

Block HTTPS URLs using Performance L4 VS

Hi,

Is it possible to block traffic based on HTTP Host using a Performance L4 virtual server, using it as a transparent proxy? Source IP: 0.0.0.0, Destination IP: 0.0.0.0, Port: 443 (https)

Best Regards,

SM


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It's not possible to associate a ClientSSL profile with a Performance-L4 virtual server, which means you are not able to decrypt the incoming request data. As a result, it's not possible to examine the HTTP Host header, and therefore you cannot block traffic based on that content.

In order to decrypt traffic (i.e., to associate a ClientSSL profile) you must use a Standard virtual server.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

The feature to block HTTP / HTTPS requests as a transparent proxy is "SSL forward proxy". It requires a dedicated license. You can find the documentation to configure it here.

Comments on this Answer
Comment made 15-Aug-2017 by CharlesCS 625

Note that SSL Forward Proxy requires a Standard virtual server. The original question was whether blocking traffic based on the Host value could be done using a Performance-L4 virtual server, which would preclude SSL Forward Proxy.

Comment made 15-Aug-2017 by Stanislas Piron 10106

I know it requires a Standard VS; you already answered about this requirement :-)

I provided the full solution for the expected result even though SM asked about a Performance L4 VS.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If you really require the Performance L4 feature, you can filter on the SNI header instead of the Host value. When a client initiates an SSL negotiation, it can send a TLS header named Server Name.

Current browsers send this header with the value of the Host header (IE on Windows XP does not; newer versions do). Look at this thread to check the Server Name header.

I never tried to use TCP::collect in a Performance L4 VS. You can try this solution and update this thread if it worked (or not :-) ).

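As an added illustration (not code from this thread or from F5), the Python below shows the parsing an iRule's CLIENT_DATA handler would have to do over the bytes collected from the client: walk the TLS ClientHello to the server_name extension and compare it against a block list. The block list, the `build_client_hello` helper and the sample ClientHello it produces are constructed for the example; a ClientHello without the extension (the old-IE case the answer mentions), a non-TLS payload or a not-yet-complete record all yield no name.

```python
import struct

BLOCKED_NAMES = {"blocked.example"}   # constructed policy list for the example

def extract_sni(payload: bytes):
    """Return the server_name carried by a TLS ClientHello, or None.

    None also covers a non-TLS payload, a ClientHello with no extensions and a
    record that has not been fully collected yet (collect more before deciding).
    """
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello type
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        if len(payload) < 5 + rec_len:                     # partial record: need more bytes
            return None
        hs_end = 9 + int.from_bytes(payload[6:9], "big")   # end of the handshake message
        pos = 43                                           # 5 rec hdr + 4 hs hdr + 2 version + 32 random
        pos += 1 + payload[pos]                            # session_id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + payload[pos]                            # compression_methods
        if pos + 2 > hs_end:                               # no extensions block at all
            return None
        ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                              # server_name extension
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None

def should_reject(payload: bytes) -> bool:
    """Block-list decision the iRule would make before releasing the payload."""
    name = extract_sni(payload)
    return name is not None and name.lower() in BLOCKED_NAMES

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one SNI extension (sample input, not a capture)."""
    name = hostname.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name            # host_name type, length, name
    ext = struct.pack("!HH", 0, len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                                # version, random
            + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"          # empty session_id, one suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```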