Tunnelled HTTPS

Question

Hi,&nbsp;
&nbsp;we are using a bigIP 3200 to loadbalance traffic. the traffic is loadbalanced towards a proxy server.&nbsp;
&nbsp;  traffic in        traffic out - pool2 (external)
&nbsp;   |                    | 
&nbsp;*-----------------------------*
&nbsp;|     bigip                   |
&nbsp;*-----------------------------*
&nbsp;    |
&nbsp;    proxy pool
&nbsp;    
&nbsp;    
&nbsp; normal traffic comes in on trafic in interface and is loadbalanced to the proxy pool. the proxy pool fetches the content through the traffic out.&nbsp;
&nbsp;this works perfectly as long as we to not use a http profile for the connection.
&nbsp;the problem is that some of the traffic is tunneled https traffic. the tunneled https traffic is not working having the HTTP profile active.&nbsp;
&nbsp;we need to use the http profile in order to have the current iRule active.&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp; if {[HTTP::uri] contains "url1" } {
&nbsp;  snatpool public_SNAT_POOL
&nbsp;  pool pool2
&nbsp; }
&nbsp;}&nbsp;&nbsp;
&nbsp;does anyone have an idea on what is wrong?&nbsp;
&nbsp;All help is apreciated!&nbsp;
&nbsp;Thanks!

aaronjb · Answer

I presume you are tunnelling the HTTPS using the HTTP "CONNECT" method?&nbsp;
&nbsp;If so, the HTTP state parser doesn't support that - once the connection becomes HTTPS it will be unable to parse the traffic flow and will give up, in a somewhat inelegant manner.&nbsp;
&nbsp;What you'll need to do is selectively disable the HTTP parser once you see a "CONNECT" method in the stream, and leave it disabled for the remainder of that TCP connection.&nbsp;&nbsp;
&nbsp;You'll want to look into the HTTP::disable and HTTP::detach commands from memory - let me know if nothing comes up searching here and I'll dig out an example I have from a while ago.&nbsp;
&nbsp;-- 
&nbsp;Aaron

toby_80039 · Answer

Thanks! I Apriciate the quick response!&nbsp;
&nbsp;Yes we are ussing the connect method. and your suggestion works! :D

Forum Discussion

Tunnelled HTTPS

2 Replies

Recent Discussions

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Need advise to setup a policy on F5

F5 Rseries R2600 Tenant sizing

Related Content

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

SSL VPN Split Tunneling and Office 365

Tunneling with HTTP CONNECT

DNS Tunnel Mitigation v2

DNS Tunneling Protection