Forum Discussion

hui_37443
Jun 24, 2009

Proxy OCSP request

Our BIG-IP LTM dev/test device is sitting behind the company's firewall. In order to make an OCSP request to our CA, which is an Internet site, I have to configure it to go through the proxy. So far I can't find any manual chapter on how to do it.

How am I supposed to proceed?

7 Replies

  • You can configure a virtual server to pass the traffic through LTM. You could configure the virtual server to be very specific (only the IP and port of the OCSP server) or very generic (any IP and any port). You would probably want to enable the virtual server only on the VLAN that the "client" is coming in on. If you have a single gateway, you can use a forwarding IP virtual server with no pool. LTM will use the routing table to select a destination gateway. Or if you have multiple gateways, you can configure a pool of the gateways and then use a Performance L4 virtual server.

    You can check the LTM configuration guide for your version on AskF5 for details.

    Aaron
  • I know this thread is old but I'm attempting to do this exact thing and can't seem to get it working.

    Here's my anonymized info:

    proxy server: 10.0.0.1:80
    ocsp server: 75.0.0.1:80

    I have created a VIP matching the OCSP responder IP address which forwards all traffic to a pool containing the proxy server as a member.

    I have confirmed a valid response from the OCSP responder when I use openssl with both the host and path options:

    openssl ocsp -CAfile ./CA.pem -issuer ./Issuer.pem -host 10.0.0.1:80 -path http://ocspserver/ocsp -cert CertToCheck

    However I can't confirm with openssl and just the path:

    openssl ocsp -CAfile ./CA.pem -issuer ./Issuer.pem -url http://ocspserver/ocsp -cert CertToCheck

    Can I configure the authentication profile to use the path and host flags and go that route? If not, where am I going wrong with the VIP/Pool combo?

    Sheigh
  • Doesn't look like it. Perhaps you can describe your issue in detail and we'll get this one solved!
  • Looks like the solution is here:

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2156805/showtab/groupforums/Default.aspx

    and here:

    https://devcentral.f5.com/wiki/iRules.Virtual_to_enable_proxy-unaware_applications_to_make_outbound_TCP_connections_via_a_HTTP_CONNECT_method.ashx
  • My understanding is that iRule

    Virtual_to_enable_proxy-unaware_applications_to_make_outbound_TCP_connections_via_a_HTTP_CONNECT_METHOD

    ( https://devcentral.f5.com/wiki/iRules.Virtual_to_enable_proxy-unaware_applications_to_make_outbound_TCP_connections_via_a_HTTP_CONNECT_method.ashx )

    will initiate a TLS tunnel through the proxy to an SSL-enabled web server.

    Are there any similar methods that may be used when the target web server is non-SSL, HTTP only?

    Use Case
    -----------

    Certificate authentication where the OCSP server can only be accessed through a proxy and the OCSP server is HTTP only.

    What has been tried and does not work
    ------------------------------------------------

    serverside { TCP::respond "POST http://ocspserver.com [append request_headers $request_payload]" }

    where "POST /" was stripped from $request_headers and $request_payload is binary.

    LTM 10.2.3
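Added example (not code from the thread, from F5 or from OpenSSL): the request-line rewrite that both the working openssl -host/-path command earlier in the thread and the attempted "POST http://ocspserver.com ..." iRule above are reaching for, written in Python so it can be run offline. A forward proxy routes on the request line and needs an absolute URI there, while a proxy-unaware OCSP client sends the origin form "POST /ocsp" with the responder only in the Host header. The host name ocspserver, the path /ocsp and the DER bytes are constructed for illustration; that openssl puts the -path value verbatim into the request line is an assumption to confirm with a packet capture on your own version.

```python
# Added example (not from the thread, F5 or OpenSSL): HTTP-level view of
# sending an OCSP POST through an explicit forward proxy.  Host names,
# paths and the DER bytes are constructed for illustration.

CRLF = b"\r\n"


def build_ocsp_post(host: bytes, path: bytes, der_request: bytes) -> bytes:
    """Build the HTTP/1.0 POST an OCSP client sends for a DER-encoded request.

    With path = b"/ocsp" this is the origin-form request a proxy-unaware
    client sends straight to the responder.  With an absolute URI such as
    b"http://ocspserver/ocsp" it is the request the openssl -host/-path
    combination produces (assumption: openssl uses the -path value verbatim
    as the request target), which is the form a forward proxy can route.
    """
    head = CRLF.join([
        b"POST " + path + b" HTTP/1.0",
        b"Host: " + host,
        b"Content-Type: application/ocsp-request",
        b"Content-Length: " + str(len(der_request)).encode("ascii"),
    ])
    return head + CRLF + CRLF + der_request


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, headers, body).

    Only the first empty line is treated as the head/body separator, so the
    DER body, which may legitimately contain 0x0d 0x0a, is never touched.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def to_proxy_form(raw: bytes, scheme: bytes = b"http") -> bytes:
    """Rewrite an origin-form request into absolute-URI (proxy) form.

    'POST /ocsp' becomes 'POST http://ocspserver/ocsp', with the authority
    taken from the Host header.  Requests that already carry an absolute URI
    are returned unchanged, so the rewrite is safe to apply to every request
    on the path to the proxy.
    """
    request_line, headers, body = parse_request(raw)
    try:
        method, target, version = request_line.split(b" ")
    except ValueError:
        raise ValueError("malformed request line: %r" % request_line)
    if target.startswith(b"http://") or target.startswith(b"https://"):
        return raw
    if not target.startswith(b"/"):
        raise ValueError("unexpected request target: %r" % target)
    host = next((v for n, v in headers if n.lower() == b"host"), None)
    if not host:
        raise ValueError("origin-form request without a Host header cannot be proxied")
    new_line = b" ".join([method, scheme + b"://" + host + target, version])
    head = CRLF.join([new_line] + [n + b": " + v for n, v in headers])
    return head + CRLF + CRLF + body


# Constructed placeholder for a DER OCSP request; it contains a CRLF on
# purpose so it is visible that the body passes through untouched.
SAMPLE_DER = b"\x30\x06\x0d\x0a\x02\x01\x00"

if __name__ == "__main__":
    origin = build_ocsp_post(b"ocspserver", b"/ocsp", SAMPLE_DER)
    print(to_proxy_form(origin).decode("latin-1"))
```

The point the two openssl commands in the thread make is visible here: to_proxy_form() applied to the origin-form request yields byte for byte the request that build_ocsp_post() produces when handed the absolute path, i.e. what "-host 10.0.0.1:80 -path http://ocspserver/ocsp" sends to the proxy, whereas "-url http://ocspserver/ocsp" sends the origin form straight to a host the LTM cannot reach. On an LTM this rewrite belongs on a virtual server with an HTTP profile, where the request line and Host header are parsed for you and the binary body is left alone, rather than in a raw TCP::respond on the server side; the thread does not give that iRule, and the example above is not one.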