Forum Discussion

Ashish_205344
Jun 18, 2018

HTTP Forward Proxy Access Filter

I have implemented F5 as an explicit forward proxy. Now, to add further, I need to add some HTTP filtering so that servers in Group A can only access external domains defined in Group A, and likewise for 100s of groups.


I have also got AFM provisioned, not sure which is the best way? iRule or AFM policy?


Any suggestions or iRule code snippets are highly appreciated. Thanks in advance.


1 Reply

  • Hi,

    AFM is a Layer 4 firewall. It won't filter on HTTP host.

    You can:

    • create a data group with all allowed sites:

      ltm data-group internal Proxy_allowed_hosts {
          records {
              www.f5.com { }
              www.google.fr { }
          }
          type string
      }
      
    • use this ltm policy (load it with "load sys config merge from-terminal"):

      ltm policy FORWARD_PROXY_FILTER {
          controls { forwarding }
          last-modified 2018-06-18:09:11:14
          requires { http http-explicit }
          rules {
              whitelist-http-proxy {
                  conditions {
                      0 {
                          http-uri
                          proxy-request
                          host
                          datagroup Proxy_allowed_hosts
                      }
                  }
              }
              whitelist-connect {
                  conditions {
                      0 {
                          http-method
                          proxy-request
                          values { CONNECT }
                      }
                      1 {
                          http-uri
                          proxy-request
                          starts-with
                          datagroup Proxy_allowed_hosts
                      }
                  }
                  ordinal 1
              }
              redirect_unknown_host {
                  actions {
                      0 {
                          http-reply
                          proxy-request
                          redirect
                          location http://www.google.fr
                      }
                      1 {
                          log
                          proxy-request
                          write
                          facility local0
                          message tcl:[HTTP::uri]
                          priority info
                      }
                  }
                  ordinal 2
              }
          }
          status published
          strategy first-match
      }
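The policy in the reply keeps a single, global allow list: a request whose host is in Proxy_allowed_hosts matches one of the two whitelist rules, and because those rules carry no actions under a first-match strategy the request is simply forwarded, while anything else falls through to the redirect. The question, though, asks for a different list per server group. Rather than writing a pair of policy rules for every group, an iRule can pick the data group from the client address. The following iRule (Tcl) is an added example and is not code from the reply or from F5; the data groups proxy_groups (address type, mapping client subnets to a group label) and allow_<group> (string type, one per group) are hypothetical names that the administrator would create beforehand.

```tcl
# Added example, not code from the original thread. Per-group allow-listing for an
# F5 explicit forward proxy as an iRule attached to the explicit-proxy virtual server.
# Assumed (hypothetical) objects that the administrator creates beforehand:
#   ltm data-group internal proxy_groups   type ip     -> client subnet => group label
#       records { 10.1.0.0/24 { data "group_a" }  10.2.0.0/24 { data "group_b" } }
#   ltm data-group internal allow_group_a  type string -> allowed hosts for group_a
#       records { www.f5.com { }  www.google.fr { } }
#   ltm data-group internal allow_group_b  type string -> allowed hosts for group_b
# Host records must be lower-case: the lookup is an exact, case-sensitive string match.

when HTTP_PROXY_REQUEST {
    # 1. Map the requesting server to its group via the address-type data group.
    #    "equals" on an address class does subnet containment; -value returns the
    #    record's data (the group label) or an empty string on no match.
    set group [class match -value [IP::client_addr] equals proxy_groups]
    if { $group eq "" } {
        log local0.info "proxy deny: [IP::client_addr] in no group, uri=[HTTP::uri]"
        HTTP::respond 403 content "Forbidden: source is not mapped to a proxy group"
        return
    }

    # 2. Work out the destination host. CONNECT carries host:port in the request URI;
    #    a plain proxied request (GET http://host/path) carries the host in the Host
    #    header. Bracketed IPv6 literals are not handled by this split and end up denied.
    if { [HTTP::method] eq "CONNECT" } {
        set dest [lindex [split [HTTP::uri] ":"] 0]
    } else {
        set dest [lindex [split [HTTP::host] ":"] 0]
    }
    set dest [string tolower $dest]
    if { $dest eq "" } {
        HTTP::respond 400 content "Bad Request: no destination host"
        return
    }

    # 3. Select the group's allow list by name and fail closed if it does not exist.
    set allow_dg "allow_${group}"
    if { ![class exists $allow_dg] } {
        log local0.err "proxy deny: data group $allow_dg missing for group $group"
        HTTP::respond 403 content "Forbidden"
        return
    }

    # 4. Exact host match against the group's list. Returning without any other action
    #    lets the request continue through the explicit proxy unchanged.
    if { [class match $dest equals $allow_dg] } {
        return
    }
    log local0.info "proxy deny: [IP::client_addr] group=$group method=[HTTP::method] host=$dest"
    HTTP::respond 403 content "Forbidden: $dest is not allowed for $group"
}
```

Adding a group then means adding one record to proxy_groups and one string data group named allow_<label>, with no change to the iRule. The match is deliberately exact on the host; if whole domains should be permitted, store records such as ".example.com" and use "ends_with" instead of "equals" in step 4. Verify from a server in each group with "curl -x <proxy-ip>:<port> https://www.f5.com/" (a CONNECT) and "curl -x <proxy-ip>:<port> http://www.f5.com/" (a plain proxied request), and confirm that a host not on the group's list returns the 403 and a local0 log line.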