Forum Discussion

Martin_Vlasko
Aug 16, 2018

APM OCSP check via corporate proxy

Hi,

I am checking the revocation status of client certificates in APM using the OCSP Auth Agent.

I have an AAA Server -> OCSP Responder configured with .

I have a host entry and a static route configured, and our corporate L4 firewall facing the internet allows this connection towards the OCSP IP address.

This works fine until the IP of the OCSP server suddenly changes. Then the OCSP check does not work anymore and I need to update the host entry, routing entry and firewall rule with the new destination IP address.

This is an ugly solution, and I was thinking I could let APM contact the OCSP responder via the system proxy, the same way as, for example, I use the system proxy to update ASM signatures.

In order to test it, I did the necessary config of the /sys db proxy.* values (as we are on 12.1.2). I am pretty sure the config is correct. I removed the host entry and routing entry. But I can see that APM still avoids the proxy and sends the OCSP HTTP requests directly. And of course this is failing now, as there is no host and route entry in place.

 

Why is the system proxy not being used by APM to route the OCSP requests out to the internet?

And how can I get this to work? The proxy is really my only option for a robust solution, because our corporate firewalls are L4 only and the OCSP IP address changes quite frequently.

I saw this post from Kevin: https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026, from which I understood that it is indeed not possible to use the system proxy for OCSP calls. But why is that? Isn't it strange to have a system proxy available but not be able to use it for such an obvious action?

And where could I find the iRule Kevin was referring to at the beginning of the article ("simple VIP and iRule that "proxifies" an outbound OCSP HTTP request")? I couldn't find the previous article he was referring to.

Thanks, Martin


2 Replies

  • But why is that? Isn't it strange to have a system proxy available but not being able to use it for such obvious action?

    System proxy is designed for the management plane, and OCSP requests exit the data plane.

    And where could I find the iRule Kevin was referring to at the beginning of the article

    That statement was more of a generalization. But the concept is pretty straightforward as long as it's unencrypted HTTP explicit proxy traffic. The biggest difference between a non-proxy and a proxy HTTP request is the URL. Example:

    Non-Proxy:

    GET /images/mycat.png HTTP/1.1

    Proxy:

    GET http://www.site.com/images/mycat.png HTTP/1.1


    So all you really need to do is to get in front of the URL and change it to the proxy version, and point to an explicit proxy node or pool.
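The rewrite described in the reply above, as an added example iRule (this is not code from the thread, from Kevin's article, or from F5). It assumes the APM OCSP Responder URL is pointed at a local HTTP virtual server (http profile attached) that carries this iRule, that `ocsp.example.com` stands in for the real responder host taken from the certificate's AIA, and that `explicit_proxy_pool` is a pool whose members are the corporate explicit proxy. The proxy then resolves the responder name itself, so the BIG-IP needs no host entry, static route or per-IP firewall rule for the responder.

```tcl
# Added example iRule (not from the original thread or from F5).
# Turns an origin-form OCSP request ("GET /MFEw...") into the absolute-form
# request an explicit HTTP proxy expects ("GET http://ocsp.example.com/MFEw...")
# and forwards it to the proxy pool.
# Assumptions: "ocsp.example.com" is a placeholder for the real responder host,
# "explicit_proxy_pool" is an assumed pool name for the corporate proxy.
when HTTP_REQUEST {
    set ocsp_host "ocsp.example.com"

    # OCSP clients use GET (base64 request in the path) or POST (DER body);
    # anything else is not an OCSP request and is rejected here.
    if { [HTTP::method] ne "GET" && [HTTP::method] ne "POST" } {
        HTTP::respond 405 content "method not allowed"
        return
    }

    # Only rewrite origin-form targets (leading "/"). A target that already
    # starts with "http://" is left alone, so the rule is safe to apply twice.
    if { [string index [HTTP::uri] 0] eq "/" } {
        HTTP::uri "http://${ocsp_host}[HTTP::uri]"
    }

    # APM will have sent a Host header naming this virtual server; the proxy
    # must see the real responder host instead.
    HTTP::header replace Host $ocsp_host

    # Uncomment if the proxy requires authentication (assumed credentials):
    # HTTP::header insert Proxy-Authorization "Basic [b64encode "user:pass"]"

    # Hand the proxy-form request to the explicit proxy pool.
    pool explicit_proxy_pool
}

when HTTP_RESPONSE {
    # Visibility while testing: a 403 here usually means a proxy ACL blocked
    # the responder, a 502/504 that the proxy could not reach it.
    if { [HTTP::status] != 200 } {
        log local0. "OCSP via proxy: HTTP [HTTP::status] from proxy for client [IP::client_addr]"
    }
}
```

Two caveats worth checking before relying on this: the rule only works for plain HTTP, which is what OCSP uses anyway (the response is signed by the responder, so the transport is not what protects it), and if certificates from several CAs carry different AIA responder hosts you would need one virtual server per responder (or a lookup keyed on the virtual server) rather than the single hardcoded `ocsp_host` shown here.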