
Forum Discussion

Tim_Watts_29480
Oct 10, 2016

F5 - is it just a reverse proxy (as far as fronting 100 webservers)

Hi,

 

I have someone trying to sell me the virtues of F5 loadbalancers, so I can present 100+ virtual servers running webservers on a single public (aka publicly routeable) IPv4 address instead of one public IP per virtual server as currently.

 

I don't think it's going to work for my existing systems, but I am happy to be proven wrong. So can I chuck a couple of questions out to you good folks who know this product, and thank you in advance for your time :)

 

1) Is the F5 basically a reverse HTTP proxy appliance (in the above context) or would it also use NAT-ing?

 

2) I note in the documents, it can set an X-Forwarded-For header (that's a start), so I can at least change the apache config to log that IP in the access logs instead of the source address of the TCP connection.

 

3) Can the F5 cope with broken SSL certificates on the target servers (specifically CN mismatch)? (Don't ask - there is a reason) - ie the equivalent of --no-check-certificate in wget ?

 

The above is potentially OK, apart from the extra work it will cause me tweaking custom configs on 700+ named vhosts across 100+ servers.

 

The stuff I think will not work is:

 

a) mod_authz_host will break (Apache "Allow from" handler) as there's no way mod_authz_host can use X-Forwarded-For in apache 2.2. I need to be able to allow Nagios and various security scanners to bypass HTTP AUTH protection from a limited set of IP addresses. We have no split view DNS capabilities, so everything internal will try to come via the F5 too.

 

b) fail2ban: There also seems to be no way to change the IP reported in apache error logs, and even if there is, fail2ban will simply drop in a netfilter rule to block an IP address it will never see. At worst, it will block the loadbalancer, effectively DOSing the server.

 

Don't get me wrong, I am sure the F5 is a fine appliance and I'm not here to disrespect it, but I don't think it will work for my existing systems from a purely computer science point of view.

 

But I am happy to be proved wrong if it can do some seriously magic SNAT operations.

 

Seemed the easiest way was to ask the experts :)

 

Kind regards and thanks for your time,

 

Tim Watts

 

11 Replies

  • Tim,

     

    I have worked in the Application Delivery space for over 10 years and F5 is by far the best system I have worked with (and I don't work directly with F5 so not a sales pitch).

     

    The F5 systems are split into software modules doing different things, but at its core is LTM, which is basically a fancy Reverse Proxy which can route and/or NAT traffic (both static NAT and SNAT). However, it also has very powerful and flexible traffic manipulation features, including iRules for scripting and a number of profiles, like HTTP, that can add/remove/modify traffic, such as adding the XFF header for HTTP traffic.

     

    With SSL you can offload your SSL to the F5 appliances and use a different cert on the client side than on the server side; this also allows less secure SSL on the server side without compromising security on the client side.

     

    The one thing that will stop you hosting 100+ sites on a single IP is that each SSL Cert will need a different IP, so unless everything is on the same domain and you have a Wildcard Certificate you will need more than one IP.

     

    With mod_authz_host I would need more info about your setup and issues with it. If it cannot use XFF, then anything using IP restrictions can be moved to the F5 with very simple iRules, or if you want to allow IPs without authentication for scanning, an iRule to set a different SNAT address based on a list (Data Group) of allowed IPs.

     

    I have not come across fail2ban before but it may be able to update the F5 appliances using iControl (F5's configuration API) to block IPs directly on the F5s.

     

    Alternatively, looking at modules like ASM (WAF), APM (remote auth and client VPN) and/or AFM (datacentre firewall) might provide you with a solution.

     

    Hope this helps

     

    AMG

     

  • Hi AMG,

     

    Yes - that is hugely helpful - thanks for taking the time. It appears that I have understood the architecture of the F5 appliance correctly.

     

    Regarding SSL - I use TLS/SNI with apache and nginx so we can bind as many certs to one IP as we like. We have 4 wildcard certs (for subdomains of our primary .ac.uk) and various single CN certs for external (.org, .eu and other) domains, as these are relatively expensive in comparison to the JISC supplied .ac.uk wildcard certs. On some sites, we don't even have correct certs as we have 2-3 people logging in to edit content and the rest of the website viewers use HTTP. It would not be viable to have the 400+ certs to cover all those edge cases, at least not until one of the free SSL issuers takes off (if ever).

     

    The real show stopper is the fact that the rest of apache and linux lose sight of the true client IP for the "Allow from" and fail2ban operations - at least without a lot of work to re-implement the logic in the F5, assuming it can.

     

    Not its fault - we are looking at migrating hosting for 200 VMWare VMs, 100 of which are web front ends (one per academic project typically) - and there's a lot of legacy systems.

     

    Anyway - I think I have enough info to work with now.

     

    Thanks again :)

     

    Tim

     

  • All the above is quite simple on LTM. Which fail2ban logic would you like to apply? I would also recommend using HSL from the F5 to your logging / Nagios solution to preserve client IP details. Also, what is the mod_auth achieving? It is almost certainly replicable.

     

  • Also, just a personal observation: If you are fronting 100+ web services, I very much recommend:

     

    1) Creating a dynamic type of origin server pool (e.g. a phantom pool consisting of 100s of fallow members that can be dynamically populated)

     

    2) A heterogeneous server arsenal (e.g. a team of Nginx Servers JUST for content that lives under /images, a team of Apache Servers for .js content, a team of Microsoft for asp[x], etc)

     

    THESE are the type of things you can do with [only] F5, and play to its strengths.

     

    //Jan

     

  • JG

    Have you considered installing the "mod_extract_forwarded" Apache module to get at the addresses in XFF for mod_authz_host?
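The following is an added example, not code from the original thread or from any of the posters, showing the logic behind the X-Forwarded-For handling discussed in the question (points 2, a and b) and in the mod_extract_forwarded suggestion above. It models in Python what Apache's mod_remoteip (RemoteIPInternalProxy, Apache 2.4 only) and mod_extract_forwarded (MEFaccept, usable on 2.2) do: X-Forwarded-For is walked from the right, hops that belong to trusted proxies are discarded, and the first address that is not one of our own proxies is taken as the client. The security-relevant caveat is that the header is client-controlled: a request can arrive at the F5 already carrying a forged `X-Forwarded-For: <scanner address>`, and the F5 only appends the real peer to the end. Any "Allow from" or fail2ban logic that simply takes the first (leftmost) entry is therefore bypassable; only the rightmost hop appended by a proxy you trust may be believed. All addresses, the proxy and scanner ranges, the LogFormat and the log lines are constructed for this example (RFC 5737 test ranges), not taken from the poster's environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed for this example (RFC 5737 test ranges); not the poster's real addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]      # F5 SNAT / self-IPs
ALLOWED_SCANNERS = [ipaddress.ip_network("198.51.100.0/28")]  # Nagios, security scanners


def real_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Recover the client address the way mod_remoteip (RemoteIPInternalProxy)
    and mod_extract_forwarded (MEFaccept) do: walk X-Forwarded-For from the
    RIGHT, discarding hops that are trusted proxies, and stop at the first
    address that is not one of ours.  The rightmost entry is the one our own
    proxy appended; anything further left was already in the header when the
    request reached the proxy and is attacker-controlled."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer                      # direct connection: ignore the header entirely
    if not xff_header or xff_header == "-":
        return peer                      # proxy sent no header; fall back to the peer
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            break                        # garbage in the header: keep the last good hop
        if not any(candidate in net for net in trusted):
            return candidate
        peer = candidate                 # another proxy of ours, keep walking left
    return peer


def allowed_without_auth(client_ip):
    """The 'Allow from' decision, evaluated on the recovered address."""
    return any(client_ip in net for net in ALLOWED_SCANNERS)


# Apache LogFormat assumed for the sample below (%a = connection peer, XFF appended):
#   "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed log: three brute-force attempts from 203.0.113.7 via the F5 (one of
# them with a forged XFF claiming to be a scanner), one legitimate scanner probe,
# and one request that reached the server directly with a forged header.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2016:10:00:01 +0100] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.47" "203.0.113.7"
192.0.2.10 - - [10/Oct/2016:10:00:02 +0100] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.47" "203.0.113.7"
192.0.2.10 - - [10/Oct/2016:10:00:03 +0100] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.47" "198.51.100.5, 203.0.113.7"
192.0.2.10 - - [10/Oct/2016:10:00:04 +0100] "GET /admin/ HTTP/1.1" 401 381 "-" "check_http/v2.1" "198.51.100.5"
203.0.113.7 - - [10/Oct/2016:10:00:05 +0100] "GET /admin/ HTTP/1.1" 401 381 "-" "curl/7.47" "198.51.100.5"
"""


def failed_logins_by_ip(log_text, use_xff):
    """Count 401s per address, either on %a alone (what fail2ban sees behind a
    SNAT-ing proxy) or on the recovered client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "401":
            continue
        ip = real_client_ip(m["peer"], m["xff"]) if use_xff else ipaddress.ip_address(m["peer"])
        counts[str(ip)] += 1
    return counts


def ban_candidates(counts, maxretry=3):
    """fail2ban-style decision: addresses at or over maxretry failures."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("banning on %a :", ban_candidates(failed_logins_by_ip(SAMPLE_LOG, use_xff=False)))
    print("banning on XFF:", ban_candidates(failed_logins_by_ip(SAMPLE_LOG, use_xff=True)))
```

Run on the constructed log, the peer-only view bans 192.0.2.10, i.e. the load balancer itself, which is exactly the failure mode described in point (b); the recovered-address view bans 203.0.113.7 and leaves the scanner alone, and the forged header on the third and fifth lines is never believed because it is to the left of the hop the proxy appended (or arrived over an untrusted direct connection). On Apache 2.4 the same result comes from `RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` for the F5's SNAT range, after which `%a` and mod_authz_host see the client address and `%{c}a` still logs the peer. One caveat that getting the address right does not remove: a netfilter rule inserted on the backend by fail2ban can only ever match the F5's SNAT address, because that is the only source the backend sees, so the ban has to be enforced either on the F5 (as the iControl suggestion above proposes) or at the HTTP layer on the backend, keyed on the recovered address.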

     

  • F5 is a monstrosity octopus. Does almost anything.

     

    However, it's recommended to only pick the features you actually need. The "best license bundle" could mislead people into using all the available modules, and that would be a horrible idea outside a lab scenario.

     

    My best advice to newcomers looking to use F5 is to use 1-4 modules PER CLUSTER, never more than that. If you want to use more modules, get yourself another cluster for the extra features.

     

    • Hannes_Rapp_162

      Was asked to clarify this.

       

      Why do I advise keeping the number of provisioned BigIP modules to 4 or fewer (even when there are no capacity constraints)? If I had to pick just one reason: to retain better chances of seamless software upgrades. If I had to pick two, my second reason is the overall appliance stability.

       

      After X number of tools, Swiss Knives get too bulky and lose their appeal :)

       

    • JG

      As with everything, there is the need to identify first the business need, or what problems one is to solve. The choice of product will then be much clearer.

       
