I tried everything and nothing worked :-(. I am running out of ideas, so either I am doing something wrong or what I need is not possible.
The idea is to have a setup like this:
client -> explicit forward proxy type VS -> ForwardIP type VS -> target server
I tried plenty of combinations to pass traffic from the forward proxy VS to the ForwardIP VS, but all failed: virtual, nexthop with snat none, translate addr disable, etc.
I need to pass traffic to the ForwardIP server after the forward proxy VS resolves the destination server from the proxy request. My idea is to be able to use AFM rules to enforce limitations on src IP:port and dst IP:port (L4 rules).
I know that it's possible to use APM ACLs, but this is not a very elegant or admin-friendly solution :-(
Everything fails when I try to pass traffic to the ForwardIP VS.
When the virtual command is used, the dst IP is changed to the ForwardIP VS or (when a wildcard VS is used) to nothing. But at least traffic is reaching the ForwardIP VS.
When nexthop is used, traffic never reaches the ForwardIP VS.
When nexthop is used with a tunnel specified (tcp forward type on which the ForwardIP VS is enabled), I immediately get a port exhaustion message in the LTM log.
Is there any way to achieve what I need, or is it plain impossible?
Just stumbled over this question and got an idea how this can be solved...
You could use the [sharedvar] command to store IP parameters on the front-ending VS and pass them to a back-ending VS in a VIP-targeting-VIP setup. Those variables could then be used for snat and node selection on the back-ending VS.
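As an added illustration of the sharedvar idea (example iRules written for this thread, not code posted by anyone in it), the front-ending VS runs a standard HTTP profile instead of the explicit proxy profile, resolves the requested host itself, shares the result, and targets the back-ending VS, which then picks the real destination. The VS names, the DNS server address and the variable names are assumptions.

```tcl
# iRule on the front-ending VS (assumed name: vs_fwd_proxy_front, standard HTTP profile).
when CLIENT_ACCEPTED {
    # sharedvar makes these variables visible on the VS targeted with [virtual].
    sharedvar dst_ip
    sharedvar dst_port
    sharedvar orig_client
    set orig_client [IP::client_addr]
}
when HTTP_REQUEST {
    # A proxy-style request carries the target in the Host header, optionally with a port.
    set host [HTTP::host]
    set dst_port 80
    if { [string first ":" $host] != -1 } {
        set dst_port [lindex [split $host ":"] 1]
        set host [lindex [split $host ":"] 0]
    }
    # Resolve the hostname ourselves (assumed DNS server 192.0.2.53); take the first A record.
    set dst_ip [lindex [RESOLV::lookup @192.0.2.53 -a $host] 0]
    if { $dst_ip eq "" } {
        # Failure mode: unresolvable host, answer the client instead of forwarding blindly.
        HTTP::respond 502 content "Cannot resolve $host"
        return
    }
    # Hand the connection to the back-ending VS (VIP targeting VIP).
    virtual vs_fwd_ip_back
}

# iRule on the back-ending ForwardIP-type VS (assumed name: vs_fwd_ip_back).
when CLIENT_ACCEPTED {
    # Declare the same shared variables to read what the front-ending VS stored.
    sharedvar dst_ip
    sharedvar dst_port
    sharedvar orig_client
    # Keep the original client address as source and send to the resolved server.
    snat $orig_client
    node $dst_ip $dst_port
}
```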
Good to hear from you! Thanks for the tip, I think it's a nice option. Not 100% sure, but I recall that some fixes to VIP targeting VIP were planned so that preserving IPs would be possible without an iRule.
Maybe I am wrong; it was some time ago and I did not get back to this topic as the related project was abandoned.
Hello Piotr, I think we have a current limitation for this: BUG 453354: "http explicit proxy doesn't work when target is VIP on same box". There may be a workaround with an iRule. I will test it and update you.
Thanks for info. Not very good news.
Let's assume that I set up a VS without a proxy profile and then extract the URL from the request using HTTP::uri, then disable the HTTP profile using HTTP::disable (or use a VS without an HTTP profile at all and use TCP::collect and TCP::payload to retrieve the target URL).
Then I can use RESOLV::lookup to retrieve the IP of the server in the URL (something that is in fact implemented in the HTTP profile in Explicit mode, as far as I understand).
Is there any way to somehow create a connection to the target host via an additional ForwardIP type VS?
Do you think it should work in such a way that the ForwardIP type VS will receive a TCP connection with: