HTTP Explicit Proxy - V11.5+

Problem this snippet solves:

This iApp configures an Explicit Proxy using the new "Explicit" Proxy Mode that was introduced into the HTTP Profile in BIG-IP 11.5.

You only need LTM or APM provisioned.

It creates all configuration components required including:

  • DNS Resolvers
  • TCP Tunnel
  • HTTP Profile (Explicit)
  • Default Connect Handling set to Allow
  • SNAT Pools (Optional)
  • SNAT Default is Automap

If you require the Explicit Proxy to listen on more than one port, e.g. 3128 and 8080, simply create another Application Service.

Contributed by: Brett Smith

Comment made 13-Apr-2016 by Payal
Thanks Brett, I am using this iApp - Really helpful.
Comment made 19-Apr-2016 by Jos Baanders 0
Thanks for sharing this. How best could we filter URLs, have a whitelist of permitted sites and block all others?
Comment made 27-Apr-2016 by Eric Marquez 3
Brett, does this support proxy auth? I'm doing some testing and I would like to use my Virtual F5 as a forwarding proxy with Auth. The auth can be a single username/pass. Is it possible to get this added to it?
Comment made 08-Jul-2016 by xunil321 164

Eric, we are also interested in implementing some sort of user authentication.
Did you have success with your Auth?

Comment made 13-Sep-2016 by Sebastian Maniak 262

Great work, thanks.

Comment made 16-Nov-2016 by Brett Smith

Hi Jos,

You can filter URLs, I would recommend the SWG iApp: https://devcentral.f5.com/codeshare/f5-secure-web-gateway-iapp-template

It doesn't require a SWG license in 12.1+ and you can create your own custom categories.

Comment made 16-Nov-2016 by Brett Smith

Hi Eric,

It supports Auth on the Client side. It doesn't support Proxy Chaining - this feature is due to release in BIG-IP 13.0

Comment made 13-Mar-2017 by Thorsten 64

Great iApp!! Works like a charm for HTTP and HTTPS :) Can this somehow be adapted to FTP(S), SFTP and SOCKS?


Comment made 08-May-2017 by dihris 239

Great work! I managed to successfully deploy the explicit proxy for HTTP/HTTPS calls.

Brett, is there a way to control server side encryption separate from the client side without using SSL Forward Proxy features? The problem I'm trying to solve is that I have dev machines supporting clear text only that need to reach resources on the internet that support tls1.2 only. dev machine >> (clear text) >> vIP (LTM Explicit Proxy) >> (encrypted - TLS1.2) Internet Resources

I've tried different ways of using server/client ssl profiles without success. Before going with "tunnel" vIP and SSL Forward Proxy I wanted to see if there is any other way around, as from what I read this solution would require an additional license.

Comment made 13-Jun-2017 by Sadorect 395

This was working before, but now it just stopped working. The proxy no longer responds to requests.

Comment made 04-Apr-2018 by Leo S 0


I am trying to automate creation of this iApp. So far I have got the following variables and tables:

tmsh create sys application service Proxy { template f5.explicit_proxy tables add { tmsh show /sys serviceresolver__rootresolvers { column-names { ip } rows { { row { } } } } proxy__client_vlan { column-names { vlans } rows { { row { internal } } } } } variables add { proxy__explicit__ip { value } proxy__name { value Proxy } proxy__explicit__port { value 3128 } resolver__intresolvers { value /#default# } proxy__snatpool { value /#default# } } }

and I am getting an error:

Syntax Error: incomplete command

Can anyone help get this working?

Many Thanks

Comment made 17-Aug-2018 by s3nthil 0

Thanks for sharing. This works well.

Comment made 4 months ago by NVSmithers 1

Is this designed to work with version 13.1.1? I can't seem to get it to work to save my life.