Use F5 LTM as HTTP Proxy

Problem this snippet solves:

LTM product can be used as a HTTP Proxy for servers and PC.

This code explains minimum requirements to configure proxy feature without SWG module (configurations from Explicit Forward Proxy documentation without documentation ) and without explicit proxy iApp.

How to use this snippet:

All these commands must be run in bash shell.

Create HTTP PROXY VIRTUAL SERVER

Configure variables used in next commands

Variable HTTPBaseName is used to create :

Resolver object : RESOLVER_${HTTPBaseName}
HTTP profile : http_${HTTPBaseName}
virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"
VS_IP="192.168.2.80"
VS_PORT="8080"

create DNS resolver with your DNS server (1.1.1.1 is for demo using cloudflare)

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

create HTTP profile type explicit, using DNS resolver.

The parameter default-connect-handling allow enables HTTPS connections without SSL inspection

tmsh create ltm profile http http_${HTTPBaseName} {  defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

create HTTP proxy Virtual server

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled}

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.
Note : Following configuration requires SSL, Forward Proxy License.

Configure variables used in next commands

Variable SSLBaseName is used to create :

certificate / key pair : ${SSLBaseName}
Client SSL profile : clientssl_${SSLBaseName}
Server SSL profile : serverssl_${SSLBaseName}
virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"
dirname="/var/tmp"
CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create self-signed certificate for CA purpose (not available in WebUI)

Self-signed certificates created in WebUI doesn't have CA capability required for SSL FORWARD PROXY.

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094
openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import certificates in TMOS

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key; 
tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt;

After CA Certificate is imported, browse in WebUI, retrieve it and import it in client browsers trusted CA

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }
tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

create SSL FORWARD PROXY Virtual server

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with  { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note : These commands were tested in both 12.1 and 13.1 versions.

Code :

No Code

Updated Jun 06, 2023

Version 2.0

application delivery

bash

explicit forward proxy

LTM

openssl

TMOS

24 Comments

Nicol4s
Nimbostratus
Nov 20, 2019
Hello,
Yeah I did find a solution.

Please do not forget to enable the Advanced view in the Virtual Server configuration mode !

First, create a new Tunnel interface ( this is in the VLAN menu of the BIG-IP ) :
Name : MyTunnelInterface ( choose whatever you want )
Profile : tcp-forward

Then, you have to configure 2 virtual servers :
One VS (type Standard) is listening on TCP/8080 and ENABLED ON THE INTERFACE WHERE CLIENTS ARE COMING FROM
Important settings on this VS :
SNAT : Automap
HTTP Profile : http-explicit

Another VS is of type "Forwarding IP" and has the following config :
Source : 0.0.0.0/0
Destination : 0.0.0.0/0
Service port : All ports
Enabled on : MyTunnelInterface ( This is very important, use the name you have chosen earlier in this guide )
Protocol : TCP ( This prevents any kind of performance penalty )
Profile : FastL4 with loose initiation and loose close enabled ( I created a new profile from the existing default FastL4 profile )
SNAT : Automap mode

And voila, you should be good to go.

This is working on the following cluster :
2x BIG IP w/ BEST bundle in HA Active / Passive mode

I hope this guide will somewhat help you.

Regards.
Abed_AL-R
Cirrostratus
Nov 20, 2019
Hi Nicol4s
Thanks for information sharing
Well, still, also this solution is not working
I think there is some other configuration should be done when working with partitions ...
Abed_AL-R
Cirrostratus
Nov 21, 2019
Hi Nicol4s
I think I managed to solve the issue
I put everything in the same partition and the same route domain
then internet works
but the thing is that I need to change the next hop for this kind of traffic
when I add pool to both VS , nothing works ..
Do you have any idea on how to change the next hop for those both VS's ?
Mick
Altocumulus
Feb 08, 2022
Hi
I know this is an old thread, but I followed the implementation as suggested and it works fine for HTTP traffic but if i try ICMP or SMTP it fails. Any suggestions?