How to: Configure HTTP Transparent Inline Service¶
Overview¶
An Inline HTTP Transparent service is a network configuration that allows for the inspection and processing of HTTP (Hypertext Transfer Protocol) traffic in a transparent manner. The term “inline” indicates that the service is inserted directly into the network path, allowing it to intercept and analyze traffic as it flows through the network.
It necessitates distinct “to-service” and “from-service” networks. This ensures that traffic flows from the BIG-IP to the device on one network and returns to the BIG-IP via a separate network. Although functionally equivalent to an inline Layer 3 (L3) inspection device, this proxy device specifically manages decrypted HTTP traffic.
In an HTTP Transparent Inline setup, the proxy intercepts and processes HTTP traffic without requiring explicit configuration on the client side. Clients are typically unaware that their traffic is being directed through a proxy.
Procedure¶
The following example creates an HTTP Transparent Inline inspection service using the BIG-IP Next Central Manager user interface.
Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.
If you have not created any inspection service before, click Start Creating or click + Create if you already have some inspection services and want to create more inspection services.
In the Inspection Service drop-down list, select HTTP Transparent Inline.
Click Start Creating.
Specify General Properties for the policy.
For Name, enter a name for the HTTP Transparent Inline Service.
For Description, add a description for the service, if required.
For Device Monitor, specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them.
For Service Down Action, specify the action to be taken when a destination device associated with the service becomes unavailable or goes down. - Ignore: Skips forwarding traffic to the down service and forwards traffic to the next service in the chain. - Drop: Stops forwarding traffic to the affected service. - Reset: Resets the connection to the client.
For SNAT, select whether you want to use a SNAT Pool or SNAT Auto Map to translate addresses. SNAT Auto Map uses a BIG-IP Next Self IP address to replace each client source-IP address. With SNAT Auto Map you do not have to define a pool of distinct host addresses for SNAT to use. Unless your traffic volume is small, you should define SNAT addresses instead of using SNAT Auto Map.
For Remap Port, specify the port to which you want to remap the traffic.
Toggle the iRules radio button in the Additional Features section, if you want to include iRules for creating the service. The iRules tab will be added to the left pane.
Specify Network settings for the policy.
In the To: VLAN section,
For VLAN, Specify the L1 network VLAN Name* created during BIG-IP Next Onboarding for entry of traffic. Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.
Note: Do not use the same To: VLAN for more than one inspection service.
For Inspection Service Endpoint, specify the server address that BIG-IP will send traffic to.
In the From: VLAN section,
For VLAN, Specify the L1 network VLAN Name* created during BIG-IP Next Onboarding for return of traffic. Return refers to the traffic that the device sends back to BIG-IP Next.
For Inspection Service Endpoint, specify the server address that BIG-IP will receive traffic from.
Optional: In the iRules tab,
Click Start Adding.
Select the required iRules from the drop-down list.
Click Add to List.
Click Save & Continue.
Select Review & Deploy to deploy the configuration.
Verify the details in the Summary section and click Start Adding.
Select the BIG-IP Next Instances to which you want to deploy the service.
Note: Ensure to add a BIG-IP Next instance to Central Manager before you can deploy your changes to the Instance.
Click Add to List.
Note: While adding instances to which you want to deploy the inspection service, the instances that do not have SSL Orchestrator provisioned are also listed in Start Adding drop-down. These instances are disabled and can be selected only when you provision SSL Orchestrator on that BIG-IP Next instance.
You can select each instance to which you want to deploy the inspection service and click Validate. It will validate whether the VLAN configured for this Inspection Service exists on the Instance and display the relevant status.
If you want to modify the network configuration for an instance or if the VLAN configured for this Inspection Service does not exist on the instances added, you can create VLANs or modify the netowrk configuration on the instances using the respective Configure icon. To modify the network configuration of an instance:
Click the Configure icon. The Network page appears.
In the To: VLAN section, select an available VLAN or click + Create Vlan to create a new VLAN.
