Application Configs

F5 LTM as HTTP Proxy

Create HTTP PROXY VIRTUAL SERVER

Configure variables used in next commands

Variable HTTPBaseName is used to create :

Resolver object : RESOLVER_${HTTPBaseName}

HTTP profile : http_${HTTPBaseName}

virtual server : VS_${HTTPBaseName}

HTTPBaseName="HTTP_FORWARD_PROXY"

VS_IP="192.168.2.80"

VS_PORT="8080"

create DNS resolver with your DNS server (1.1.1.1 is for demo using cloudflare)

tmsh create net dns-resolver RESOLVER_${HTTPBaseName} { forward-zones replace-all-with { . { nameservers replace-all-with { 1.1.1.1:domain { } } } } route-domain 0 }

create HTTP profile type explicit, using DNS resolver.

The parameter default-connect-handling allow enables HTTPS connections without SSL inspection

tmsh create ltm profile http http_${HTTPBaseName} { defaults-from http-explicit explicit-proxy { default-connect-handling allow dns-resolver RESOLVER_${HTTPBaseName} } proxy-type explicit }

create HTTP proxy Virtual server

tmsh create ltm virtual VS_${HTTPBaseName} { destination ${VS_IP}:${VS_PORT} ip-protocol tcp mask 255.255.255.255 profiles replace-all-with { http_${HTTPBaseName} { } tcp } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled}

ENABLE SSL FORWARD PROXY

This section is not required to forward HTTPS requests but only to enable SSL inspection on HTTPS requests.

Note : Following configuration requires SSL, Forward Proxy License.

Configure variables used in next commands

Variable SSLBaseName is used to create :

certificate / key pair : ${SSLBaseName}

Client SSL profile : clientssl_${SSLBaseName}

Server SSL profile : serverssl_${SSLBaseName}

virtual server : VS_${SSLBaseName}

SSLBaseName="SSL_FORWARD_PROXY"

dirname="/var/tmp"

CASubject="/C=FR/O=DEMO\ COMPANY/CN=SSL\ FORWARD\ PROXY\ CA"

Create self-signed certificate for CA purpose (not available in WebUI)

Self-signed certificates created in WebUI doesn't have CA capability required for SSL FORWARD PROXY.

openssl genrsa -out ${dirname}/${SSLBaseName}.key 4094

openssl req -sha512 -new -x509 -days 3650 -key ${dirname}/${SSLBaseName}.key -out ${dirname}/${SSLBaseName}.crt -subj "${CASubject}"

Import certificates in TMOS

tmsh install sys crypto key ${SSLBaseName}.key from-local-file ${dirname}/${SSLBaseName}.key;

tmsh install sys crypto cert ${SSLBaseName}.crt from-local-file ${dirname}/${SSLBaseName}.crt;

After CA Certificate is imported, browse in WebUI, retrieve it and import it in client browsers trusted CA

Create SSL profiles for SSL FORWARD PROXY

tmsh create ltm profile client-ssl clientssl_${SSLBaseName} { cert-lookup-by-ipaddr-port disabled defaults-from clientssl mode enabled proxy-ca-cert ${SSLBaseName}.crt proxy-ca-key ${SSLBaseName}.key ssl-forward-proxy enabled }

tmsh create ltm profile server-ssl serverssl_${SSLBaseName} { defaults-from serverssl ssl-forward-proxy enabled }

create SSL FORWARD PROXY Virtual server

tmsh create ltm virtual VS_${SSLBaseName} { destination 0.0.0.0:https ip-protocol tcp profiles replace-all-with { clientssl_${SSLBaseName} { context clientside } serverssl_${SSLBaseName} { context serverside } http { } tcp { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans replace-all-with { http-tunnel } vlans-enabled }

Change HTTP EXPLICIT PROXY Default Connect Handling to Deny

tmsh modify ltm profile http http_${HTTPBaseName} explicit-proxy { default-connect-handling deny }

Note : These commands were tested in both 12.1 and 13.1 versions.

Ref;

https://devcentral.f5.com/s/articles/use-f5-ltm-as-http-proxy-1145