Forum Discussion
Migration from HAProxy to F5
- Jun 30, 2023
Hi igor_
I haven't used haproxy personally, but the config looks pretty self-explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
ltm monitor http cxserver-httpchk {
    adaptive disabled
    defaults-from http
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /Thingworx/health\r\n"
    time-until-up 0
    timeout 16
}
ltm pool cxserver-pool {
    members {
        cxserver1:8080 {
            address 10.0.10.10
        }
        cxserver2:8080 {
            address 10.0.10.11
        }
    }
    monitor cxserver-httpchk
}
ltm policy test-policy {
    controls { forwarding }
    requires { http }
    rules {
        cxserver-match {
            actions {
                0 {
                    forward
                    select
                    pool cxserver-pool
                }
            }
            conditions {
                0 {
                    http-uri
                    values { /Thingworx/WS }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
ltm policy http-to-https {
    controls { forwarding }
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm virtual testapp-vip {
    destination 10.1.1.10:80
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        http-to-https { }
    }
    profiles {
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual testappssl-vip {
    destination 10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    policies {
        test-policy { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
High level from an objects perspective (and this is imperative config; I highly encourage you to take a look at the declarative automated tool chain):
* Monitors for the pools
* Pools for each of your backend servers
* Cookie profiles if you want them to be named specifically
* SSL profile for your front-end
* LTM policy for redirecting from http->https
* LTM policy for traffic matching, forwarding, and logging
* Virtual server for port 80
* Virtual server for port 443
Maybe you will only need an iRule to log the cookie:
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
The request logging profile can also be a nice feature:
https://my.f5.com/manage/s/article/K00847516
You can send the HTTP logs directly to a syslog or SIEM without saving them locally, and iRules, the F5 system and the request logging profile all support HSL:
https://clouddocs.f5.com/api/irules/HSL.html
https://my.f5.com/manage/s/article/K50040950
when HTTP_REQUEST {
    # Log the JSESSIONID cookie value and the client IP for every HTTP request
    log local0. "JSESSIONID cookie: [HTTP::cookie value "JSESSIONID"] from source IP [IP::client_addr]"
}
Maybe also check if OneConnect will be needed, as this could be enabled by default for HAProxy and you will need a OneConnect profile for F5.
https://www.haproxy.com/blog/http-keep-alive-pipelining-multiplexing-and-connection-pooling
https://my.f5.com/manage/s/article/K91757375
For X-Forwarded options you play with the F5 HTTP profile, as there is no need for an iRule or local traffic policies.
https://my.f5.com/manage/s/article/K43444200
https://my.f5.com/manage/s/article/K4816
- JRahm, Jun 30, 2023, Admin
Nikoolayy1 Good call on one connect, forgot that. It is considered a misconfiguration on http without it.
igor_ iRules are totally acceptable, but it is best to do as much as you can without them, and sometimes an apples to apples configuration might require it, whereas a review of requirements for each app you're migrating might present an opportunity to make some changes that a) keep the config and therefore all the logic in native tmm objects and b) prep the config for easy automation when ready.
- Nikoolayy1, Jul 01, 2023, MVP
For the cookie logging need I think the iRule is better than the local traffic policy with a log action and tcl substitution like "tcl:[HTTP::cookie value "JSESSIONID"]". I don't remember if the request logging profile also logged the HTTP cookies and their values.
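
The cookie logging and HSL suggestions from the thread, combined into one iRule as an added example that is not part of the original posts. It assumes a pool of syslog/SIEM receivers named hsl-syslog-pool (a hypothetical name), and it sends a SHA-256 digest of the JSESSIONID rather than the raw value, a choice made in this example so the log can still correlate requests per session without storing replayable session IDs.

```tcl
when CLIENT_ACCEPTED {
    # Open a High-Speed Logging handle once per client connection.
    # hsl-syslog-pool is a hypothetical pool of syslog/SIEM receivers.
    set hsl [HSL::open -proto UDP -pool hsl-syslog-pool]
}

when HTTP_REQUEST {
    # Only log when the session cookie is actually present.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        # sha256 returns raw bytes; convert them to a hex string.
        binary scan [sha256 [HTTP::cookie value "JSESSIONID"]] H* sid_hash

        # <134> is the syslog priority for facility local0, severity info.
        HSL::send $hsl "<134>JSESSIONID sha256: $sid_hash client [IP::client_addr] uri [HTTP::path]\n"
    }
}
```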