HTTP Explicit Proxy and http requests

Question

Dear all,&nbsp;
we have used this iApp (https://devcentral.f5.com/codeshare/apm-explicit-proxy)&nbsp;
to install an explicit proxy under 11.5.1 HF7 where the client's browser is pointing&nbsp;
to this one. In the next step we have built a VS listening to the tunnel that the explicit
&nbsp; 
proxy has established. By applying an iRule or an APM profile for this VS we are&nbsp;
able to control the client's web access ie only selected hosts/uri are allowed to visit.&nbsp;
As long as we are calling sites with httpS://..... irule/APM profile are triggered&nbsp;
BUT using HTTP://.... no profile of the VS is triggered, although we disabled the VS
&nbsp; HTTP web access is granted. Very, very strange.&nbsp;
Why? &nbsp;
Many thanks for any explanation!&nbsp;
Rainer &nbsp;

jamessevedge_23 · Accepted Answer

Ah, so the difference here is in how explicit proxy handles http vs. https. Https traffic is in fact sent into the tunnel to be picked up by a wildcard virtual server as you discovered, however http traffic is sent directly to the end web server requested using routing specified under network->routes. As far as forcing non-encrypted http traffic to hit that virtual server requires some irule manipulation to accomplish that. A simpler strategy then trying to "virtual" the connection over to wildcard vs is in the HTTP_PROXY_REQUEST method on the explicit proxy VS you could run some of that same logic and block connections based on uri and/or ip right there.

jamessevedge_23 · Answer

Sample iRule Basic Logic
when CLIENT_ACCEPTED {

block by IP

} ; CLIENT_ACCEPTED

when HTTP_PROXY_REQUEST {
 if {[HTTP::method] eq "CONNECT"} {
   HTTP Profile will forward via tunnel to transparent proxy
  return
 }

otherwise you know it is non-tls and as such could use HTTP:: commands to parse request and decide on allow/disallow.

} ; HTTP_PROXY_REQUEST

xunil321_122934 · Answer

James,&nbsp;
things become clearer and clearer. Many thanks, but WHY does the proxy&nbsp;
handles the http/ https traffic in a different way? Any idea behind this?&nbsp;

jamessevedge_23 · Answer

This was the way the explicit proxy was designed, I cannot go into specifics as I am not aware of complete reasoning but because of the way TLS vs. non-TLS is handled using the CONNECT verb from the client side it was determined for various reasons at the time that any manipulation by HTTP traffic could be handled on the explicit VS directly as I mentioned above and then passed using routing to the end web server directly as opposed to going through another layered VS as is done for HTTPS to improve performance, etc... There is discussions about improving the options in the explicit proxy profile to potentially allow more options to this behavior in the future but as of now this is how it is designed. To allow for adding of disallowed ipuri's in a single place each of the irules (explicit+wildcard VS) could make calls to a datagroup(s) that would compare current connection ip/uri to disallowed ip/uri's in the datagroup(s) so that as an admin you would just need to update the datagroup(s) and both irules on different VS's would block those new ip/uri's dynamically based on that. Hopefully this helps!

jamessevedge_23 · Answer

One additional thought to add as to why, if the goal is big IP to act as an explicit proxy then the easiest thing would be to accept client connection and then just pass all connections out default routing.  But then for HTTPS since it would CONNECT and then try to negotiate SSL through that tunnel if big IP wanted to decrypt HTTPS at that point you would have to have another VS with a clientside and serverside SSL profile to allow decryption and then utilize full big IP feature set on decrypted traffic before passing to end webserver re-encrypted by BIG IP.  But instead of forcing HTTP to use this methodology as well even though not necessary as it is non-TLS it was decided for improved performance to allow it to just use routing and bypass that additional layered VS.  Again, not a concrete answer based on direct knowledge but just some more insight.&nbsp;

Forum Discussion

HTTP Explicit Proxy and http requests

5 Replies

Recent Discussions

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Related Content

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

Integrating SSL Orchestrator with Symantec ProxySG: Explicit Proxy

Integrating SSL Orchestrator with McAfee Web Gateway-Explicit Proxy

HTTP Explicit Proxy Explained in Plain English

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition-Explicit Proxy