APM OCSP check via corporate proxy

Martin_Vlasko
Altocumulus

Hi,

 

I am checking the revocation status of client certificates in APM using OCSP Auth Agent.

 

I have a AAA Server -> OCSP Responder configured with .

 

I have a host entry and static route configured, our corporate L4 firewall facing the internet is allowing this connection towards OCSP IP address.

 

This works fine until the IP of the OCSP server suddenly changes. Then the OCSP check does not work anymore and I need to update the host entry, routing entry and firewall rule with the new destination IP address.

 

This is an ugly solution and I was thinking I can let APM contact the OCSP via the system proxy. Just the same way as, for example, I am using the system proxy to update ASM signatures with the system proxy.

 

In order to test it, I did the necessary config of the /sys db proxy.* values (as we are on 12.1.2). I am pretty sure the config is correct. I removed the host entry and routing entry. But I can see that the APM still tries to avoid the proxy and send the OCSP HTTP requests directly. And of course this is failing now as there is no host and route entry in place.

 

Why is the system proxy not being used by APM to route the OCSP requests out to the internet?

 

And how can I achieve this to work? Proxy is really my only option for a robust solution because our corporate firewalls are L4 only, and the OCSP IP address is changing quite frequently.

 

I saw this post from Kevin: https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026, from which I understood that it indeed is not possible to use system proxy for OCSP calls. But why is that? Isn't it strange to have a system proxy available but not being able to use it for such an obvious action?

 

And where could I find the iRule Kevin was referring to at the beginning of the article ("simple VIP and iRule that "proxifies" an outbound OCSP HTTP request")? I couldn't find this previous article he was referring to.

 

Thanks, Martin

 

2 REPLIES

Kevin_Stewart
F5 Employee

> But why is that? Isn't it strange to have a system proxy available but not being able to use it for such an obvious action?

 

System proxy is designed for the management plane, and OCSP requests exit the data plane.

 

> And where could I find the iRule Kevin was referring to at the beginning of the article

 

That statement was more of a generalization. But the concept is pretty straightforward as long as it's unencrypted HTTP explicit proxy traffic. The biggest difference between a non-proxy and proxy HTTP request is the URL. Example:

 

Non-Proxy:

GET /images/mycat.png HTTP/1.1

Proxy:

GET http://www.site.com/images/mycat.png HTTP/1.1

So all you really need to do is to get in front of the URL and change it to the proxy version, and point to an explicit proxy node or pool.

 

Kevin_Stewart
F5 Employee

Martin,

 

If you look at the previously-mentioned article (https://devcentral.f5.com/articles/ocsp-through-an-outbound-explicit-proxy-29026), you'll see that I've created TWO vips:

 

  • An internal VIP that points to the proxy server
  • An application VIP with an OCSP profile

The OCSP profile points to the internal VIP. So basically, OCSP requests flow through the internal VIP, and the iRules on that VIP rewrite the URL to an upstream explicit proxy.
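
Added example, not part of the replies above or the linked article: an iRule for the internal VIP that rewrites the request line into the proxy (absolute) form and forwards it to the explicit proxy, while refusing anything that is not an OCSP request for the one intended responder. The hostname `ocsp.example.com` and the pool name `explicit_proxy_pool` are placeholders, and it assumes a plain-HTTP responder, as the reply above requires.

```tcl
# Added example, not the iRule from the linked article.
# Placeholders (assumptions): responder hostname (lowercase) and pool name.
when RULE_INIT {
    set static::ocsp_host "ocsp.example.com"
}

when HTTP_REQUEST {
    # This VIP exists only for OCSP, so accept only what an OCSP client
    # sends: GET (request encoded in the path) or POST with the OCSP media
    # type. Anything else is dropped so the VIP cannot serve as a
    # general-purpose path to the corporate proxy.
    set method [HTTP::method]
    set ctype [string tolower [HTTP::header value "Content-Type"]]
    if { !($method eq "GET" || ($method eq "POST" && $ctype starts_with "application/ocsp-request")) } {
        log local0.warning "ocsp-proxify: rejected $method from [IP::client_addr]"
        reject
        return
    }

    set want "http://${static::ocsp_host}"
    set uri [HTTP::uri]
    if { [string tolower $uri] starts_with "http://" } {
        # Already absolute-form: allow it only for the intended responder.
        if { !([string tolower $uri] starts_with "$want/") } {
            log local0.warning "ocsp-proxify: unexpected target from [IP::client_addr]"
            reject
            return
        }
    } else {
        # Origin-form ("POST /path") becomes absolute-form
        # ("POST http://host/path"), which an explicit proxy expects.
        HTTP::uri "$want$uri"
    }

    # The client addressed this VIP, so the Host header may carry the VIP
    # name or address; set it to the real responder.
    HTTP::header replace "Host" $static::ocsp_host

    # Send the rewritten request to the explicit proxy.
    pool explicit_proxy_pool
}
```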