Forum Discussion

LeeWild
Nov 20, 2019

DNS resolver iRule

Hello Everyone,


This is my first time using iRules and posting to this forum, so if the upcoming question is lacking knowledge then that's the reason.


We have a network behind an F5 that is attempting to connect to the Cisco Smart Licence service. The service itself on the switch uses a URL to connect with. Traffic is hitting the F5 from the source address of the switch to a destination VIP on port 8080 ('Standard' Virtual Server configured on F5).


Our current iRule statement is detailed below:


when HTTP_REQUEST {
    # Only act on requests whose host is one of the Cisco Smart Licensing hosts
    if { [class match [HTTP::host] equals license_url_grp] } {
        # Allow the switch network through; reject any other source address
        if { [class match [IP::client_addr] equals license_client_grp] } {
            return
        } else {
            log local0. "dropped connection from ip address [IP::client_addr]"
            reject
        }
    }
}


The 'license_url_grp' contains a number of URLs related to Cisco Smart Licensing.


The 'license_client_grp' contains the network that the switch is located on.


We are pointing to Google DNS servers at 8.8.8.8 and 8.8.4.4. When using the nslookup command from tmsh, the URLs in the 'license_url_grp' resolve correctly.


The tcpdump output on the F5 is reporting the details below:


HTTP: CONNECT tools.cisco.com:443 HTTP/1.0 in slot1/tmm2 lis=/Common/vf-license-proxy_8080_vip


So I just have a number of questions:


  1. Does the Virtual Server (VIP address on port 8080) have to match the port 443 in the Smart Licence request as per the tcpdump output?
  2. Does the iRule format look okay?


Thanks again for your help.


Regards,


Lee


3 Replies

  • That request is a Proxy request (CONNECT).

    Is the F5 Virtual server configured as the HTTP Proxy for the clients, or is the pool member of the virtual server the Proxy server?


    If the F5 Virtual server is configured as the Proxy, then you need an HTTP profile that is configured as an Explicit Proxy:

    K40243113: Overview of the HTTP profile


    Proxy Mode

    The proxy mode setting determines whether the virtual server operates in reverse, explicit, or transparent mode. The proxy mode offers different HTTP enforcement options for the profile, and allows you to configure the system to act as a gateway in the case of explicit proxy mode. The following proxy mode options are available:

    • Explicit - Changes the enforcement options for the profile and enables the BIG-IP system to process HTTP proxy requests and function as a gateway. By configuring browser traffic to use the proxy, you can control whether to allow or deny a requested connection, based on configured policies. The Explicit Proxy Mode requires a DNS resolver, specified in the Explicit Proxy area of the screen.


    > So I just have a number of questions:

    1.  Does the Virtual Server (VIP address on port 8080) have to match the port 443 in the Smart Licence request as per the tcpdump output?


    No - either the request is passed on to a Proxy server pool member, or is directly proxied by the F5 using the http profile (with the Explicit Proxy mode set). In either case, the traffic is arriving on port 8080.


    2. Does the iRule format look okay?


    No. That request does not have a Host header, so HTTP::host will not be specified.

    You need to use URI::host to extract the host from the request URI:

    [URI::host [HTTP::uri]]


  • Hello S Blakely,


    Thanks for your quick and detailed response. Here are our details:


    Virtual Server configured with a VIP address

    HTTP Profile - http-explicit, **http-explicit-proxy-vip**, external-resolver,

    **Customer specific profile inheriting http-explicit parent profile settings


    Referring to the previous questions and your answers:


    1. No - either the request is passed on to a Proxy server pool member, or is directly proxied by the F5 using the http profile (with the Explicit Proxy mode set). In either case, the traffic is arriving on port 8080. - Is the traffic arriving on that port client-side or server-side? Please clarify this statement. The communication needs to be on port 443 on the internet side after the traffic leaves the proxy. The internet side is expecting a request on port 443, not 8080.
    2. I've modified the iRule now with your details above. Awaiting a testing window from the customer.


    Again really appreciate the help with this. Thanks.


    • Simon_Blakely

      OK - so the virtual is acting as an explicit proxy.


      Client side traffic is port 8080 and unencrypted.


      The http profile (explicit proxy) sees an incoming CONNECT request to tools.cisco.com:443.

      At this point the BigIP uses the configured DNS resolver to resolve tools.cisco.com, and opens a TCP connection to port 443 - this is automatic, and uses the host:port combination in the URI of the CONNECT request.

      The http profile responds to the client with an HTTP/1.0 200 OK to establish the proxy tunnel, and the client then sends a TLS ClientHello. This uses the existing port 8080 connection from the client to the BigIP virtual, and the BigIP translates this to the port 443 connection on the server-side.


      From this point on, the BigIP is just a relay, passing the TLS packets from client to destination server, in the same way any HTTP proxy does - no snooping, no interfering - just port and address translation.


      If you want to look inside those packets, you need F5 SSLO, and that's a whole other story.
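The two technical points in the replies above, that a CONNECT request carries its target as host:port in the request line rather than in a Host header (so HTTP::host is empty and the host has to come from the request URI), and that after the 200 the proxy only relays the TLS bytes to the port named in that request line, modelled as an added Python example. This is illustration code, not an iRule and not anything from F5 or from the thread: the data-group contents, the 10.10.20.0/24 switch subnet, the captured bytes and all function names are constructed for the example.

```python
"""Model of the explicit-proxy CONNECT flow discussed above: parse the request,
decide as the thread's iRule would, answer the client and relay the tunnel.
Example code only, not BIG-IP's implementation; data-group contents are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins for the two data groups named in the thread.
LICENSE_URL_GRP = {"tools.cisco.com", "smartreceiver.cisco.com"}
LICENSE_CLIENT_GRP = [ipaddress.ip_network("10.10.20.0/24")]  # assumed switch subnet

CONNECT_OK = b"HTTP/1.0 200 Connection established\r\n\r\n"


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse an HTTP/1.x request head (request line plus header lines)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    req = Request(method, target, version)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def http_host(req: Request) -> str:
    """What HTTP::host sees: the Host header, or "" when the request has none."""
    return req.headers.get("host", "")


def uri_host_port(req: Request) -> Tuple[str, Optional[int]]:
    """What URI::host / URI::port see: the host in the request-target itself.
    CONNECT uses authority-form ("tools.cisco.com:443"); other methods sent to
    an explicit proxy use absolute-form ("http://host/path")."""
    target = "//" + req.target if req.method == "CONNECT" else req.target
    parts = urlsplit(target)
    return (parts.hostname or ""), parts.port


def irule_decision(client_ip: str, host: str) -> str:
    """The thread's iRule logic: act only on licensing hosts, then allow the
    switch subnet and reject anyone else; requests for other hosts fall through."""
    if host not in LICENSE_URL_GRP:
        return "pass"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LICENSE_CLIENT_GRP):
        return "allow"
    return "reject"


@dataclass
class Outcome:
    decision: str
    upstream: Optional[Tuple[str, Optional[int]]] = None
    to_client: bytes = b""


def handle_request(client_ip: str, raw: bytes, use_uri_host: bool = True) -> Outcome:
    """Process one client-side (port 8080) request as the explicit-proxy virtual
    would. use_uri_host=False takes the host from HTTP::host instead, as the
    original rule did; a CONNECT without a Host header then never matches."""
    req = parse_request(raw)
    host, port = uri_host_port(req)
    decision = irule_decision(client_ip, host if use_uri_host else http_host(req))
    if decision == "reject":
        return Outcome("reject")  # BIG-IP resets the client connection
    if req.method != "CONNECT":
        return Outcome(decision, (host, port or 80))
    # Tunnel: resolve host, open TCP to the port in the request-target (443 here)
    # and tell the client the tunnel is up; the client side stays on 8080.
    return Outcome(decision, (host, port), CONNECT_OK)


def relay(outcome: Outcome, client_bytes: bytes) -> bytes:
    """After the 200, everything the client sends (TLS ClientHello onward) is
    copied to the server-side connection unchanged; nothing is decrypted."""
    if outcome.to_client != CONNECT_OK:
        raise RuntimeError("no tunnel established")
    return client_bytes


# Constructed capture matching the tcpdump line in the question.
CAPTURED_CONNECT = b"CONNECT tools.cisco.com:443 HTTP/1.0\r\n\r\n"
# Constructed first bytes of a TLS record: type 0x16 (handshake), version 3.1.
CLIENT_HELLO_START = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"

if __name__ == "__main__":
    out = handle_request("10.10.20.5", CAPTURED_CONNECT)
    print(out.decision, out.upstream, out.to_client)
    print(handle_request("10.10.20.5", CAPTURED_CONNECT, use_uri_host=False).decision)
```

Running it with the captured CONNECT from the switch subnet gives "allow" with upstream ("tools.cisco.com", 443) and the 200 handshake; the same request evaluated through the Host header instead gives "pass", which is why the original rule never restricted anything: it looked at a header the CONNECT request does not have.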