For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

slowpoke115_145's avatar
slowpoke115_145
Icon for Nimbostratus rankNimbostratus
Apr 14, 2014

Configuring a reverse proxy with uri rewrites

I've been tasked with converting several hundred lines of apache config (which does some url rewrites and some reverse proxying); to function on an F5 LTM. Is there a simple way of doing this or will I need to create iRules for each individual line? Example config below:

ProxyPassMatch (?i)^/test(.*)$ http://10.0.0.1/test/$1

I have this around 100 times in various forms... Currently there are around 50 CNAMES (with a VIP bound to them) and the existing apache servers use reverse proxy to forward the requests to the correct internal servers (in this example 10.0.0.1). Obviously any issues with the reverse proxies means a complete outage.

My big concern is my inexperience with iRules, whether this is possible with an LTM (not much mention of CNAMES), the most suitable way to implement this without taking the existing reverse proxies offline (obviously at some point the LTM's will take over) and the mass of configuration I'm expecting.

Any help at all, greatly appreciated 🙂

application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
devops
iRules
LTM
security

5 Replies

  • travis99_94012's avatar
    travis99_94012
    Icon for Cirrus rankCirrus
    Apr 14, 2014

    I'm currently using Policies to accomplish this (local traffic - policies - policy list, for 11.4.x). Multiple URLs for the same VIP all pointing to their respective pools. No iRules needed.

     

    • slowpoke115_145's avatar
      slowpoke115_145
      Icon for Nimbostratus rankNimbostratus
      Apr 14, 2014
      That's actually pretty cool, although I'm not sure it would work for all my rules; I'll test tomorrow and keep you posted.
    • slowpoke115_145's avatar
      slowpoke115_145
      Icon for Nimbostratus rankNimbostratus
      Apr 15, 2014
      Thanks, that's pretty useful. I'm a bit cautious of using proxypass given that it's not supported by F5; I'm concerned an update may render it useless. I maybe able to use policies at this point and achieve the same thing, this is obviously heavily dependent on the rule complexity...
  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Apr 16, 2014

    We had the same worries as yours. We have opted for a mixed approach: Have a pool of servers running Apache just doing reverse proxy and URL rewriting/redirecting only. This is lightweight, easy to manage (using rsync to sync conf across the Apache servers for each update), and future-proof, and you get the best of both worlds.