Forum Discussion

Steve_A_130918's avatar
Steve_A_130918
Icon for Nimbostratus rankNimbostratus
Nov 27, 2013

Monitor Authenticating proxy

I am trying to monitor health on a pair of Clearswift SWG appliances by connecting to external websites.

 

I have set up an HTTP monitor sending 'get http://www.bbc.co.uk/ http/1.1\r\n\r\n' and if I use a receive string of 407 the monitor works. This suggests the proxy is returning 407 Authentication required as expected.

 

If I add Username and Password to the monitor, it still works with a return string of 407, but not with 200. This suggests that the monitor isn't passing the authentication through to the Clearswift proxy.

 

Can anyone point me in the right direction for a simple HTTP health monitor through an authenticating proxy

 

Thanks

 

Steve

 

11 Replies

  • Richard__Harlan's avatar
    Richard__Harlan
    Historic F5 Account

    he proxy is telling you that it need the Proxy-Authenticate header. You are going to have to create a customer HTTP monitor, easy way to do this is with curl. If you create a proxy request with curl and use the -v it will out put the HTTP request. You can recreate it request in the HTTP monitor quite easily.

     

  • I am also looking for same kind of configuration. please post the configuration if you have implemented this.

     

    Thanks in advance.

     

    Kunal B.

     

  • Use curl as suggested by Richard to get the authentication token string. Then create an http monitor with send and receive strings similar to below.

     

    Send String

     

    GET HTTP://www.xxx.co.uk/ HTTP/1.1\r\nProxy-Authorization: Basic String from Curl Test\r\nHost: www.xxx.co.uk\r\nAccept: /\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n

     

    Receive string

     

    HTTP/1.1 200 OK

     

  • Thanks for the reply Steve.

     

    Can you please explain in details, I am getting below http response from server,

     

    < HTTP/1.1 407 Proxy Authentication Required

     

    < Proxy-Authenticate: NEGOTIATE

     

    < Proxy-Authenticate: NTLM

     

    < Proxy-Authenticate: BASIC realm="IWA_Direct"

     

    < Cache-Control: no-cache

     

    < Pragma: no-cache

     

    < Content-Type: text/html; charset=utf-8

     

    < Proxy-Connection: close

     

    < Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/

     

    < Connection: close

     

    < Content-Length: 3500

     

    Also Please confirm do I need to put Username and password also ?

     

    Kunal B

     

  • the Curl command should look something like:

     

    curl www.microsoft.com --http1.1 --proxy-ntlm --proxy-user : --proxy http://: -v > .\out.txt

     

    You could use proxy-basic instead of proxy-ntlm depending on auth cversions available

     

    I also created an AD user to authenticate as, which had no permissions on the network except for access to the internet via the proxy, with no password expiry.

     

  • Thanks Steve for the reply, I have tried curl as below,

     

    curl http://www.google.com --proxy 89.2.43.110:80 -U r7b:test --proxy-ntlm -v

     

    And found below reply, About to connect() to proxy 89.2.43.110 port 80 (0) * Trying 89.2.43.110... connected * Connected to 89.2.43.110 (89.2.43.110) port 80 (0) * Proxy auth using NTLM with user 'r7b'

     

    GET http://www.google.com HTTP/1.1

     

    Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=

     

    User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5

     

    Host: www.google.com

     

    Accept: /

     

    Proxy-Connection: Keep-Alive

     

    < HTTP/1.1 407 Proxy Authentication Required

     

    < Proxy-Authenticate: NTLM TlRMTVNTUAACAAAACQAJADgAAAAGgokAkREv22yFgKEAAAAAAAAAAIQAhABBAAAABQCTCAAAAA9NR1JPVVBORVQCABIATQBHAFIATwBVAFAATgBFAFQAAQAUAEYARABZAEkATgBFAFQAQgBDADEABAAaAE0ARwBSAE8AVQBQAE4ARQBUAC4AQwBPAE0AAwAwAGYAZAB5AGkAbgBlAHQAYgBjADEALgBtAGcAcgBvAHUAcABuAGUAdAAuAGMAbwBtAAAAAAA=

     

    < Cache-Control: no-cache

     

    < Pragma: no-cache

     

    < Content-Type: text/html; charset=utf-8

     

    < Proxy-Connection: Keep-Alive

     

    < Set-Cookie: BCSI-CS-7d06572a9586553b=2; Path=/

     

    < Connection: Keep-Alive

     

    < Content-Length: 3519

     

    <

     

    • Ignoring the response-body
    • Connection 0 to host 89.2.43.110 left intact
    • Issue another request to this URL: 'http://www.google.com'
    • Re-using existing connection! (0) with host 89.2.43.110
    • Connected to 89.2.43.110 (89.2.43.110) port 80 (0)
    • Proxy auth using NTLM with user 'r7b'

    GET http://www.google.com HTTP/1.1

     

    Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAAAwADAHAAAAAHAAcAcwAAAAAAAAAAAAAABoKJALAR3vHczABkAAAAAAAAAAAAAAAAAAAAAN/jh1Ml/PxUuQAlpK1a3QDWqts1zSHtiHI3YkZEWUxCMTA=

     

    User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5

     

    Host: www.google.com

     

    Accept: /

     

    Proxy-Connection: Keep-Alive

     

    < HTTP/1.1 200 OK

     

    < Date: Thu, 05 Dec 2013 11:27:00 GMT

     

    < Expires: -1

     

    < Cache-Control: private, max-age=0

     

    < Content-Type: text/html; charset=ISO-8859-1

     

    < P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

     

    < Server: gws

     

    < X-XSS-Protection: 1; mode=block

     

    < X-Frame-Options: SAMEORIGIN

     

    < Alternate-Protocol: 80:quic

     

    < Transfer-Encoding: chunked

     

    < Proxy-Connection: Keep-Alive

     

    < Connection: Keep-Alive

     

    < Set-Cookie: PREF=ID=1442564a06c7befc:FF=0:TM=1386242820:LM=1386242820:S=uEG4ulBH4lbFPP8I; expires=Sat, 05-Dec-2015 11:27:00 GMT; path=/; domain=.google.com

     

    < Set-Cookie: NID=67=mRO5WVD-coHnV6hm7SyyetuTapMZ04xB0_C1lTMT5yRlgKMI1nj_JohiIbFGm_c_eRskjfxeIccejtMzBm99QsxbrZw76pPMHRhnS5qJA859esiqFeHlQ88QBVvd0q_s; expires=Fri, 06-Jun-2014 11:27:00 GMT; path=/; domain=.google.com; HttpOnly

     

    Based on the curl output I have modified monitor with Proxy authorization parameter below is get string,

     

    "GET HTTP://www.google.com/ HTTP/1.1\r\nProxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= \r\nHost: www.google.com\r\nAccept: /\r\nProxy-Connection: Close\r\nConnection: Close\r\n\r\n"

     

    but still Pool members are showing down.