

HTTP FORWARD PROXY IAPP IRULE NOT WORKING

How can I get the HTTP FORWARD PROXY iApp to work effectively? In my environment I have a requirement to use LTM as a forward proxy. I have used the HTTP PROXY iApp and edited the DNS setting to reflect the DNS server in my environment, and I can confirm DNS is working. However, users can't browse with the proxy IP and port configured in their browsers, even though chat messages are getting through.

Is there any tweak that needs to be made to the iRule, or anything similar, to make it work?

I will post the iRule generated by the iApp in the comments.

Comment made 10-Oct-2017 by kazeem yusuf 212

This is the iRule generated by the iApp:

when CLIENT_ACCEPTED {

# Per-connection initialisation for the forward proxy. Every flag read by the
# later events (HTTP_REQUEST, HTTP_RESPONSE, SERVER_CONNECTED, LB_FAILED,
# CLIENT_CLOSED) gets a defined starting value here, and the optional Websense
# side connection and the HSL logging handle are opened.
# Unset everything on a new client connection.
set is_connect 0
set is_http 0
set is_https 0
set error_occurred 0
# Set here but not referenced by any other event in this rule as pasted.
set auth_holddown 0
set request_log_line ""

if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
    set disable_websense_lookups 0
    # Pack the dotted-quad client address into a 32-bit integer (wide() keeps the
    # top-octet shift from overflowing a 32-bit int); HTTP_REQUEST sends it as a
    # big-endian "I" field of the Websense lookup message.
    foreach {a b c d} [split [IP::client_addr] .] break
    set wsp_src_ip [expr {(wide($a)<<24)+($b<<16)+($c<<8)+$d}]
    if { [active_members ${static::wsp_wisp_pool_L4_VIP_GPRS_TRANSPARENT} ] > 0 } {
        # The member list is fetched through an eval'd script string rather than
        # a direct call — presumably so the pool name can come from a variable;
        # confirm before simplifying.
        set wsp_list_cmd { set wsp_active_server_list [active_members -list ${static::wsp_wisp_pool_L4_VIP_GPRS_TRANSPARENT} ] }
        eval $wsp_list_cmd
        # Pick one active member by hashing the client address (crc32 mod list
        # length) so a given client is pinned to the same server; element 0 of
        # the member entry is its address.
        set wsp_member_selection [lindex [lindex $wsp_active_server_list [expr { [crc32 [IP::client_addr] ] % [llength $wsp_active_server_list] } ] ] 0 ] 
        # NOTE(review): lookups are disabled only when `connect` raises an error
        # (non-zero catch result and a non-empty message). The -status variable
        # wsp_conn_status is never inspected, so if `connect` reports failure by
        # returning an empty handle instead of throwing, $wsp_conn stays "" while
        # lookups remain enabled and the later send/recv/close on it would fail —
        # confirm against the connect command's failure semantics.
        if { not [catch {connect -timeout 100 -idle 30 -status wsp_conn_status ${wsp_member_selection}:${static::wsp_wisp_port_L4_VIP_GPRS_TRANSPARENT}} wsp_conn] == 0 && $wsp_conn ne "" } {
            if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0. "Websense server not connecting." }
            set disable_websense_lookups 1
        }
    } else {
        # No active Websense servers: the proxy keeps working without URL filtering.
        set disable_websense_lookups 1
    }
}

# Set up a logging handle for the context of this stream.
# $logging_handle only exists when logging is enabled; every HSL::send in the
# later events is guarded by this same flag.
if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
    set logging_handle [HSL::open -proto UDP -pool ${static::log_destination_L4_VIP_GPRS_TRANSPARENT} ]
}

}

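when HTTP_REQUEST {

# Per-request handling for the forward proxy. In order:
#   1. serve a generated PAC/WPAD file when autoconfiguration is enabled;
#   2. parse the proxy-form request (CONNECT host:port, or an absolute URI) into
#      $host, $port and $new_path, answering unsupported methods with 405;
#   3. enforce the per-mode destination-port allow-list (CONNECT vs. plain HTTP);
#   4. find the destination address (bare IP, or DNS via RESOLV::lookup with a
#      table cache), apply the optional client ACL and Websense lookup, then
#      select the destination with `node`;
#   5. start the HSL log line that HTTP_RESPONSE / SERVER_CONNECTED complete.
# $is_connect, $is_http, $is_https and $error_occurred are initialised in
# CLIENT_ACCEPTED and read again by the later events; every HSL::send is guarded
# by the same enable_logging flag that creates $logging_handle there.

# If proxy autoconfig files are requested and we are configured to hand them out, use
# the predefined rules and generate a config file to hand out to the user.
if { $static::support_proxy_autoconfiguration_L4_VIP_GPRS_TRANSPARENT } {
    if { [string tolower [HTTP::uri]] equals "/proxy.pac" || [string tolower [HTTP::uri]] equals "/wpad.dat"} {
        # Optional "plain hostnames go DIRECT" clause of the PAC function.
        if { $static::plain_name_direct_L4_VIP_GPRS_TRANSPARENT } {
            set plainname_section "        if (isPlainHostName(host))\r\n"
            append plainname_section "         return \"DIRECT\";\r\n"
        } else {
            set plainname_section ""
        }
        # One shExpMatch() per direct network, OR-ed together; the closing paren
        # and the DIRECT return are appended after the last item.
        set network_section_length [llength $static::direct_networks_L4_VIP_GPRS_TRANSPARENT]
        set network_section_count 1
        if { $network_section_length > 0  } {

            set network_section "        if ("
            foreach netitem $static::direct_networks_L4_VIP_GPRS_TRANSPARENT {
                append network_section "shExpMatch(url, \"$netitem\")"
                if { $network_section_count == $network_section_length } {
                    append network_section ")\r\n"
                    append network_section "         return \"DIRECT\";\r\n"
                } else {
                    append network_section " || \r\n         "
                    incr network_section_count
                }
            }
        } else {
            set network_section ""
        }
        # Same construction for direct hostnames, using dnsDomainIs().
        set hostname_section_length [llength $static::direct_hostnames_L4_VIP_GPRS_TRANSPARENT]
        set hostname_section_count 1
        if { $hostname_section_length > 0  } {
            set hostname_section "        if ("
            foreach netitem $static::direct_hostnames_L4_VIP_GPRS_TRANSPARENT {
                append hostname_section "dnsDomainIs(host, \"$netitem\")"
                if { $hostname_section_count == $hostname_section_length } {
                    append hostname_section ")\r\n"
                    append hostname_section "         return \"DIRECT\";\r\n\r\n"
                } else {
                    append hostname_section " || \r\n         "
                    incr hostname_section_count
                }
            }
        } else {
            set hostname_section ""
        }
        # The PAC template is expanded with [subst] (variable and command
        # substitution), so it can reference $plainname_section, $network_section,
        # $hostname_section and $proxy_port (the port this virtual was reached on).
        set proxy_port [TCP::local_port]
        HTTP::respond 200 content [subst $static::proxy_autoconfig_base_L4_VIP_GPRS_TRANSPARENT] Content-Type "application/x-ns-proxy-autoconfig" Connection "close" Pragma "no-cache"
        HTTP::release
        TCP::close
        return
    }
}

# Clear all previous HTTP request items.
# Variables live for the whole client connection, so anything a previous request
# on this keep-alive connection may have set must be reset here. $host_username /
# $host_password are only assigned when a URI carries userinfo, and the parsing
# below tests them with [info exists]; a stale value from an earlier request would
# otherwise produce a wrong $prefix (and so a wrong $new_path) for this one.
set host ""
set port ""
set new_path ""
set prefix ""
unset -nocomplain host_username host_password
if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
    set wsp_message_body ""
    set wsp_message_out ""
    set wsp_username ""
    set wsp_username_length 0
    set wsp_recv_message_length 0
    set wsp_message_length 0
    set wsp_uri_length 0
}

# Debug tracing writes the entire client request (all headers, cookies, any
# credentials in the URL or Authorization headers) to local0 — keep it off
# outside troubleshooting.
if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "HTTP::method: [HTTP::method]: HTTP::request : [HTTP::request]"}

# First check to see what method we're handling through the proxy.
# We need to process CONNECT a little differently than other HTTP proxy
# methods, and we need to discard requests that come through with
# unsupported methods.
# Coming out of this section will be:
#  - $host : hostname or bare IP address requested
#  - $port : port of the connection requested
#  - $new_path : normalized URI with the proxy format stripped
switch -- [HTTP::method] {
    "CONNECT" {
        set is_http 0
        set is_https 0
        set request_log_line ""
        set original_request [HTTP::uri]
        # CONNECT carries "host:port" as the request-target; port defaults to 443.
        set host [string tolower [getfield [HTTP::uri] ":" 1]]
        set port [getfield [HTTP::uri] ":" 2]
        if {$port eq ""} {
            set port 443
        }
        set new_path [HTTP::uri]
        # Hop-by-hop proxy header and the APM session cookie (re-issued in
        # HTTP_RESPONSE when APM support is on) are stripped before forwarding.
        HTTP::header remove "Proxy-Connection"
        HTTP::cookie remove "MRHSession"
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0. "Connect request from $host to $port." }
        set http_version [HTTP::version]
        set is_connect 1
        set is_https 1
    }
    "GET" -
    "PUT" -
    "POST" -
    "HEAD" -
    "PROPFIND" -
    "PROPPATCH" -
    "MKCOL" -
    "DELETE" -
    "COPY" -
    "MOVE" -
    "LOCK" -
    "UNLOCK" {
        set is_http 0
        set is_https 0
        set request_log_line ""
        set original_request [HTTP::uri]
        # Absolute-form URI: scheme is everything before the first ":",
        # the authority is what follows "//" up to the next "/".
        set scheme [string tolower [getfield $original_request ":" 1]]
        set host [string tolower [getfield [findstr $original_request "//" 2 "/"] ":" 1]]
        if { $host contains "@" } {
            # Split off URI userinfo ("user[:password]@host"). $host_password is
            # extracted but not used anywhere in this rule as pasted.
            set host_username ""
            set host_username [getfield $host "@" 1]
            set host [getfield $host "@" 2]
            if { $host_username contains ":" } {
                set host_password [getfield $host_username ":" 1]
                set host_username [getfield $host_username ":" 2]
            }
        }
        #FIX
        set port [getfield [findstr $original_request "//" 2 "/"] ":" 2]
        # Rebuild the exact "scheme://[userinfo@]host[:port]" prefix so it can be
        # located in, and stripped from, the original request-target.
        if { $port eq "" } {
            if { [info exists host_username] } {
                set prefix "${scheme}://${host_username}@${host}"
            } else {
                set prefix "${scheme}://${host}"
            }
        } else {
            if { [info exists host_username] } {
                set prefix "${scheme}://${host_username}@${host}:${port}"
            } else {
                set prefix "${scheme}://${host}:${port}"
            }
        }
        # Everything after the prefix is the origin-form path sent upstream.
        set new_path [findstr $original_request $prefix [string length $prefix] ]
        if {$port eq ""} {
            set port 80
        }
        HTTP::uri $new_path
        HTTP::header remove "Proxy-Connection"
        HTTP::cookie remove "MRHSession"
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0. "Get request from $host to $port. Altering from $prefix to $new_path" }
        set http_version [HTTP::version]
        set is_http 1
    }
    default {
        # $requested_method is presumably referenced by the error template
        # expanded with [subst] below — confirm against the iApp template.
        # NOTE(review): "Mime-Type" is not a standard response header (the PAC
        # response above uses Content-Type); the same header name is used by
        # every error response in this rule. Confirm the error pages render.
        set requested_method [HTTP::method]
        set error_occurred 1
        HTTP::respond 405 content [subst $static::unrecognized_method_error_L4_VIP_GPRS_TRANSPARENT] Mime-Type "text/html" 
        return
    }
}

# Check to see if the host provided by the browser client is an
# IP address or a hostname. If it's an IP address, we're going to
# forgo any DNS lookups.
if { ! [catch {IP::addr $host mask 255.255.255.255}] } {
    set _ipaddress $host
    set is_ipaddress 1
} else {
    # Hostname: consult the resolver cache. A cached "NO_IP" marks a name that
    # recently failed to resolve; like an empty result it counts as "no address
    # yet", so the lookup paths below run the resolver instead of handing the
    # literal string "NO_IP" to `node`.
    set _ipaddress [table lookup $host]
    switch -exact -- $_ipaddress {
        "" -
        "NO_IP" {
            set is_ipaddress 0
        }
        default {
            set is_ipaddress 1
        }
    }
}

# We don't want to arbitrarily allow any port through the proxy. If a request comes
# through that isn't on a list we expect to see for each mode (CONNECT vs. Normal),
# then abort and inform the user what they did.
# CONNECT rejections are written as a raw TCP response (HTTP processing is not
# used for tunnels); status line and headers are CRLF-separated, matching the
# other raw error responses in this event.
if { ($is_connect) } {
    if { ($is_https) && ( [lsearch -exact $static::allow_https_to_ports_L4_VIP_GPRS_TRANSPARENT $port ] < 0 ) } {
        set error_occurred 1
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Port request for $host:$port disallowed by ACL for HTTPS mode. Sending HTTP response error" }
        if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
            HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"CONNECT $new_path HTTP/$http_version\" 403 -"
        }
        catch {TCP::respond "HTTP/1.1 403 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::port_disallowed_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::port_disallowed_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
        return
    }
} else {
    if { ($is_http) && ( [lsearch -exact $static::allow_http_to_ports_L4_VIP_GPRS_TRANSPARENT $port ] < 0 ) } {
        set error_occurred 1
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Port request for $host:$port disallowed by ACL for HTTP mode. Sending HTTP response error" }
        if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
            HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"[HTTP::method] $new_path HTTP/[HTTP::version]\" 403 -"
        }
        HTTP::respond 403 content [subst ${static::port_disallowed_error_L4_VIP_GPRS_TRANSPARENT} ] Mime-Type text/html Cache-Control "no-cache,no-store"
        return
    }
}

# If we're handling a CONNECT request, we've got to pretend like the
# the connection is moving so the browser doesn't time out. This is less
# than ideal, but works even with poorly written clients.
#
# We zero out any TCP payload and disable HTTP processing because from this
# point forward we're basically letting the connection talk directly to
# the remote server. This response will only fire when the server connects.
#
# Destination selection for CONNECT: a literal or cached IP is used as-is (no
# DNS); otherwise the name is resolved and the result cached in the session
# table. A client listed in the block_access datagroup is refused with 403
# before `node` is called. With Websense enabled, the URL is sent to the
# filtering server and a non-zero lookup code produces a 403 to the client.
if { $is_connect } {
    TCP::payload replace 0 [TCP::payload length] ""
    TCP::collect
    HTTP::disable discard
    if { $is_ipaddress } {
        if { ($static::check_access_blocking_L4_VIP_GPRS_TRANSPARENT) } {
            if { not [class match [IP::client_addr] equals $static::block_access_datagroup_L4_VIP_GPRS_TRANSPARENT] } {
                if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "ACL failed:  $host. Sending HTTP response error" }
                catch {TCP::respond "HTTP/1.1 403 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                return
            } else {
                node $_ipaddress $port
            }
        } else {
            node $_ipaddress $port
        }
    } else {
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Got hostname: $host, calling resolver..." }
        set ips [RESOLV::lookup @$static::resolver_ip_L4_VIP_GPRS_TRANSPARENT -a $host]
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } {log local0.info "$host NAME::response: $ips"}
        # First A record only.
        set _ipaddress [lindex $ips 0]
        # NOTE(review): $_ipaddress now holds the resolver result, not the table
        # lookup, so the "(from cache)" branch below only fires if the resolver
        # itself returns the literal "NO_IP" — likely unreachable; confirm.
        if { ($_ipaddress equals "") || ($_ipaddress equals "NO_IP") } {
            if { $_ipaddress equals "" } {
                set error_occurred 1
                # Negative-cache the failure for resolver_cache_lifetime seconds.
                table add $host "NO_IP" $static::resolver_cache_lifetime_L4_VIP_GPRS_TRANSPARENT
                if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "DNS resolution failed for hostname: $host. Sending HTTPS response error" }
                if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                    HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"CONNECT $new_path HTTP/$http_version\" 504 -"
                }
                catch {TCP::respond "HTTP/1.1 504 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                return
            } else {
                set error_occurred 1
                if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "DNS resolution failed for hostname (from cache): $host. Sending HTTPS response error" }
                if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                    HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"CONNECT $new_path HTTP/$http_version\" 504 -"
                }
                catch {TCP::respond "HTTP/1.1 504 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                return
            }
        } else {
            # Positive-cache the address for resolver_cache_lifetime seconds.
            table add $host $_ipaddress $static::resolver_cache_lifetime_L4_VIP_GPRS_TRANSPARENT
            if { ($static::check_access_blocking_L4_VIP_GPRS_TRANSPARENT) } {
                if { not [class match [IP::client_addr] equals $static::block_access_datagroup_L4_VIP_GPRS_TRANSPARENT] } {
                    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "ACL failed: $host. Sending HTTP response error" }
                    catch {TCP::respond "HTTP/1.1 403 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                    if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                        HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"CONNECT $new_path HTTP/$http_version\" 403 -"
                    }
                    return
                } else {
                    # Websense lookup for a CONNECT target: the URL is rewritten as
                    # "https://host" before being sent to the filtering server.
                    set original_request "https://[getfield ${original_request} ":" 1]"
                    if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
                        if { not $disable_websense_lookups } {
                            # Destination address packed to a 32-bit integer, like
                            # $wsp_src_ip in CLIENT_ACCEPTED.
                            foreach {a b c d} [split $_ipaddress .] break
                            set wsp_dst_ip [expr {(wide($a)<<24)+($b<<16)+($c<<8)+$d}]
                            set wsp_url_length [string length $original_request]
                            # Pseudo-random 4-byte message id (hex) used only to
                            # correlate the reply; rand() is not a CSPRNG, which is
                            # acceptable for a request correlator.
                            binary scan [string range [ md5 [ expr { [info cmdcount] * rand() } ] ] 0 3 ] H8 wsp_message_id
                            set wsp_message_request_header "[binary format SSSH8 $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id]"
                            # NOTE(review): this length is computed from $wsp_message_body
                            # before that variable is assigned on the next line, so it
                            # covers only the header (+2), not the body actually sent.
                            # The same ordering appears in the three other copies of
                            # this block; confirm against the Websense message format.
                            set wsp_message_length [expr { [string length $wsp_message_request_header] + [string length $wsp_message_body] + 2 } ]
                            set wsp_message_body "[binary format SSIISa${wsp_url_length}Sa${wsp_username_length} 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]"
                            send -timeout 1000 -status wsp_send_status $wsp_conn [binary format SSSSH8SSIISa${wsp_url_length}Sa${wsp_username_length} $wsp_message_length $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]
                            # Up to 50 ms for the verdict. The lookup appears fail-open:
                            # with no reply, binary scan sets no variables, the
                            # [info exists wsp_recv_message_id] test is false and the
                            # request proceeds unfiltered.
                            set wsp_recv_data [recv -status wsp_recv_status -timeout 50 $wsp_conn ]
                            binary scan $wsp_recv_data SSSSH8SSSSa* wsp_recv_length wsp_recv_version wsp_recv_type wsp_recv_flags wsp_recv_message_id wsp_recv_lookup_code wsp_recv_lookup_desc wsp_recv_category wsp_recv_message_length wsp_recv_message
                            if {$wsp_recv_message_length > 0 } { binary scan $wsp_recv_message a${wsp_recv_message_length}S wsp_recv_message_out wsp_recv_null }
                            if { [info exists wsp_recv_message_id] } {
                                if { ($wsp_message_id == $wsp_recv_message_id) } {
                                    if { $wsp_recv_lookup_code > 0 } {
                                        if { [info exists wsp_recv_message_out] } {
                                            # NOTE(review): unlike the HTTP-mode path further
                                            # down, a block here only writes a 403 to the client;
                                            # it does not close the connection or return, so
                                            # `node` is still reached and SERVER_CONNECTED will
                                            # send "200 OK" to the client — confirm this is intended.
                                            clientside {
                                                catch {TCP::respond "HTTP/1.1 403 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    node $_ipaddress $port
                }
            } else {
                # Same Websense lookup as above, for the case where the client ACL
                # is not in use.
                set original_request "https://[getfield ${original_request} ":" 1]"
                if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
                    if { not $disable_websense_lookups } {
                        foreach {a b c d} [split $_ipaddress .] break
                        set wsp_dst_ip [expr {(wide($a)<<24)+($b<<16)+($c<<8)+$d}]
                        set wsp_url_length [string length $original_request]
                        binary scan [string range [ md5 [ expr { [info cmdcount] * rand() } ] ] 0 3 ] H8 wsp_message_id
                        set wsp_message_request_header "[binary format SSSH8 $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id]"
                        set wsp_message_length [expr { [string length $wsp_message_request_header] + [string length $wsp_message_body] + 2 } ]
                        set wsp_message_body "[binary format SSIISa${wsp_url_length}Sa${wsp_username_length} 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]"
                        send -timeout 1000 -status wsp_send_status $wsp_conn [binary format SSSSH8SSIISa${wsp_url_length}Sa${wsp_username_length} $wsp_message_length $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]
                        set wsp_recv_data [recv -status wsp_recv_status -timeout 50 $wsp_conn ]
                        binary scan $wsp_recv_data SSSSH8SSSSa* wsp_recv_length wsp_recv_version wsp_recv_type wsp_recv_flags wsp_recv_message_id wsp_recv_lookup_code wsp_recv_lookup_desc wsp_recv_category wsp_recv_message_length wsp_recv_message
                        if {$wsp_recv_message_length > 0 } { binary scan $wsp_recv_message a${wsp_recv_message_length}S wsp_recv_message_out wsp_recv_null }
                        if { [info exists wsp_recv_message_id] } {
                            if { ($wsp_message_id == $wsp_recv_message_id) } {
                                if { $wsp_recv_lookup_code > 0 } {
                                    if { [info exists wsp_recv_message_out] } {
                                        clientside {
                                            catch {TCP::respond "HTTP/1.1 403 Not Allowed\r\nMime-Type: text/html\r\nCache-Control: no-cache,no-store\r\nConnection: close\r\nContent-Length: [string length [subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]]\r\n\r\n[subst $static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT]\r\n\r\n"}
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                node $_ipaddress $port
            }
        }
    }
} else {

# If we're not handling a CONNECT request, then we're going to strip out the
# FQDN and protocol from the fully-formed URI we just got.
# 
# Along the way, we need to handle failures to resolve DNS, caching of DNS returns
# in a table for better performance, checking to see whether the browser client
# is restricted from proxy use, and logging error conditions. Only then do we set the
# node and port to the remote host system.
#
# NOTE(review): this branch does not consult $is_ipaddress or the cached
# $_ipaddress; every plain-HTTP request goes to the resolver, including ones
# whose $host is already a literal IP address — confirm RESOLV::lookup handles
# that, otherwise such requests would fall into the 504 path below.
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Got hostname: $host, calling resolver..." }
    set ips [RESOLV::lookup @$static::resolver_ip_L4_VIP_GPRS_TRANSPARENT -a $host]
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } {log local0.info "$host NAME::response: $ips"}
    set _ipaddress [lindex $ips 0]
    if { ($_ipaddress equals "") || ($_ipaddress equals "NO_IP") } {
        if { $_ipaddress equals "" } {
            set error_occurred 1
            table add $host "NO_IP" $static::resolver_cache_lifetime_L4_VIP_GPRS_TRANSPARENT
            if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "DNS resolution failed for hostname:  $host. Sending HTTP response error" }
            if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"[HTTP::method] $new_path HTTP/[HTTP::version]\" 504 -"
            }
            HTTP::respond 504 content [subst ${static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT} ] Mime-Type text/html Cache-Control "no-cache,no-store"
            return 
        } else {
            set error_occurred 1
            if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "DNS resolution failed for hostname (from cache):  $host. Sending HTTP response error" }
            if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"[HTTP::method] $new_path HTTP/[HTTP::version]\" 504 -"
            }
            HTTP::respond 504 content [subst ${static::host_not_found_error_L4_VIP_GPRS_TRANSPARENT} ] Mime-Type text/html Cache-Control "no-cache,no-store"
            return  
        }
    } else {
        table add $host $_ipaddress $static::resolver_cache_lifetime_L4_VIP_GPRS_TRANSPARENT
        if { ($static::check_access_blocking_L4_VIP_GPRS_TRANSPARENT) } {
            if { not [class match [IP::client_addr] equals $static::block_access_datagroup_L4_VIP_GPRS_TRANSPARENT] } {
                if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "ACL failed:  $host. Sending HTTP response error" }
                HTTP::respond 403 content [subst ${static::host_disallowed_error_L4_VIP_GPRS_TRANSPARENT} ] Mime-Type text/html Cache-Control "no-cache,no-store"
                if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                    HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}> [IP::client_addr] -> $host:$port \"[HTTP::method] $new_path HTTP/[HTTP::version]\" 403 -"
                }
                return  
            } else {
                # Websense lookup for a plain-HTTP request; on a block the filter's
                # own message is written to the client and the client side closed.
                if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
                    if { not $disable_websense_lookups } {
                        foreach {a b c d} [split $_ipaddress .] break
                        set wsp_dst_ip [expr {(wide($a)<<24)+($b<<16)+($c<<8)+$d}]
                        set wsp_url_length [string length $original_request]
                        binary scan [string range [ md5 [ expr { [info cmdcount] * rand() } ] ] 0 3 ] H8 wsp_message_id
                        set wsp_message_request_header "[binary format SSSH8 $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id]"
                        set wsp_message_length [expr { [string length $wsp_message_request_header] + [string length $wsp_message_body] + 2 } ]
                        set wsp_message_body "[binary format SSIISa${wsp_url_length}Sa${wsp_username_length} 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]"
                        send -timeout 1000 -status wsp_send_status $wsp_conn [binary format SSSSH8SSIISa${wsp_url_length}Sa${wsp_username_length} $wsp_message_length $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]
                        set wsp_recv_data [recv -status wsp_recv_status -timeout 50 $wsp_conn ]
                        binary scan $wsp_recv_data SSSSH8SSSSa* wsp_recv_length wsp_recv_version wsp_recv_type wsp_recv_flags wsp_recv_message_id wsp_recv_lookup_code wsp_recv_lookup_desc wsp_recv_category wsp_recv_message_length wsp_recv_message
                        if {$wsp_recv_message_length > 0 } { binary scan $wsp_recv_message a${wsp_recv_message_length}S wsp_recv_message_out wsp_recv_null }
                        if { [info exists wsp_recv_message_id] } {
                            if { ($wsp_message_id == $wsp_recv_message_id) } {
                                if { $wsp_recv_lookup_code > 0 } {
                                    if { [info exists wsp_recv_message_out] } {
                                        clientside {
                                            TCP::payload replace 0 0 ""
                                            TCP::respond $wsp_recv_message_out
                                            TCP::close
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                node $_ipaddress $port
            }
        } else {
            # Same Websense lookup as above, for the case where the client ACL is
            # not in use.
            if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } {
                if { not $disable_websense_lookups } {
                    foreach {a b c d} [split $_ipaddress .] break
                    set wsp_dst_ip [expr {(wide($a)<<24)+($b<<16)+($c<<8)+$d}]
                    binary scan [string range [ md5 [ expr { [info cmdcount] * rand() } ] ] 0 3 ] H8 wsp_message_id
                    set wsp_message_request_header "[binary format SSSH8 $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id]"
                    set wsp_url_length [string length $original_request]
                    set wsp_message_length [expr { [string length $wsp_message_request_header] + [string length $wsp_message_body] + 2 } ]
                    set wsp_message_body "[binary format SSIISa${wsp_url_length}Sa${wsp_username_length} 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]"
                    send -timeout 1000 -status wsp_send_status $wsp_conn [binary format SSSSH8SSIISa${wsp_url_length}Sa${wsp_username_length} $wsp_message_length $static::wsp_api_version_L4_VIP_GPRS_TRANSPARENT 0x0089 0x0000 $wsp_message_id 0x0002 0x0000 $wsp_src_ip $wsp_dst_ip $wsp_url_length $original_request $wsp_username_length $wsp_username]
                    set wsp_recv_data [recv -status wsp_recv_status -timeout 50 $wsp_conn ]
                    binary scan $wsp_recv_data SSSSH8SSSSa* wsp_recv_length wsp_recv_version wsp_recv_type wsp_recv_flags wsp_recv_message_id wsp_recv_lookup_code wsp_recv_lookup_desc wsp_recv_category wsp_recv_message_length wsp_recv_message
                    if {$wsp_recv_message_length > 0 } { binary scan $wsp_recv_message a${wsp_recv_message_length}S wsp_recv_message_out wsp_recv_null }
                    if { [info exists wsp_recv_message_id] } {
                        if { ($wsp_message_id == $wsp_recv_message_id) } {
                            if { $wsp_recv_lookup_code > 0 } {
                                if { [info exists wsp_recv_message_out] } {
                                    clientside {
                                        TCP::payload replace 0 0 ""
                                        TCP::respond $wsp_recv_message_out
                                        TCP::close
                                    }
                                }
                            }
                        }
                    }
                }
            }
            node $_ipaddress $port
        }
    }
}

# Collect the info we need to build the HSL log entry.
#
# The logs collected here will differ depending on whether the user
# is using CONNECT or proxy-style connectivity.
#
# For example:
#           Date            Source    Client-IP      Dest-HostPort   Request                            Status Length
# HTTP   : "May 15 20:03:54 ltm-proxy <client_ip> -> www.aa.com:80   "GET /sample/page.html HTTP/1.1"   200    43514
# CONNECT: "May 15 20:03:54 ltm-proxy <client_ip> -> www.aa.com:443  "CONNECT www.aa.com:443 HTTP/1.0"  200    -
# Status and length are appended in HTTP_RESPONSE (HTTP mode) or
# SERVER_CONNECTED / LB_FAILED (CONNECT mode).
if { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT && $is_https} {
    set request_log_line "[IP::client_addr] -> $host:$port \"CONNECT $host:$port HTTP/$http_version\""
} elseif { $static::enable_logging_L4_VIP_GPRS_TRANSPARENT && $is_http } {
    set request_log_line "[IP::client_addr] -> [HTTP::host]:$port \"[HTTP::method] $new_path HTTP/[HTTP::version]\""
}

}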

when HTTP_RESPONSE {
# In HTTP mode, complete a log entry for each response returned.
# Add a header to let the browser clients know they had their connections
# processed by our proxy.
# Only plain-HTTP mode work is expected here; CONNECT tunnels disable HTTP
# processing in HTTP_REQUEST / SERVER_CONNECTED.
if { $is_http && $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
    # $request_log_line was started in HTTP_REQUEST; status and length finish it.
    # NOTE(review): [HTTP::payload length] reports only the response bytes
    # available when this event runs (nothing is collected here), so the logged
    # length may be smaller than the full body — confirm that is acceptable.
    append request_log_line " [HTTP::status] [HTTP::payload length]"
    HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}>$request_log_line "
}
# Marks the response as having traversed this proxy.
HTTP::header insert "Via" "F5ProxyiRule"
if { $static::support_apm_L4_VIP_GPRS_TRANSPARENT && not $static::apm_transparent_L4_VIP_GPRS_TRANSPARENT } {
    # NOTE(review): $current_sid is not assigned anywhere in this rule as pasted,
    # so with APM support enabled this line references an undefined variable
    # unless another rule on the virtual sets it — confirm. The cookie is also
    # issued without Secure/HttpOnly attributes and scoped to the requested
    # host's parent domain.
    HTTP::header insert "Set-Cookie" "MRHSession=$current_sid; path=/; domain=.$host"
}
}

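when SERVER_CONNECTED {
# Handle CONNECT mode by faking a response to the connection once we have
# a server connection. Disable HTTP processing for this request and zero out
# anything the client may have sent; at this point, the browser client is
# now talking TCP to the remote system after we've satisfied their browser
# that we are connected successfully.
if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Server connected." }
if { $is_connect } {
    # Tunnel established: the status line and the Connection header are
    # CRLF-separated and the header block is terminated by an empty line, as
    # HTTP framing requires (a bare-LF or space-joined status line is not
    # reliably parsed by clients).
    clientside { TCP::respond "HTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\n\r\n" }
    TCP::payload replace 0 [TCP::payload length] ""
    # Debug tracing base64-encodes whatever the client already sent after
    # CONNECT (typically the start of its TLS handshake) into local0.
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Sending client data: [b64encode [clientside { TCP::payload }] ]" }
    clientside { HTTP::disable discard }
    # Forward any bytes the client sent early, then clear and release the
    # client-side buffer so the two sides talk TCP directly from here on.
    TCP::respond [clientside { TCP::payload }]
    clientside {
        TCP::payload replace 0 [string length [TCP::payload]] ""
        TCP::release
    }
    if { $is_https && $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
        HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}>$request_log_line 200 - "
    }
}
}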

when SERVER_CLOSED {
    # Trace-only event: record the server-side teardown when debugging is enabled.
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } then {
        log local0.info "Server closed."
    }
}

when LB_FAILED {
# Handle situations where the remote system fails to respond (mainly affected by
# the TCP timeout setting). Our action is to try to inform the user.
# CONNECT mode: log 504 and drop the client. HTTP mode: release the held request
# and either stay silent (an error response was already sent) or send a 504 page.
if { ($is_connect) } {
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Server connection failed. Closing client connection."}
    if { $is_https && $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
        HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}>$request_log_line 504 - "
    }
    clientside {TCP::close}
} else {
    # NOTE(review): this branch is only taken when debugging is on AND an error
    # was already reported by HTTP_REQUEST; with debugging off such a request
    # falls through to the second HTTP::respond below. The intent is presumably
    # `if { $error_occurred }` — confirm.
    if { ($static::proxy_debug_L4_VIP_GPRS_TRANSPARENT) && ($error_occurred) } {
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Server connection failed, DNS error."}
        clientside {
            HTTP::release
            return
        }
    } else {
        if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } { log local0.info "Server connection failed. Sending HTTP response error"}
        clientside {
            HTTP::release
            if { $is_http && $static::enable_logging_L4_VIP_GPRS_TRANSPARENT } {
                HSL::send $logging_handle "<${static::facility_L4_VIP_GPRS_TRANSPARENT}>$request_log_line 504 - "
            }
            HTTP::respond 504 content [subst ${static::host_not_responding_error_L4_VIP_GPRS_TRANSPARENT}] Mime-Type text/html Cache-Control "no-cache,no-store"
            set error_occurred 1
            return
        }
    }
}
}

when CLIENT_CLOSED {
    # Connection teardown: trace it when debugging is on, and release the
    # Websense side connection opened in CLIENT_ACCEPTED if one is in use.
    if { $static::proxy_debug_L4_VIP_GPRS_TRANSPARENT } then {
        log local0.info "client closed."
    }
    # $disable_websense_lookups is only defined when Websense support is on,
    # so it is tested inside that guard.
    if { $static::support_websense_L4_VIP_GPRS_TRANSPARENT } then {
        if { not $disable_websense_lookups } then {
            close $wsp_conn
        }
    }
}


Answers to this Question