forward proxy
19 Topics

HTTP Explicit Proxy - V11.5+
Problem this snippet solves: This iApp configures an Explicit Proxy using the new "Explicit" Proxy Mode that was introduced into the HTTP Profile in BIG-IP 11.5. You only need LTM or APM provisioned. It creates all configuration components required, including:
  DNS Resolvers
  TCP Tunnel
  HTTP Profile (Explicit)
  Default Connect Handling set to Allow
  SNAT Pools (Optional)
  SNAT Default is Automap
If you require the Explicit Proxy to listen on more than 1 port, e.g. 3128 and 8080, simply create another Application Service. Contributed by: Brett Smith How to use this snippet:

How to keep the internal URL in browser address bar and point to external website
Is there a way to keep the internal web address all the time and point it to a public URL? Let's say I have an internal web address called honest2.company.com, which has the address 10.10.2.35, and I have a public website hosted on Azure, let's say abc123pqr456xyz789.azurewebsites.net, and I create a VIP honest2_company_http for 10.10.2.35. Now, when anyone from my company accesses http://honest2.company.com, the URL should always remain http://honest2.company.com for users, but it will display the content of abc123pqr456xyz789.azurewebsites.net. Is it possible via an iRule, forward or reverse proxy, or any other way? Please give me some pointers or clues.

Forward proxy with SSL passthrough - SWG license required?
Hi, At one site with a single v15 VE I need to proxy outbound traffic, but without SSL inspection. Most docs relating to SSL passthrough assume that targets are internal and pooled, but this is not my scenario: internal clients must connect to numerous (but specified) external URLs outside my control, and whose IPs are constantly changing. This similar query states it was solved via an iApp but does not specify which one, or give much detail on the final config. Regarding the license aspect, other proxy-related posts refer to the need for an SWG license (which I don't have) - would I need this? The documentation for this use case is unclear; any comments/tips gratefully received! Cheers, auto

Squid forward caching proxy server conflicting with Load Balancer; images, JS, CSS not rendering in application
Have an interesting one here that I hope others can help unravel. A user tells me that the website application, which sits behind an F5 LB, is not rendering properly, e.g. it is missing images, stylesheets, JavaScript files, and the like. And it's not just this user: a colleague at his workplace has the same issue, and seemingly others in the company can also reproduce this issue. I will say that this client (as in the company) is the only one who has reported such an issue. No other companies who use the application are reporting pages not rendering content properly. He had tried testing with a work laptop, work phone, personal phone, over the company network, cellular network, and home network, and using multiple browsers. It was consistent across multiple browsers. I asked him to clear cache and cookies and that did not help. Here are the results of his testing:
  Work laptop on home network: Pass.
  Work laptop on company network: Fail.
  Work laptop at their customer's location (possibly connected to customer's network): Fail.
  Work phone on company network: Fail.
  Work phone on cellular network (Verizon)*: Fail.
  Personal phone on cellular network (AT&T)*: Pass.
  Work colleague of user, laptop connected to said colleague's phone configured as hotspot (Sprint) (not sure if devices are work or personal)**:
**This was conducted while on company premises.
It didn't seem to matter what browser was employed. I didn't get a report that it worked in one browser but not another, for instance. To make a long story short, I asked him to send me a Fiddler log, and the logs showed something that I cannot reproduce on my end. The Fiddler log shows the page loaded with HTTP 200, but the content on the page (i.e. JavaScript files, stylesheets, images) shows HTTP 304. In the response headers, under Transport, for all requests, I see Connection: close and Via: 1.1 {unique ID} (squid/3.5.23) (The unique ID is some kind of specific value. It might be sensitive information, so I decided to not include it in this post). For , the response header Cache shows:
  X-Cache: MISS from {unique ID}
  X-Cache-Lookup: HIT from {unique ID}:{Port number}
For , the response header Cache shows:
  X-Cache: HIT from {unique ID}
  X-Cache-Lookup: HIT from {unique ID}:{Port number}
I don't recall seeing anything like this before. It looks to be Squid, a caching and forward proxy server, that is sitting in front of the client and making requests to the LB. Since this company is the only one who has reported this issue and I cannot reproduce it on my end, it's probably safe to say that either this company is running Squid, their ISP is running Squid, or even both. I pressed the user to inquire with the company's IT whether they are running any proxies, and the answer was no. It's certainly possible the company's IT could be mistaken. Today, the user says that he came into his office and everything is working now. He tried Firefox, IE, wireless network, cellular network, and does not understand why it's working. The likely possibilities I can think of as to what and why are:
  Squid cache was flushed, which means this problem may return in the future.
  Squid was not configured properly by the company's IT/ISP and now it is, thus resolving the issue.
  Squid was taken offline and the client is connecting directly to the LB now.
What I am very concerned about is what happens if the company reports the same issue, or maybe another company who is running Squid or some other forward caching/proxy server reports the same issue? I really don't know if this is something where I have to tell the user that this is not our problem, this is your IT infrastructure's and/or your local ISP's problem. In other words, whether the Squid server is configured properly or not, is this something where the LB needs to be configured such that it works around the problem? Does that make sense? If there is a configuration change that I need to enact on the LB, what are these changes and what are the step-by-step instructions? I'm sorry for the long-winded explanation, but I'm trying to be detailed and thorough with this. Thank you very much.

