BIGIP as Reverse Proxy
Hi all
I'm trying to configure a virtual server to act as a reverse proxy so I can replace a TMG. It would proxy for some internal sites.
The goal is the following:
External Name: publicdomain.net
Internal Name: internaldomain.lan
-- https://publicdomain.net --> BIGIP --> https_or_http://internaldomain.lan --> WEBSERVER
I have followed this article: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/21.html
I have configured a virtual server:
- listening port 443
- no default pool
- SNAT with automap enabled (to act as proxy, logically)
- a client SSL profile (to make the client connect to the proxy via HTTPS)
- a server SSL profile (to allow the BIGIP to connect to the internal server via HTTPS - is this correct??)
But I have the following doubts:
- How can I make BIGIP connect via HTTP instead of HTTPS to the internal webserver?
- Is the server SSL profile necessary to make BIGIP connect via HTTPS to the internal webserver? But each site of the internal webservers has a different internal certificate. I really don't know how to get this to work.
Hope I have explained my doubts correctly.
Thanks!
- Andy_McGrath
Cumulonimbus
- LTM Virtual Servers are reverse proxies by default.
- Your high level setup looks correct apart from the fact you need a default pool set up unless you have another way to select a backend server, like with the use of an iRule. The pool will be made up of Pool Members, a Node plus Port for the F5 to connect to.
- Yes, you can have SSL traffic terminate at the F5 LTM and have non-encrypted (HTTP) traffic on the server side without a problem. This is known as SSL Offloading. Just remove the Server SSL profile from the Virtual Server config and make sure the backend server will accept HTTP traffic.
- Javier_Somoza_3
Nimbostratus
Ok, it seems that using the "Disable - Server SSL" action in the local traffic policy list and forwarding to node "IP:80" works to disable SSL on internal connections.
The last thing I need is to perform filtering based on the client source IP/network. I'll try to investigate it later...
- Javier_Somoza_3
Nimbostratus
Thanks AMG!
Ok, I'm selecting the backend server by using a local traffic policy list based on the Host header and URL path. But I need internal SSL traffic for some backends and non-SSL traffic for others. If I remove the SSL profile it affects all of them, given that I'm using a single virtual server for many published webs.
- Andy_McGrath
Cumulonimbus
No problem, glad I can help
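
The per-backend choice discussed in this thread (server-side SSL for some sites, plain HTTP for others, plus a client source-network check) can also be made in an iRule instead of a local traffic policy. This is an added example, not code from the thread: the hostnames, pool names and the allowed network are placeholders, and it assumes the server SSL profile stays attached to the virtual server.

```tcl
# Added example: hostnames, pool names and networks are placeholders.
# Assumes one virtual server on :443 with a client SSL profile, an HTTP
# profile and a server SSL profile attached.
when HTTP_REQUEST {
    # Normalise the Host header: lower case, strip any ":port" suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "app1.publicdomain.net" {
            # Backend only speaks HTTP: turn off server-side SSL for
            # this request and send it to a pool whose members are on :80.
            SSL::disable serverside
            pool pool_app1_http
        }
        "app2.publicdomain.net" {
            # Backend requires HTTPS. Re-enable explicitly, because an
            # earlier request on the same client connection may have
            # disabled server-side SSL.
            SSL::enable serverside
            pool pool_app2_https
        }
        "admin.publicdomain.net" {
            # Restrict this site to one client network (placeholder
            # range) before any backend is selected.
            if { ![IP::addr [IP::client_addr] equals 192.0.2.0/24] } {
                HTTP::respond 403 content "Forbidden"
                return
            }
            SSL::enable serverside
            pool pool_admin_https
        }
        default {
            # Unknown Host header: do not fall through to any backend.
            HTTP::respond 404 content "Not found"
        }
    }
}
```

With plain-HTTP backends the traffic between the BIG-IP and the web server is unencrypted, so keep those pool members on a trusted internal segment.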