Click the L1 networks tab. Skip this step if you want to use an existing L1 network.
Click +Create to create a new L1 Network.
Enter a network name and interface name for the L1 network and the number of VLANs associated.
Click Save.
Click the VLANs tab.
Click +Create to create a new VLAN.
Enter the VLAN names that you added at step 11 or enter a new VLAN name.
Enter a tag and select the L1 Network from the dropdown.
Note: You can also use an exisiting L1 Network without creating a new L1 Network.
Click the Addresses field or Click IP Addresses tab.
Click + Create.
Add IP Address and Device Name.
Select the VLAN you created.
Repeat the above steps for From: VLAN configuration.
Click Save. The VLANs are deployed on the BIG-IP Next Instance.
Note: You can also use an exisiting VLAN without creating a new VLAN.
Note: When you create and configure a new VLAN for an instance, the respective Vlan column is updated with the new VLAN name.
14.Select the Instance(s).
15.Click Deploy Changes.
16.Click Yes, Deploy to deploy to the service to the selected instances.
Configure network objects
Typically, a BIG-IP Next user configures L1-networks objects during BIG-IP Next onboarding, including VLANs and self-IPs. If any additional network configuration objects (Virtual Routing Function (VRFs)) are not available on the instance, they are auto generated when you deploy the service.
You can create a VLAN during the onboarding and specify the VLAN while configuring an inspection service in Central Manager. For more details, see Getting Started with Installation. You can also create the VLAN from Central Manager before deploying the inspection service to an instance. For more details, see How to: Configure Instance Specific Network Settings using CM APIs
Configure an HTTP Tranparent Service
For the Inline HTTP Transparent inspection service, the minimum requirements for defining are illustrated in the following examples. The resulting ID will be at .id
.
Send a POST request to the /v1/inspection-services endpoint.
POST{{CM}}/api/v1/spaces/default/security/inspection-services
For the API body, use the following example, substituting appropriate values for the service you want to create.
In the following example:
Type - For an Inline HTTP Transparent inspection service, the value of this property is set to http-transparent.
to (network)- Specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic.
from (network)- Specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic.
monitor: Specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them. BIG-IP Next SSL Orchestrator currently supports only the ICMP monitor.
Basic
POST {{CM}}/api/v1/spaces/default/security/inspection-services
{ "name": "my-sslo-tproxy", "description": "My SSLO HTTP Transparent Service", "type": "http-transparent", "serviceDownAction": "ignore", "to": { "network": { "vlan": "sslo-insp-tproxy-in", "endpoints": [ { "address": "198.19.98.30:0" } ], "snat": { "snatType": "NONE" } }, "monitor": { "icmp": { "interval": 5, "timeout": 16 } } }, "from": { "network": { "vlan": "sslo-insp-tproxy-out" } } }
Curl
INSP=$(cat <<EOF { "name": "my-sslo-tproxy", "description": "My SSLO HTTP Transparent Service", "type": "http-transparent", "serviceDownAction": "ignore", "to": { "network": { "vlan": "sslo-insp-tproxy-in", "endpoints": [ { "address": "198.19.98.30:0" } ], "snat": { "snatType": "NONE" } }, "monitor": { "icmp": { "interval": 5, "timeout": 16 } } }, "from": { "network": { "vlan": "sslo-insp-tproxy-out" } } } EOF ) insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" |jq -r '.id')
API Reference
Required | Attribute | Defaults | Notes |
---|---|---|---|
* | name | none | |
* | description | none | |
* | type | none | string: must be "http-transparent" |
* | serviceDownAction | none | "ignore", "drop", or "reset" |
* | to: network: vlan | none | string: vlan-name |
* | to: network: endpoints: address | none | string: ip-address:0 |