Load balance squid forward proxy with SNAT
Hi All, Obligatory first post thank you to everyone on DevCentral. This is by far the best vendor help site... thanks to Joe Pruitt it's also a wicked PowerShell wiki ;) Is anyone load balancing Squid in the following way, and have you ever run into issues with the HTTPS CONNECT method through a "standard" F5 VIP with an HTTP profile enabled? I've read of issues for pre-10.x software but haven't seen any problems thus far. Retaining the ability to apply iRules is ideal. Load balanced pool of Squid servers running in non-transparent mode, behind a VIP using SNAT. To ensure our Squid ACLs still work behind SNAT, the following needs to be added to squid.conf:
  acl bigip_stage src 10.26.6.1
  follow_x_forwarded_for allow bigip_stage
Squid by default follows the indirect IP instead of the real IP (if follow_x_forwarded_for is allowed for the client address). The iRule adds XFF, or overwrites it if already present. No persistence configured. BIG-IP Version: 11.4. Thanks for the assistance.

SSL forward proxy integration with FireEye to inspect HTTPS
We are trying to integrate F5 with FireEye to be able to inspect HTTPS traffic with the FireEye NX solution. We started off by creating a simple SSL forward proxy setup to verify the SSL proxy functionality as follows. We used the iApp f5.airgap_egress.v1.0.0rc4 and modified some details; for example, we created a separate virtual server for 443 for testing purposes.
Considerations
  Some applications do not work when SSL interception is enabled, like Skype. It is necessary to have a full list of host names and IP destinations of traffic that cannot be decrypted and has to be excluded.
  SSL forward proxy only works if the clients' default gateway is a self IP of the F5. If an external gateway is used, all traffic is not being intercepted or matched by the virtual servers.
  SNAT has to be enabled, otherwise connections are not being established. The downside is that FireEye is unable to see the original source IP address. Perhaps the HTTP header X-Forwarded-For will solve this.
SSL forward proxy with route domains
Lab setup
After setting up the basic SSL forward proxy we continued by creating two route domains. Created two routes, one from route domain 0 to route domain 1 and one from route domain 1 to the external router. For your information, we used only 1 BIG-IP device.
Considerations
All traffic works fine (UDP, HTTP), but HTTPS always results in an SSL error message, because there are two SSL client sessions. To be able to decrypt the traffic and forward it unencrypted from route domain 0 to route domain 1, we have to disable SSL on the server side on the virtual server wildcard 443 in route domain 0, and we have to disable client-side SSL on the SSL wildcard virtual server located in route domain 1 so it will accept connections unencrypted. The following iRule is being used to simply disable SSL traffic on the server side communicating towards route domain 1. On the SSL wildcard virtual server in route domain 1 we disable the Client SSL profile and enable Server SSL to re-encrypt the connection. Now when we try to open an SSL website like gmail.com we receive the following error. It happens with every SSL website w In Wireshark we observe that the handshake is failing to the Gmail website, but the client proxy SSL connection is successfully set up with TLS 1.2. The TLS session towards Google is TLSv1, so perhaps that's the problem here. Does anyone have some recommendations on why this is happening?

Add banner to HTML Pages with no control over HTTP code
I'm quite new to iRules, but I have a requirement to have the F5 add a banner message at the top of certain webpages. We aren't able to modify the source HTML of the pages, though. Is this possible with either iRules or content profiles? A bit more background: The F5 is acting as a forward proxy for Internet access. Our management have requested that we add a warning message to certain websites, but not block them entirely. Thanks in advance.

Forwarding Virtual Servers, SNAT Pools, and Port Collisions
So, I have a Forwarding (IP) Virtual Server set up with its own SNAT pool and Source Port set to Change. The SNAT pool currently has four IPs assigned to it. The Virtual Server has a custom FastL4 Profile assigned with a 30 second TCP Close Timeout and Loose Close enabled. This forwarding server is used to hit a single external IP with which we do a rather large number of transactions, in the area of 500 connections per second at peak usage. We are running into an issue with session collisions on a small number of these connections, where the remote host has not released the four-tuple for reuse when we attempt to reuse it. This causes the connection attempts to time out. This is occurring any time we attempt to reuse a given four-tuple in less than 16 seconds; any attempts that wait at least 16 seconds succeed. With the 4 IPs and 500 connections per second we should be able to go for 524.28 seconds (65535 ports/IP * 4 IPs / 500 ports/second) before needing to reuse ports. Based on my understanding of the TCP Close Timeout, this should force any connections to wait 16 seconds before attempting to reuse a given four-tuple after the connection is successfully closed; however, this does not appear to be happening. Looking at packet captures I see the same four-tuples being reused in as little as 1.6 seconds. Does anyone know of a way of forcing an LTM to wait for a given time period before allowing that four-tuple to be reused for connections flowing through a Forwarding (IP) Virtual Server? I've put in a ticket with F5 support, but haven't been able to get anywhere following that route. Anyone on DevCentral have any tips?

F5 LTM AS A FORWARD PROXY/TMG REPLACEMENT FOR HTTP/HTTPS FOR MOBILE USERS
How can the F5 be used as a Forward Proxy for mobile users to the internet? My initial setup included the mobile users sending requests to the F5, which sends requests to Traffic Servers, and the Traffic Servers have another leg which sends requests to the internet. The Traffic Servers, however, are capping (capacity), and so there is a requirement for the F5 to be used as a FORWARD PROXY for mobile users. Kindly list the steps to follow, e.g. 1, create a standard virtual server; 2, use the iRule HTTP Forward Proxy - v3.2; etc. Thanks

LTM ip forwarding for outbound traffic over two gateways
Hi, I configured an LTM in my lab as a forward proxy for outbound traffic. The VS uses a gateway pool which contains two gateways (Linux based, in IP forwarding mode). This pool is also the default gateway for the BIG-IP itself. I configured "action on service down" on the pool and set it to "reselect". The problem is, when I open a wget session on a client that uses the VS for downloading an ISO file from the internet, the session is just ready as long as the specific gateway pool member is available. If the specific pool member goes down for some reason, the session will be broken. How is it possible to configure the LTM in load balance per packet mode? Thank you, bb