How to: Configure the Forward Proxy using BIG-IP Next Central Manager

Overview

This document describes the steps to enable or disable the HTTP or HTTPS proxy in BIG-IP Next Central Manager.

Procedures

Configure the Proxy in BIG-IP Next Central Manager

  1. Log in to BIG-IP Next Central Manager as admin.

    • In the left-hand navigation menu, click the Workspace icon located next to the F5 icon.

    • Go to System > CM Maintenance and click Properties.

    • The Properties screen will appear on the right side.

  2. Access Proxy Settings:

    • Click Manage.

    • In the left-hand navigation menu, select the Proxy option.

    • A new screen will appear where you can enable and configure the proxy settings.

  3. Enable and Configure Proxy:

    • Toggle the Enable Proxy radio button to turn on the proxy feature, then click Configure Proxy.

    Note: The Configure Proxy option is enabled only after you activate the Enable Proxy button.

    • To enable the proxy, click Yes, Enable Proxy and proceed with configuring the proxy settings.

  4. Enter Proxy Details:

    • In the IP Address or FQDN field, enter the IP address or Fully Qualified Domain Name (FQDN).

    • In the Port field, enter the port number.

    • In the Protocol field, select HTTP or HTTPS (recommended).

    • HTTP: No certificate is required.

    • HTTPS: Choosing a certificate from the dropdown is mandatory.

      • Add a Certificate:

        • If adding a certificate for the first time, click + Add Certificates.

        • You will be redirected to a new screen to import the certificates.

        • Click + Add at the top right corner of the screen.

      • Import Certificate:

        • Select Import a Certificate.

        • In the Name field, choose Create New and enter the certificate name.

        • In the Tag dropdown, select a tag to define the type of traffic the certificate will support. Make sure to choose Forward Proxy.

        • In the Type field, select Certificate.

      • Source Selection:

        • From the Source field, choose one of the import options:

        • Import: Click Import, navigate to the location where the certificate is stored, and select it.

        • Paste: Copy and paste the certificate content into the provided fields.

      • Click Save to add the imported certificate.

  5. Enable Authentication:

    • Check the box for Enable Authentication.

    • Enter the Username and Password.

    • Click Test Proxy Connection.

    • A success message will appear if the proxy connection is successful.

  6. Save Configuration:

    • Click Save.

    • The Proxy screen will appear with the settings you configured.

  7. Verify and Finalize:

    • Review the IP Address, Port, and Protocol settings.

    • Click Test to verify the connection. If changes are necessary, click Edit.

    • If the connection is successful, a success message will appear.

    • Click Save Proxy to finalize the configuration.

    • A success message will appear: Proxy Created Successfully.

Disable the Proxy in BIG-IP Next Central Manager

  1. Log in to BIG-IP Next Central Manager as admin.

  2. Navigate to the Properties screen:

    • In the left-hand navigation menu, click the Workspace icon located next to the F5 icon.

    • Go to System > CM Maintenance and click Properties.

    • The Properties screen will appear on the right side.

  3. Access Proxy Settings:

    • Click Manage.

    • In the left-hand navigation menu, select the Proxy option.

    • A new screen will appear where you can enable and configure the proxy settings.

  4. Disable Proxy:

    • Toggle the Enable Proxy radio button to disable the proxy feature.

    • A confirmation window will prompt you with the message: “Do you want to disable the Proxy?” or “Do you want to continue?”

    • To continue, click Yes, Disable Proxy. A success message will appear: Proxy Disabled Successfully.

Steps to Configure Proxy settings for K3s

When enabling ZTNA, the BIG-IP Next Central Manager connects to the XC container registry. If a forward proxy is present, k3s must be configured with the proxy settings.

  1. Create a new file at /etc/default/k3s with the following content:

     CONTAINERD_HTTP_PROXY=http://your-proxy.example.com:8888
     CONTAINERD_HTTPS_PROXY=http://your-proxy.example.com:8888
     CONTAINERD_NO_PROXY=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    

    Refer to the K3s advanced configuration for more details.

  2. Restart the K3s service to apply the new configuration.

  3. Verify the configuration by deploying with kubectl commands.

    Note: Ensure the CONTAINERD_NO_PROXY setting is updated according to your K3s environment.

Steps for finding “CONTAINERD_NO_PROXY” value

In complex K3s environments, correctly configuring NO_PROXY is critical to ensure that internal traffic bypasses the proxy while external traffic is properly routed. Here’s a structured approach to determine the appropriate NO_PROXY settings:

  • Localhost and Loopback Addresses:

    • localhost

    • 127.0.0.1

    • ::1 (IPv6)

  • Pod and Service CIDR Ranges: These are the IP ranges assigned to pods and services within the cluster:

    kubectl cluster-info dump | grep -m 1 -E --color=never 'cluster-cidr|service-cluster-ip-range'
    
  • Node IP Addresses: Obtain the IP addresses of all nodes in the cluster using the command:

    kubectl get nodes -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'
    
  • Cluster Domain Suffix: Typically, Kubernetes clusters use a default domain suffix like .cluster.local. This can be verified in the cluster DNS settings.
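
Combining the four sources above into a single value, as an added example that is not part of the original page. The function names are hypothetical and the embedded `kubectl` output is constructed (K3s default pod and service ranges, documentation-range node addresses).

```shell
#!/bin/sh
# Added example: assemble CONTAINERD_NO_PROXY from the sources listed above.

# Print every CIDR passed to --cluster-cidr / --service-cluster-ip-range in
# `kubectl cluster-info dump` text read from stdin, one per line.
extract_cidrs() {
    grep -oE -e '--(cluster-cidr|service-cluster-ip-range)=[0-9a-fA-F:./,]+' |
        cut -d= -f2 | tr ',' '\n' | sort -u
}

# Shape check: IPv4/IPv6 literal with optional /prefix. Keeps wildcards and
# stray tokens out of the bypass list, where they would widen it silently.
is_ip_or_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)(/[0-9]{1,3})?$'
}

# build_no_proxy CIDRS NODE_IPS [DOMAIN_SUFFIX]
# CIDRS and NODE_IPS are whitespace-separated; duplicates are dropped.
build_no_proxy() (
    set -f    # no globbing while the lists are word-split
    out="localhost,127.0.0.1,::1"
    for entry in $1 $2; do
        is_ip_or_cidr "$entry" || { echo "rejected: $entry" >&2; exit 1; }
        case ",$out," in
            *",$entry,"*) ;;
            *) out="$out,$entry" ;;
        esac
    done
    printf '%s,%s\n' "$out" "${3:-.cluster.local}"
)

# Constructed stand-ins for the output of the two kubectl commands above.
SAMPLE_DUMP='    "--cluster-cidr=10.42.0.0/16",
    "--service-cluster-ip-range=10.43.0.0/16",'
SAMPLE_NODES='192.0.2.11
192.0.2.12'

printf 'CONTAINERD_NO_PROXY=%s\n' \
    "$(build_no_proxy "$(printf '%s\n' "$SAMPLE_DUMP" | extract_cidrs)" "$SAMPLE_NODES")"
```

On a live cluster, pipe the real `kubectl cluster-info dump` output into `extract_cidrs` and pass the node IP list from the `kubectl get nodes` command as the second argument.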

Prerequisite

Authenticate with the BIG-IP Next Central Manager API. For details refer to How to: Authenticate with the BIG-IP Next Central Manager API.

Procedures

Use the following BIG-IP Next Central Manager APIs to enable or disable the proxy:

  1. Import the certificate by sending a POST request to the spaces/default/certificates/import endpoint.

    POST  https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates/import
    

    For the request payload, use the following example and substitute appropriate values as required.

    {
        "name": "testProxyCert",
        "cert_text": "-----BEGIN CERTIFICATE-----\nMIIDkzCCAnugAwIBAgIUZ+oVJ4HE1GO/LzOMeOR2uJQyzYwwDQYJKoZIhvcNAQEL\nBQAwWTELMAkGA1UEBhMCSU4xEjAQBgNVBAgMCVRFTEFOR0FOQTEMMAoGA1UEBwwD\nSFlEMREwDwYDVQQKDAhGNSwgSW5jLjEVMBMGA1UEAwwMQ1BDTCBSb290IENBMB4X\nDTIzMDYwNzEzMzM0NloXDTI4MTEyNzEzMzM0NlowWTELMAkGA1UEBhMCSU4xEjAQ\nBgNVBAgMCVRFTEFOR0FOQTEMMAoGA1UEBwwDSFlEMREwDwYDVQQKDAhGNSwgSW5j\nLjEVMBMGA1UEAwwMQ1BDTCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAmYg8wKCxLf2NRzzdlrcAJ8aSDYYyM7FZJMa4lwYjITNXb+y2lob1\ngLkbS6knqFSZKCGeFWgZFLkpA//ESSZALa+kP2KFMMLRmgxpoOP2FowCMFk/vtmA\nWc+uZahckRCKidwbltBX++uwgcatvh5hfCq91sP9qop+tunfyxBe3KfmOh4aX+q/\nvKSIyzv5gIFXrH2l9SCoMGN5hR1IHS4SAD5EDYs1cDxGH5z3m2hc8n5fInHUlRFr\nGmzgB1DeE8DxKo1tzWZQXCQYrhy+3k6niobA4JQTg4wvFt6sGFhzQyWj/ktR8rG1\nmIxznSUmvAIHINMh0MTVFfLrn+WUsyU0zwIDAQABo1MwUTAdBgNVHQ4EFgQU3Gyx\nvq1DFQBHgISE+tHpQaagR8IwHwYDVR0jBBgwFoAU3Gyxvq1DFQBHgISE+tHpQaag\nR8IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAbOtf20GzEFBP\nzoUFK8jsiExwBl00UCMFbpbt2v831j9u6ZTmgj2hRKOh8AgwdM2e5zC0ceKbDwTu\nBEmFRFM/zb2HqqsWDEoQRKENq/XNMhr/RlPiDr+A56Rcrlt/h0q4B/frSE69JnzJ\n5gE4Oy8J7p6Ann8lD+pOAC196asYbO7yrfOqvx7uww3esiEHG/V+g7bPS1yDaV/7\nrv7sL4TTMMRjcYd4KeMyAmC9/Z9bILY3bvkNT+YXHRlfmHROPezVydhZU8dri9oY\n97d4lde/NlWzwnCae3jNE0kbU2Imfk6wEmtltZ7csbIARuURwlp4bqGb+qe7SazQ\nQvkHkS/aXw==\n-----END CERTIFICATE-----",
        "source": "ForwardProxy"
    }
    

    For more information about importing certificates by using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  2. Retrieve the certificate details with forward proxy by sending the GET request to /spaces/default/certificates?filter=source eq 'ForwardProxy' endpoint.

    GET  https://{{cm_mgmt_ip}}/api/v1/spaces/default/certificates?filter=source eq 'ForwardProxy'
    
  3. Retrieve the configuration of all forward proxies by sending the GET request to /system/forward-proxy endpoint.
    Identify the proxy id from the response.

    GET  https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy
    

    For more information about retrieving the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  4. Create a forward proxy configuration by sending a POST request to the /system/forward-proxy endpoint.

    POST  https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy
    

    For the request payload, use the following example and substitute appropriate values as required.

    {
        "auth_required": true,
        "enabled": true,
        "host": "xxx.xxx.xxx.xxx",
        "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e",
        "password": "",
        "port": 3127,
        "protocol": "HTTP",
        "root_cert_id": "00000000-0000-0000-0000-000000000000",
        "username": "user"
    }
    

    For more information about creating the forward proxies configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  5. Update the information of a forward proxy by sending the PUT request to system/forward-proxy/{id} endpoint.
    Replace the id with the proxy id from the step 3 response.

    PUT https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/{id}
    

    For the request payload, use the following example and substitute appropriate values as required.

    {
        "auth_required": true,
        "enabled": true,
        "host": "xxx.xxx.xxx.xxx",
        "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e",
        "password": "",
        "port": 3127,
        "protocol": "HTTP",
        "root_cert_id": "00000000-0000-0000-0000-000000000000",
        "username": "user"
    }
    

    For more information about updating the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  6. Test the forward proxy configuration by sending the POST request to system/forward-proxy/test endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/test
    

    For the request payload, use the following example and substitute appropriate values as required.

    {
        "auth_required": true,
        "enabled": true,
        "host": "xxx.xxx.xxx.xxx",
        "id": "2422a577-5430-11ef-8dc3-8ea6fa37c07e",
        "password": "",
        "port": 3127,
        "protocol": "HTTP",
        "root_cert_id": "00000000-0000-0000-0000-000000000000",
        "username": "user"
    }
    

    For more information about testing the forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.

  7. Test a forward proxy configuration with the given endpoint by sending the POST request to system/forward-proxy/{id}/test-connection endpoint.

    POST https://{{cm_mgmt_ip}}/api/v1/system/forward-proxy/{id}/test-connection
    

    For the request payload, use the following example and substitute appropriate values as required.

    {
        "endpoint": "http://google.com"
    }
    

    For more information about testing the specific forward proxy configuration using BIG-IP Next Central Manager APIs, see OpenAPI documentation.
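
For step 1, the PEM file has to become the single-line `cert_text` string shown in the import payload. The following added example (not from the original page or from F5 tooling) does that conversion and refuses input that contains private key material; the function name is hypothetical and the sample certificate is constructed.

```shell
#!/bin/sh
# Added example: build the step 1 certificate import body from a PEM file.

# build_cert_import_payload NAME PEM_FILE
# Prints the JSON body for POST .../spaces/default/certificates/import.
build_cert_import_payload() {
    name=$1
    pem=$(tr -d '\r' < "$2") || return 1    # normalise CRLF line endings

    # Keep the name to characters that cannot terminate the JSON string.
    case $name in
        ''|*[!A-Za-z0-9._-]*) echo "invalid certificate name" >&2; return 1 ;;
    esac
    # Key material must never travel in a certificate import.
    case $pem in
        *'PRIVATE KEY-----'*) echo "refusing: input holds a private key" >&2; return 1 ;;
    esac
    # Require PEM armor and allow nothing except armor and base64 lines.
    printf '%s\n' "$pem" | grep -q '^-----BEGIN CERTIFICATE-----$' &&
        printf '%s\n' "$pem" | grep -q '^-----END CERTIFICATE-----$' ||
        { echo "no complete certificate found" >&2; return 1; }
    if printf '%s\n' "$pem" |
        grep -Ev -e '^-----(BEGIN|END) CERTIFICATE-----$' -e '^[A-Za-z0-9+/=]*$' |
        grep -q .; then
        echo "unexpected non-PEM content" >&2; return 1
    fi

    # Join the lines with a literal backslash-n, the form cert_text takes.
    text=$(printf '%s\n' "$pem" | awk 'NF { printf "%s%s", sep, $0; sep = "\\n" }')
    printf '{"name": "%s", "cert_text": "%s", "source": "ForwardProxy"}\n' \
        "$name" "$text"
}

# Constructed sample, not a real certificate; shows the output shape only.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$sample"
build_cert_import_payload testProxyCert "$sample"
rm -f "$sample"
```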