F5 - is it just a reverse proxy (as far as fronting 100 webservers)

Tim,

I have worked in the Application Delivery space for over 10 years and F5 is by far the best system I have worked with (and I don't work directly with F5 so not a sales pitch).

The F5 systems are split into software modules doing different things but at its core is LTM which is basically a fancy Reverse Proxy which can route and/or NAT traffic (both static NAT and SNAT). However it also have a very powerful and flexible traffic manipulation features including iRules for scripting and a number of profiles, like HTTP, that can add/remove/modify traffic like adding the XFF header for HTTP traffic.

With SSL you can off load your SSL to the F5 appliances for different cert on the client side than used on the server side, this can also allow less secure SSL on the server side without compromising security on the client side without a problem.

The one thing that will stop you hosting 100+ sites on a single IP is that each SSL Cert will need a different IP, so unless everything is on the same domain and you have a Wildcard Certificate you will need more that one IP

With mod_authz_host would need more info about your setup and issues with it. If it cannot use XFF then anything using IP restrictions can be moved to the F5 with very simple iRules or if want to allow IPs without authentication for scanning and iRule to set different SNAT address based on a list (Data Group) of allow IPs.

I have not come across fail2ban before but it may be able to update the F5 appliances using iControl (F5's configuration API) to block IPs directly on the F5s.

Alternativly looking at modules like ASM (WAF), APM (remove auth and client VPN) and/or AFM (datacentre firewall) might provide you with a solution.

Hope this helps

AMG