Forum Discussion

mulhollandm_648
Aug 06, 2013

redirecting http traffic

folks

i'm new to big ip so apologies if i'm asking something pretty basic

i have a pair of internal big ip ltm 1600s which pass traffic to an upstream proxy (in a dmz) which then applies policies and sends the requests to the internet

i now need my big ip 1600 to identify traffic to a particular set of urls, i.e. internalsite-1.co.uk, internalsite-2.co.uk, hrdept.internal and send these directly to the servers

the sites i need to redirect are internal so i don't want to pass them upstream

can someone point me in the direction of some configuration examples

i'll have a look at the f5 university in the meantime

thanks to anyone taking the time to reply

greatly appreciated

8 Replies

  • The first question I'd ask is how your BIG-IPs are configured. Is this an outbound forwarding VIP? FastL4? Standard? Is it encrypted traffic - or could it be?
  • kevin

    many thanks for your reply

    unfortunately i don't have enough experience to answer your questions properly so i'll give a brief description of my setup

    users will connect to the big ip using the proxy configuration over port 8080

    the big ip will load balance internet traffic over port 8080 between a number of upstream proxies

    the upstream proxies will send the traffic to the internet on http/https

    my aim is to identify http/https traffic intended for internal servers and direct that directly to those servers

    hope this clarifies things

    thanks again for your help

  • I'll assume then that this is NOT a standard HTTP-based virtual server configuration, which means that it'd be possible ONLY for unencrypted traffic and inspecting the TCP payload in an iRule. There's a new feature in BIG-IP 11.3 called "SSL Forward Proxy" that would allow you to decrypt and re-encrypt outbound forward proxy traffic, but I'm guessing that'd be more complex than what you need.
  • kevin

    thanks once more

    some of the internal sites are https

    the big ip has three interfaces, an internal, external and management but both the internal and external are on my internal network but different vlans

    does this make a difference, if so can you recommend any deployment and configuration guides

    many thanks
  • "users will connect to the big ip using the proxy configuration over port 8080"

    is proxy ip (and port) virtual server on bigip? if yes, can you post the virtual server and pool configuration here?

    tmsh list ltm virtual (virtual server name)

    tmsh list ltm pool (pool name)
  • nitass

    please see attached config

    many thanks for your reply

    ltm virtual LTM-1600-VIP {
        destination 10.28.253.3:webcache
        ip-protocol tcp
        mask 255.255.255.255
        pool PROXY-POOL
        profiles {
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }

    ltm pool PROXY-POOL {
        members {
            10.37.3.20:webcache {
                address 10.37.3.20
                session monitor-enabled
                state up
            }
            10.37.3.21:webcache {
                address 10.37.3.21
                session monitor-enabled
                state up
            }
            10.37.3.22:webcache {
                address 10.37.3.22
                session monitor-enabled
                state up
            }
            10.37.3.23:webcache {
                address 10.37.3.23
                session monitor-enabled
                state up
            }
        }
        monitor TCP-8080
    }


  • If I'm not mistaken, I think iRule can help with this.

    If { url is internalsite-1.co.uk OR internalsite-2.co.uk OR hrdept.internal } {
        choose server x.x.x.x       # choose specific server
    } else {
        choose pool PROXY-POOL      # load balance normally to proxy server
    }

    Is this what you want?
  • i understand request format which is sent to proxy (e.g. 10.28.253.3:8080) is different from the one to web server. so, if you want to send request to web server directly, you may have to modify the request format yourself. it is something like http forward proxy codeshare below.

    HTTP Forward Proxy - v3.2

    https://devcentral.f5.com/wiki/irules.HTTP-Forward-Proxy-v3-2.ashx

    just my 2 cents.
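
The request-format difference raised in the last reply, as an added example that is not part of the thread and is a Python model of the decision rather than iRule code: it parses the first line of a proxy-style request, matches the host against the three internal names from the question, and rewrites the request line for direct delivery. The function name `route_proxy_request` and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hostnames and the pool name come from the thread; the function is hypothetical.
INTERNAL_HOSTS = {"internalsite-1.co.uk", "internalsite-2.co.uk", "hrdept.internal"}
TO_PROXY = ("PROXY-POOL", 8080, None)  # forward the bytes unchanged


def route_proxy_request(head: bytes):
    """Return (destination, port, rewritten_head) for one proxy-style request.

    rewritten_head is None when the bytes are forwarded as-is (proxy pool) or
    when the request is a CONNECT tunnel whose payload is opaque TLS.
    """
    line, _, rest = head.partition(b"\r\n")
    try:
        method, target, version = line.decode("ascii").split(" ")
        if method == "CONNECT":
            # HTTPS through a proxy: only "host:port" is visible.
            host, _, port = target.rpartition(":")
            port, path = int(port), None
        else:
            # Plain HTTP through a proxy: absolute-form URI in the request line.
            url = urlsplit(target)
            if url.scheme.lower() != "http":
                return TO_PROXY
            host, port = url.hostname or "", url.port or 80
            path = (url.path or "/") + ("?" + url.query if url.query else "")
    except ValueError:  # malformed line, bad port, or non-ASCII bytes
        return TO_PROXY

    # Exact, case-insensitive match: suffix or substring matching would let
    # look-alike names such as internalsite-1.co.uk.example.com bypass the proxy.
    host = host.lower().rstrip(".")
    if host not in INTERNAL_HOSTS:
        return TO_PROXY
    if path is None:
        # The device has to answer the CONNECT itself, then relay the TLS bytes.
        return (host, port, None)
    # Origin-form request line, as a web server (not a proxy) expects it.
    return (host, port, f"{method} {path} {version}\r\n".encode("ascii") + rest)
```
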