Vilem_96451
Apr 18, 2011 · Nimbostratus
HTTP full transparent proxy balancing
I need to set up load balancing between multiple HTTP proxy servers in fully transparent mode. Typically only the client is unaware of the proxy server, but I need full transparency, which means that the web server is also unaware of the proxy server (it sees the client's IP address as the source instead of the proxy server's IP).
I have checked the F5 forums and docs, and the only idea I have so far is:
1. Clients send the request to the internet site, with the real internet IP of the site as the destination IP. Routing makes sure it is forwarded to the F5.
2. The F5 has a wildcard virtual server running on any IP and on port 80, which gets the request and forwards it to one of the proxy servers (e.g. round robin balancing).
3. The proxy server sends the request to the internet site and adds an HTTP header named X-Forwarded-For, whose value is the IP of the client.
4. The F5 receives the request from the proxy server because the proxy server has the F5 as its default gateway.
5. The request from the proxy server is processed by a virtual server, and more specifically by an iRule on the F5 which looks at the value of the X-Forwarded-For header and performs SNAT on the request from the proxy to the internet.
6. The internet site will see the IP of the client as the source IP, and not the IP of the proxy server or the F5.
7. The routing makes sure that the response traffic from the internet site goes back to the F5, which forwards the response to the proxy server.
The load balancer will be an F5 Big-IP 6900 (OS version 10.2.0). The current network topology is as follows (but it can be changed as needed):
Client --- F5 --- Internet
           |
     Proxy servers
I would like to kindly ask you to review my solution and confirm that it is feasible, or propose any other option for achieving full transparency with F5 features/functionality. Preferably without the necessity of using X-Forwarded-For header enrichment.
Just one option to think about: the proxy server can act as a fully transparent proxy itself, so it can send HTTP requests to the internet already with the client's IP instead of its own IP. But in this case I have no idea how to instruct the F5 box to forward incoming HTTP responses to the correct proxy server (correct = previously selected by the load balancing algorithm). Any clue?
Thanks in advance.
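
A sketch of the iRule from step 5, as an added example that is not part of the original post. It treats X-Forwarded-For as untrusted input before using it as the SNAT address; the data group name `proxy_servers` and the choice to strip the header before the request leaves are assumptions.

```tcl
# Added example, not from the original post. Attach to the wildcard virtual
# server that receives proxy -> internet traffic (step 5).
# "proxy_servers" is a hypothetical address data group holding the proxy IPs.
when HTTP_REQUEST {
    # Only the proxies may dictate the source address.
    if { ![class match [IP::client_addr] equals proxy_servers] } {
        reject
        return
    }
    if { ![HTTP::header exists "X-Forwarded-For"] } {
        log local0. "no X-Forwarded-For from [IP::client_addr], source left unchanged"
        return
    }
    # A client can send its own X-Forwarded-For; the proxy appends the address
    # it actually saw, so only the last entry is used.
    set all [join [HTTP::header values "X-Forwarded-For"] ","]
    set cip [string trim [lindex [split $all ","] end]]

    # Accept a plain dotted-quad IPv4 address only.
    set ok 0
    if { [regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $cip -> a b c d] } {
        set ok 1
        foreach o [list $a $b $c $d] {
            # scan avoids octal interpretation of octets such as "08"
            scan $o %d n
            if { $n > 255 } { set ok 0 }
        }
    }
    if { !$ok } {
        # The rejected value is not logged, to keep client-controlled text out of the log.
        log local0. "invalid X-Forwarded-For from [IP::client_addr], source left unchanged"
        return
    }
    # Assumption: the internal header should not reach the internet site.
    HTTP::header remove "X-Forwarded-For"
    snat $cip
}
```

The translation address is chosen when the server-side connection is set up, so this assumes the proxy does not reuse one upstream connection for requests from several clients.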