iRule for web proxy for only 2 address in internet

SCRN
Altostratus

Hello, I created the proxy following this manual:
https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-pr...

After that I want to create a custom iRule or another solution for the following task:

source address - 5 servers in dmz zone
destination address to inet only 2 addresses: 
https://login.microsoftonline.com
https://graph.microsoft.com

First of all, do I need to create a data group list with these URLs as strings and attach it to the iRule, or should all the information be only in the iRule?

Please, can somebody share a manual or an example for that solution?


Kai_Wilke
MVP

Hi SCRN, 

If the Explicit Forward Proxy is already working for you, you could simply attach an iRule to the Virtual Server to filter your client IPs and destination URLs.


when CLIENT_ACCEPTED {
	if { [class match -- [IP::client_addr] equals HTTP_PROXY_CLIENTS] == 1 } then {
		# Allow trusted clients...
		log local0.debug "Trusted Client = [IP::client_addr]"
	} else {
		# Drop untrusted clients...
		log local0.debug "Untrusted Client = [IP::client_addr]"
		drop
	}
}
when HTTP_PROXY_REQUEST {
	if { [class match -- [HTTP::host] equals HTTP_PROXY_ALLOW_LIST] == 1 } then {
		# Allow known URLs...
		log local0.debug "Allowed URL = [HTTP::host]"
	} else {
		# Reject unknown URLs...
		log local0.debug "Denied URL = [HTTP::host]"
		HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
		drop
	}
}


Note: Remove or adjust the Log lines as needed...

The iRule uses two Datagroups to specify the allowed Client-IPs and allowed destination IPs. 

[Screenshot: HTTP_PROXY_CLIENTS data group]

Note: You can enter individual Client IPs or Subnets as CIDR notation.

[Screenshot: HTTP_PROXY_ALLOW_LIST data group]

Note: You may enter www.domain.de:443 for SSL sites and/or www.domain.de for HTTP sites. 

Cheers, Kai


iRule can do… 😉
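The following is an added example, not code from this thread or from F5: a small offline model of the two decisions the iRule above makes, so the contents of the two data groups can be sanity-checked before they are loaded on the BIG-IP. It keeps the data group names from the iRule (HTTP_PROXY_CLIENTS, HTTP_PROXY_ALLOW_LIST); the sample entries and requests are constructed. It also makes Kai's note concrete: an address data group matches the client against hosts or CIDR subnets, while a string data group matches HTTP::host exactly, so an HTTPS site reached through the explicit proxy (a CONNECT request carrying host:443) needs the host:443 form in the allow list and a bare host name will not match it.

```python
"""Offline model of the explicit-proxy allow-list policy from the iRule above.

Added example, not from the thread or from F5. Data group names are the ones
the iRule uses; sample entries and requests below are constructed.
"""
import ipaddress

# Address data group (constructed sample): single hosts or CIDR subnets.
HTTP_PROXY_CLIENTS = [
    "192.0.2.10",       # one DMZ server
    "192.0.2.32/28",    # a small DMZ subnet, 192.0.2.32 - 192.0.2.47
]

# String data group (constructed sample): the HTTP::host values the proxy may serve.
# HTTPS arrives at an explicit proxy as "CONNECT host:443", so the port form is
# required; plain-HTTP requests would carry the bare host name instead.
HTTP_PROXY_ALLOW_LIST = [
    "login.microsoftonline.com:443",
    "graph.microsoft.com:443",
]


def client_allowed(client_ip: str, clients=HTTP_PROXY_CLIENTS) -> bool:
    """CLIENT_ACCEPTED check: address data group 'equals' semantics, i.e. the
    client address lies inside one of the listed hosts or subnets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in clients)


def host_allowed(http_host: str, allow_list=HTTP_PROXY_ALLOW_LIST) -> bool:
    """HTTP_PROXY_REQUEST check: string data group 'equals' semantics on
    HTTP::host, an exact comparison that includes any :port suffix, which is
    why 'host' and 'host:443' are separate entries."""
    return http_host in allow_list


def proxy_decision(client_ip: str, http_host: str) -> str:
    """Apply both checks in the order the iRule applies them."""
    if not client_allowed(client_ip):
        return "drop (untrusted client)"
    if not host_allowed(http_host):
        return "403 (denied URL)"
    return "allow"


if __name__ == "__main__":
    # Constructed requests: (client address, HTTP::host as the proxy sees it)
    samples = [
        ("192.0.2.10", "login.microsoftonline.com:443"),    # allow
        ("192.0.2.40", "graph.microsoft.com:443"),          # allow, via the subnet entry
        ("192.0.2.10", "graph.microsoft.com"),              # 403: bare host is not listed
        ("192.0.2.10", "example.com:443"),                  # 403
        ("198.51.100.7", "login.microsoftonline.com:443"),  # drop: not a DMZ client
    ]
    for ip, host in samples:
        print(f"{ip:>14} -> {host:<32} {proxy_decision(ip, host)}")
```

Run it as a script to see the verdict for each constructed request; to check a real data group, paste its entries into the two lists and add the client/host pairs you expect to pass and fail.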

SCRN
Altostratus

THX A LOT!!!

SCRN
Altostratus

Second question: do I need to attach this iRule to the wildcard VIP too, or only to the proxy VIP?

Hi SCRN,

The wildcard VIP and the HTTP Tunnel are both not needed to run an Explicit HTTP Proxy. Don't know why the author included them.

You may check a guide published by @Stanislas_Piro2 as alternative. You just need a VS, a custom HTTP Profile and a DNS resolver. Nothing more... Then attach the provided iRule to the VS hosting the Explicit Proxy.

Use F5 LTM as HTTP Proxy - DevCentral (Only apply the steps from "Create HTTP Proxy Virtual Server")

Cheers, Kai



iRule can do… 😉