Forum Discussion
igor_
Cirrus
CirrusMigration from HAProxy to F5
Hi all, I have a conundrum of sorts. We are currently in the process of evaluating how to migrate from HAProxy reverse proxy and load balancer to F5. I have a couple of questions for someone who h...
Hi igor_
I haven't used haproxy personally, but the config looks pretty self explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
ltm monitor http cxserver-httpchk { adaptive disabled defaults-from http interval 5 ip-dscp 0 recv none recv-disable none send "GET /Thingworx/health\r\n" time-until-up 0 timeout 16 } ltm pool cxserver-pool { members { cxserver1:8080 { address 10.0.10.10 } cxserver2:8080 { address 10.0.10.11 } } monitor cxserver-httpchk } ltm policy test-policy { controls { forwarding } requires { http } rules { cxserver-match { actions { 0 { forward select pool cxserver-pool } } conditions { 0 { http-uri values { /Thingworx/WS } } } ordinal 1 } } status published strategy first-match } ltm policy http-to-https { controls { forwarding } requires { http tcp } rules { redirect { actions { 0 { http-reply redirect location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri] } } conditions { 0 { tcp port values { 80 } } } } } status published strategy first-match } ltm virtual testapp-vip { destination 10.1.1.10:80 ip-protocol tcp mask 255.255.255.255 policies { http-to-https { } } profiles { http { } tcp { } } serverssl-use-sni disabled source 0.0.0.0/0 translate-address enabled translate-port enabled } ltm virtual testappssl-vip { destination 10.1.1.10:443 ip-protocol tcp mask 255.255.255.255 persist { cookie { default yes } } policies { test-policy { } } profiles { clientssl { context clientside } http { } tcp { } } serverssl-use-sni disabled source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled }high level from objects perspective (and this is imperative config, I highly encouarge you taking a look at the declarative automated tool chain):
Monitors for the pools
Pools for each of your backend servers
Cookie profiles if you want them to be named specifically
SSL profile for your front-end
LTM policy for redirecting from http->https
LTM policy for traffic matching, forwarding, and logging
Virtual server for port 80
Virtual server for port 443
JRahm
Admin
AdminHi igor_
I haven't used haproxy personally, but the config looks pretty self explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
ltm monitor http cxserver-httpchk {
adaptive disabled
defaults-from http
interval 5
ip-dscp 0
recv none
recv-disable none
send "GET /Thingworx/health\r\n"
time-until-up 0
timeout 16
}
ltm pool cxserver-pool {
members {
cxserver1:8080 {
address 10.0.10.10
}
cxserver2:8080 {
address 10.0.10.11
}
}
monitor cxserver-httpchk
}
ltm policy test-policy {
controls { forwarding }
requires { http }
rules {
cxserver-match {
actions {
0 {
forward
select
pool cxserver-pool
}
}
conditions {
0 {
http-uri
values { /Thingworx/WS }
}
}
ordinal 1
}
}
status published
strategy first-match
}
ltm policy http-to-https {
controls { forwarding }
requires { http tcp }
rules {
redirect {
actions {
0 {
http-reply
redirect
location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
}
conditions {
0 {
tcp
port
values { 80 }
}
}
}
}
status published
strategy first-match
}
ltm virtual testapp-vip {
destination 10.1.1.10:80
ip-protocol tcp
mask 255.255.255.255
policies {
http-to-https { }
}
profiles {
http { }
tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address enabled
translate-port enabled
}
ltm virtual testappssl-vip {
destination 10.1.1.10:443
ip-protocol tcp
mask 255.255.255.255
persist {
cookie {
default yes
}
}
policies {
test-policy { }
}
profiles {
clientssl {
context clientside
}
http { }
tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
}
high level from objects perspective (and this is imperative config, I highly encouarge you taking a look at the declarative automated tool chain):
Monitors for the pools
Pools for each of your backend servers
Cookie profiles if you want them to be named specifically
SSL profile for your front-end
LTM policy for redirecting from http->https
LTM policy for traffic matching, forwarding, and logging
Virtual server for port 80
Virtual server for port 443