in version 13.1.
All this configuration will work in version 11.5 and above, but I'm not sure the command syntax is still the same between these versions.
- Ashish_205344 (Nimbostratus)
Hi Stanislas, thanks for this info. It's working for me as such, but with some latency. Google is taking 10 sec to load; any further suggestions?
- Stanislas_Piro2 (Cumulonimbus)
In my lab (10 Mbps lab license on a home lab ESXi) with this configuration, Google is as quick with LTM as proxy as without it, even if I enable SSL FORWARD PROXY.
The main goal of this share is to show how LTM standalone works as a proxy, from the basics to SSL inspection.
You can change the tcp profile in the virtual server to:
- version 13:
  - f5-tcp-lan client side
  - f5-tcp-wan server side
- earlier versions:
  - tcp-lan-optimized client side
  - tcp-wan-optimized server side
- s3nthil_183015 (Nimbostratus)
Hi, the code appears to be missing. I am assuming you used http:proxy disable and provided a forward string to route direct? I tried using an ltm policy but this requires the forward to have a node, pool or vserver - rather than routing the traffic direct to the external web. Please share the code if this is still valid for version 13.x.
- Stanislas_Piro2 (Cumulonimbus)
This is not code but a list of all the tmsh commands to create an HTTP proxy virtual server!
All commands are in this article and working in version 13.1!
- s3nthil_183015 (Nimbostratus)
Thanks Stanislas. I will give it a go.
- Manish_Vashish1 (Nimbostratus)
Do we need to add pool members? It's not working for me. I'm getting a reset connection from F5.
- Stanislas_Piro2 (Cumulonimbus)
These lines are the only commands I used!
No pool required!
- Stanislas_Piro2 (Cumulonimbus)
@james, The SSL decrypt feature requires SSL FORWARD PROXY license as explained in description.