xunil321_122934
Aug 03, 2016Nimbostratus
Solved
HTTP Explicit Proxy and http requests
Dear all,
we have used this iApp (https://devcentral.f5.com/codeshare/apm-explicit-proxy)
to install an explicit proxy under 11.5.1 HF7 where the client's browser is pointing
to this one. In the next step we have built a VS listening to the tunnel that the explicit
proxy has established. By applying an iRule or an APM profile for this VS we are
able to control the client's web access ie only selected hosts/uri are allowed to visit.
As long as we are calling sites with httpS://..... irule/APM profile are triggered
BUT using HTTP://.... no profile of the VS is triggered, although we disabled the VS
HTTP web access is granted. Very, very strange.
Why?
Many thanks for any explanation!
Rainer
Ah, so the difference here is in how explicit proxy handles http vs. https. Https traffic is in fact sent into the tunnel to be picked up by a wildcard virtual server as you discovered, however http traffic is sent directly to the end web server requested using routing specified under network->routes. As far as forcing non-encrypted http traffic to hit that virtual server requires some irule manipulation to accomplish that. A simpler strategy then trying to "virtual" the connection over to wildcard vs is in the HTTP_PROXY_REQUEST method on the explicit proxy VS you could run some of that same logic and block connections based on uri and/or ip right there.