Forum Discussion

kazuma
Oct 19, 2022

How To Proxy / Tunnel External URLs Through F5

Hello,

I'm looking to essentially tunnel web requests for a select few external URLs through an F5, and I'm having trouble getting it working.

I've created a FQDN node, for an external domain which I do not own, let's say external.com.  This node auto-populates its configuration with external IPs returned from a DNS query of external.com.

I then attached that FQDN node to a new pool, then created a new virtual server with the pool attached.

I then created an internal DNS record to point to the new VIP of the virtual server.  Let's say that record is internal.com.

I then created an iRule, upon HTTP_REQUEST, to re-write the Host header from internal.com to external.com.  I also created an iRule upon HTTP_RESPONSE, to re-write the Location header from external.com back to internal.com.

When I try to connect to internal.com (the VS VIP), the connection is refused, and never gets forwarded to the FQDN node members (external.com).

Am I missing something in this config?   It seems like it should be pretty straightforward to tunnel / proxy connections for a specific external domain through an F5, and have that external domain see the source IP of the request as the BIG-IP, but it seems to be a bit more difficult than anticipated.
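
The two header rewrites described in this post could look like the following iRule. This is an added example, not the poster's actual rule: internal.com and external.com are the thread's placeholder names, and rejecting requests for any other Host value is an assumption of the example.

```tcl
# Added example, not the poster's iRule. Hostnames are the thread's placeholders.
when RULE_INIT {
    set static::int_host "internal.com"
    set static::ext_host "external.com"
}

when HTTP_REQUEST {
    # Compare on the bare hostname: lower-case it and drop any ":port" suffix.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $req_host eq $static::int_host } {
        # The pool member expects its own name in the Host header.
        HTTP::header replace Host $static::ext_host
    } else {
        # Assumption: this virtual server should only serve the one internal name.
        log local0. "Unexpected Host '$req_host' from [IP::client_addr]"
        reject
    }
}

when HTTP_RESPONSE {
    # Map redirects that point at the external name back to the internal one,
    # so the client keeps talking to the virtual server.
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        set new_loc [string map -nocase \
            [list "//$static::ext_host" "//$static::int_host"] $loc]
        if { $new_loc ne $loc } {
            HTTP::header replace Location $new_loc
        }
    }
}
```

Only the Host and Location headers are touched here; absolute links to external.com inside response bodies or cookies scoped to that domain would still reference the external name.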

6 Replies

  • Is there TLS involved here? Is the internal VIP supposed to be encrypted and have a client SSL profile? Is the external site encrypted?

    • kazuma

      Hi Kevin,

      Yes, the external site is encrypted, as well as the connection to the internal VIP. 

      I have a certificate associated with the client SSL profile which matches the internal.com DNS name pointing to the VIP, as well as the server SSL profile set to use serverssl, which I think just leverages the external.com server's certificate when brokering the connection?

      Thanks!

      • Kevin_Stewart

        Try taking off the client and server SSL profiles. A browser will throw an error because of the cert mismatch, so you'll probably want to test with Curl. If you can get to the site this way, then there's likely an issue in the server side SSL handshake.

        If you still can't get to the site, check that traffic is leaving the BIG-IP to the intended destination. You can also try to Curl directly from the BIG-IP to see if the box can even get there.

  • hello

    You configure a virtual server to process web traffic coming in on the HTTP tunnel from the explicit forward-proxy virtual server.
