NimbostratusiRule - SSL Forward proxy bypass, some sites won't work.
I have a F5 BIG-IP working as a forward ssl proxy, but some sites just won't work. Thats why I have developed a iRule to have a bypass list based on IP addresses.
Traffic-flow is like this.
Client -> Catch All VS for all traffic, or VS with port 443 for SSL traffic -> iRule -> Forward to pool that contains a Checkpoint - > Checkpoint routing points back to F5 -> New Catch all VS that forwards traffic and Automap -> Internet router -> Internet.The start of the iRule:
when CLIENT_ACCEPTED {
log local0.alert "[IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
On TCP session initiation, we dont know if this is going to be SSL or otherwise
so disable SSL and HTTP profiles and then collect the payload
if { [ class match [IP::local_addr] equals bypass-dst ] } {
log local0.alert "*** Bypass SSL for IP [IP::client_addr]:[TCP::client_port] --> [IP::local_addr]:[TCP::local_port]"
SSL::disable clientside
SSL::disable serverside
HTTP::disable
pool pool-checkpoint-internal
}
The iRules works for most sites, we then get the proper certificates and not the internal generated one. But there is still some sites that won't work.
For example: https://www.fulfilment-portal.stralfors.se/ is the one I am having issues with now. This is a TLS1.0 site with old ciphers, so I was thinking the F5 is dropping the connection based on that? But I have no ssl-profiles associated with the Catch All VS that handles Automap and forwards to internet. So the F5 should not do anything with the traffic? Or is there some interface\self-ip setting I need to tweak?
It's kinda frustrating to not be able to let traffic flow directly trough, I don't want the F5 to change or do anything with the traffic on the bypass list.
