Forum Discussion
F5 - is it just a reverse proxy (as far as fronting 100 webservers)
Hi AMG,
Yes - that is hugely helpful - thanks for taking the time. It appears that I have understood the architecture of the F5 appliance correctly.
Regarding SSL - I use TLS/SNI with Apache and nginx so we can bind as many certs to one IP as we like. We have 4 wildcard certs (for subdomains of our primary .ac.uk) and various single CN certs for external (.org, .eu and other) domains, as these are relatively expensive in comparison to the JISC-supplied .ac.uk wildcard certs. On some sites, we don't even have correct certs as we have 2-3 people logging in to edit content and the rest of the website viewers use HTTP. It would not be viable to have the 400+ certs to cover all those edge cases, at least not until one of the free SSL issuers takes off (if ever).
The real showstopper is the fact that the rest of Apache and Linux lose sight of the true client IP for the "Allow from" and fail2ban operations - at least without a lot of work to re-implement the logic in the F5, assuming it can.
Not its fault - we are looking at migrating hosting for 200 VMware VMs, 100 of which are web front ends (one per academic project typically) - and there are a lot of legacy systems.
Anyway - I think I have enough info to work with now.
Thanks again :)
Tim
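
The client-IP problem raised in the post above, as an added example that is not part of the original post and is not F5, Apache or fail2ban code: how a backend can recover the address that "Allow from"-style rules and ban logic should act on. It assumes the proxy appends the connecting address to an `X-Forwarded-For` header; the proxy range, allow list and function names are constructed for illustration.

```python
import ipaddress

# Assumption (constructed): source addresses the reverse proxy uses to reach backends.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]
# Assumption (constructed): stand-in for an "Allow from" list on an editors-only area.
ALLOW_FROM = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def client_ip(peer, xff_header):
    """Return the address that access rules and ban counters should use."""
    peer_addr = ipaddress.ip_address(peer)
    # Connection did not come from the proxy: the header is client-supplied, ignore it.
    if not _in_any(peer_addr, TRUSTED_PROXIES):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # so the first untrusted address is the real client. Anything further left
    # was sent by that client and proves nothing.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the proxy address
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer_addr


def allowed(peer, xff_header):
    """Allow-list decision made on the recovered client address."""
    return _in_any(client_ip(peer, xff_header), ALLOW_FROM)
```

The same recovered address is what has to reach the web server's access log for log-based banning to count failures against the client rather than against the proxy.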