* | to: network: snat: snatType | none | "NONE", "AUTOMAP", or "POOL" |
to: network: snat: snatType: POOL | none | "addresses": [ "10.0.0.200", "10.0.0.201" ] |
|
* | monitor | "icmp": { "interval": 5, "timeout": 16 } "http" { "interval": 5, "timeout": 16, "sendString": "", "receiveString": "", "receiveDisableString": "", "username": "", "password": "" } "tcp": { "interval": 5, "timeout": 16 "sendString": "" "receiveString": "" "receiveDisableString": "" } |
|
* | from: network: vlan | string: vlan-name |
Ansible Reference
Execute with:
export CMPASS='mypassword'
ansible-playbook -i notahost, sslo-service-httptp.yaml
---
- hosts: all
connection: local
vars:
bigip_next_cm_mgmt_ip: "10.1.1.6"
bigip_next_cm_password: "{{ lookup('ansible.builtin.env', 'CMPASS') }}"
tasks:
- name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
method: GET
status_code: 405
validate_certs: false
until: json_response.status == 405
retries: 50
delay: 30
register: json_response
- name: Authenticate to BIG-IP Next CM API
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
method: POST
headers:
Content-Type: application/json
body: |
{
"username": "admin",
"password": "{{ bigip_next_cm_password }}"
}
body_format: json
timeout: 60
status_code: 200
validate_certs: false
register: bigip_next_cm_token
retries: 30
delay: 30
- name: Set the BIG-IP Next CM token
set_fact:
bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"
- name: Get BIG-IP Next ID
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/instances?filter=hostname+eq+%27bigip-next.f5labs.com%27&select=hostname,id
method: GET
headers:
Authorization: "Bearer {{ bigip_next_cm_token }}"
Content-Type: application/json
timeout: 60
status_code: 200
validate_certs: false
register: json_response
- name: Set BIG-IP Instance ID
set_fact:
bigip_id: "{{ json_response.json._embedded.devices | map(attribute='id') }}"
- name: Get BIG-IP Admin User ID
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/users?filter=username+eq+%27admin%27&select=username,id
method: GET
headers:
Authorization: "Bearer {{ bigip_next_cm_token }}"
Content-Type: application/json
timeout: 60
status_code: 200
validate_certs: false
register: json_response
- name: Set BIG-IP Admin User ID
set_fact:
admin_id: "{{ json_response.json._embedded.users[0].id }}"
- name: Create SSLO HTTP Transparent Inspection Service
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services
method: POST
headers:
Authorization: "Bearer {{ bigip_next_cm_token }}"
Content-Type: application/json
body: |
{
"name": "my-sslo-tproxy",
"description": "My SSLO HTTP Transparent Service",
"type": "http-transparent",
"serviceDownAction": "ignore",
"to": {
"network": {
"vlan": "sslo-insp-tproxy-in",
"endpoints": [
{
"address": "198.19.98.30:0"
}
],
"snat": {
"snatType": "NONE"
}
},
"monitor": {
"icmp": {
"interval": 5,
"timeout": 16
}
},
"irules": [
{
"name": "testrule",
"version": "1",
"stage": false,
"created_by": "{{ admin_id }}"
}
]
},
"from": {
"network": {
"vlan": "sslo-insp-tproxy-out"
},
"irules": [
{
"name": "testrule",
"version": "1",
"stage": false,
"created_by": "{{ admin_id }}"
}
]
},
"remapHttpsPort": 8282
}
body_format: json
timeout: 60
status_code: 200
validate_certs: false
register: json_response
- name: Set Inspection Service ID
set_fact:
insp_id: "{{ json_response.json.id}}"
- name: Deploy SSLO HTTP Transparent Inspection Service to BIG-IP Instance
uri:
url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services/{{ insp_id }}/deployments
method: POST
headers:
Authorization: "Bearer {{ bigip_next_cm_token }}"
Content-Type: application/json
body: |
{
"deploy-instances": {{ bigip_id }},
"undeploy-instances": []
}
body_format: json
timeout: 60
status_code: 202
validate_certs: false
register: json_response
- debug:
var: json_response
Note: To configure instance specific network settings, refer to How to: Configure Instance Specific Network Settings using CM APIs