Forum Discussion

  • PSFletchTheTek -

    Looking at the requirement given, you need to create a VIP and map a backend pool to it, as mentioned by PSFletchTheTek. Whatever is present on backend_pool_member/services will also appear on https://example.com:8443/services, i.e. via the F5 VIP.

    If they want only a specific path, i.e. /services, to be available and everything else blocked, then it can be managed on the F5 as well as in the backend app URL config. So there's no clarity on it and it needs to be checked.

    With this, you should be good.


    • CA_Valli

      I'd just like to mention that if hardening on the backend can't be performed for whatever reason (let's say other servers in your network need to access your node on that same socket with other paths), you can also implement an LTM policy on your BIG-IP to check for the /services path in the URL and reject any other client request.

      You do need to assign an HTTP profile to the virtual server (as well as the LTM policy, of course) to achieve this. If we're talking about HTTPS traffic, you also need to import certificates on the BIG-IP unit and configure and assign a clientSSL (and eventually a serverSSL too) profile to that same VS.

  • Hi, 
    Do you have any current configuration or are you starting from scratch?
    For example, I would expect a virtual server set up on port 8443,
    connected to a back end pool on port 8443 or equivalent.
    Is this already in place?

    Or, I suppose, a different question: could you explain your use case / expected result a little more, please?

    • shadow82

      It's a totally new VIP that I've been asked to make.

      I'm not sure if it's some lack of communication within the team that they ask for something like this (URL with path) or maybe just a real need:

      1. https VIP listening on port 8443
      2. the first backend service will be "/services"

      But should I? Could I prepare the "/services" part on my VIP?
      When creating one, it's not possible to provide paths in URL...

      To my understanding, what services are under what directories is the backend server's job, not the F5's, right?

      • hi shadow82,

        So, don't get hung up on the /services thing. As Mayur_Sutare suggests, if your external client uses that URI it will be passed straight through to the back end pool member. Also, as Mayur_Sutare suggests, other clever stuff can be done if you want to block the root path or other paths, i.e. / or /folder1 etc., but that's extra config. (Still simple and quick to achieve on the F5!)

        So I'd just set up the virtual server on port 8443 as you identified, and the pool, and see if it works for them.
        In the first instance, as it's HTTPS, I'd leave the SSL client / SSL server config off for now so it acts just as a passthrough with a SNAT, and see if this works for you.

  • Hi shadow82 , 
    So far, what I have got from you is that you want traffic with request path "/services" to be handled by a specific pool and the rest of the traffic (normal, without /services) to be handled by a different pool.

    If you want this, it's achievable by LTM policies or iRules.

    You can clarify more to help.
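    As an added example (not code posted by anyone in this thread), here is an iRule that does what CA_Valli's LTM-policy suggestion and the two-pool split above describe: requests whose path is exactly /services or sits under /services/ go to the services pool, and everything else is answered with a 403 and closed. The pool names services_pool_8443 and default_pool_8443 are hypothetical. As noted in the thread, this only works if the virtual server carries an HTTP profile and, for HTTPS on 8443, a clientSSL profile so that the BIG-IP can see the decrypted request path; on a plain SSL passthrough VS the HTTP_REQUEST event never fires.

    ```tcl
    # Added example, not from the original thread.
    # Restricts an HTTPS virtual server (port 8443) so that only the /services
    # path reaches the backend pool. Pool names are hypothetical.
    # Requires an http profile and a clientssl profile on the virtual server.
    when HTTP_REQUEST {
        # HTTP::path excludes the query string; lower-case it for a case-insensitive match
        set path [string tolower [HTTP::path]]

        # Match "/services" exactly or anything below "/services/".
        # A plain starts_with "/services" would also admit "/servicesfoo".
        if { ($path equals "/services") || [string match "/services/*" $path] } {
            # Hand /services traffic to the services pool
            pool services_pool_8443
        } else {
            # Everything else: respond 403 and close the client connection.
            # For the two-pool variant (route instead of block), replace
            # the HTTP::respond line with:  pool default_pool_8443
            HTTP::respond 403 content "Forbidden" "Connection" "close"
        }
    }
    ```

    Attach the iRule to the 8443 virtual server alongside the HTTP and clientSSL profiles. If the backends must still receive TLS, add a serverSSL profile as CA_Valli mentions; if they are to receive cleartext from the F5, leave it off. The same logic can be expressed as an LTM policy (http-uri path condition plus forward/reset actions) without any Tcl.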

  • shadow82, I have a couple of questions that don't seem to have been answered in the rest of the comments.

    1. Should this new virtual server only work for https://example.com:8443/services, or example.com with any path, or anything coming in on this new virtual server over 8443 that is https?

    2. If you perform SSL termination at the F5 do they want the servers to receive encrypted traffic or the decrypted traffic from the F5?

    Depending on your answers you have a few options. You can perform SSL termination without encrypting before you send it to the servers and only balance traffic for specific host and/or URI fields in the host header. Without SSL termination you cannot perform anything based on the HTTP header other than passing it to the server for it to decrypt the traffic.