Use F5 LTM as HTTP Proxy

Problem this snippet solves:

LTM product can be used as a HTTP Proxy for servers and PC.

This code explains minimum requirements to configure proxy feature without SWG module (configurations from Explicit Forward Proxy documentation without documentation ) and without explicit proxy iApp.

How to use this snippet:

All these commands must be run in bash shell.

Create HTTP PROXY VIRTUAL SERVER

Configure variables used in next commands

Variable HTTPBaseName is used to create :

Resolver object : RESOLVER_${HTTPBaseName}
HTTP profile : http_${HTTPBaseName}
virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

create DNS resolver with your DNS server (1.1.1.1 is for demo using cloudflare)

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

create HTTP profile type explicit, using DNS resolver.

The parameter default-connect-handling allow enables HTTPS connections without SSL inspection

tmsh create ltm profile http http_${HTTPBaseName} {  defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

create HTTP proxy Virtual server

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled}

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.
Note : Following configuration requires SSL, Forward Proxy License.

Configure variables used in next commands

Variable SSLBaseName is used to create :

certificate / key pair : ${SSLBaseName}
Client SSL profile : clientssl_${SSLBaseName}
Server SSL profile : serverssl_${SSLBaseName}
virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create self-signed certificate for CA purpose (not available in WebUI)

Self-signed certificates created in WebUI doesn't have CA capability required for SSL FORWARD PROXY.

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import certificates in TMOS

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key; 
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt;

After CA Certificate is imported, browse in WebUI, retrieve it and import it in client browsers trusted CA

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

create SSL FORWARD PROXY Virtual server

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with  { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note : These commands were tested in both 12.1 and 13.1 versions.

Code :

No Code

Updated Jun 06, 2023

Version 2.0

application delivery

bash

explicit forward proxy

LTM

openssl

TMOS

24 Comments

Kevin_Davies
MVP
May 07, 2018
Any minimum version required?
Stanislas_Piro2
Cumulonimbus
May 07, 2018
I tested it in version 13.1.

All this configuration will work in version 11.5 and above, but I'm not sure command syntax is still the same between these versions.
Ashish_205344
Nimbostratus
Jun 04, 2018
Hi Stanislas, Thanks for this info. It working for me as such, but with some latency. google taking 10 sec to load, any further suggestions..??
Stanislas_Piro2
Cumulonimbus
Jun 06, 2018
In my lab (10mbps lab license on a home lab esxi) with this configuration, google is as quick with LTM as proxy as without it, even if I enable SSL FORWARD PROXY.

the main goal of this share is to show how LTM standalone works as a proxy from basics to SSL inspection.

You can change tcp profile in the virtual server to :

version 13
f5-tcp-lan client side
f5-tcp-wan server side

earlier versions
tcp-lan-optimized client side
tcp-wan-optimized server side
s3nthil_183015
Nimbostratus
Aug 16, 2018
hi, the code appears to be missing,i am assuming you used http:proxy disable and provided a forward string to route direct? I tried using ltm policy but this requires the forward to have a node, pool or vserver - rather than routing the traffic direct to the external web. please share the code if this is still valid for version 13.x
Stanislas_Piro2
Cumulonimbus
Aug 16, 2018
This is not a code but a list of all tmsh commands to create a http proxy virtual server!

All commands are in this article and working in version 13.1!
s3nthil_183015
Nimbostratus
Aug 17, 2018
Thanks Stainslas. I will give it a go.
Manish_Vashish1
Nimbostratus
Aug 21, 2018
Do we need to add Pool members. It not working for me. Getting reset connection from F5.
Stanislas_Piro2
Cumulonimbus
Aug 21, 2018
These lines are the only commands I used!

No pool required!
Stanislas_Piro2
Cumulonimbus
Sep 04, 2018
@james, The SSL decrypt feature requires SSL FORWARD PROXY license as explained in description.