Forum Discussion

igor_
Jun 29, 2023

Migration from HAProxy to F5

Hi all, I have a conundrum of sorts. We are currently in the process of evaluating how to migrate from HAProxy reverse proxy and load balancer to F5. I have a couple of questions for someone who h...
  • JRahm
    Jun 30, 2023

    Hi igor_ 

    I haven't used haproxy personally, but the config looks pretty self-explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.

     

    ltm monitor http cxserver-httpchk {
        adaptive disabled
        defaults-from http
        interval 5
        ip-dscp 0
        recv none
        recv-disable none
        send "GET /Thingworx/health\r\n"
        time-until-up 0
        timeout 16
    }
    
    ltm pool cxserver-pool {
        members {
            cxserver1:8080 {
                address 10.0.10.10
            }
            cxserver2:8080 {
                address 10.0.10.11
            }
        }
        monitor cxserver-httpchk
    }
    
    ltm policy test-policy {
        controls { forwarding }
        requires { http }
        rules {
            cxserver-match {
                actions {
                    0 {
                        forward
                        select
                        pool cxserver-pool
                    }
                }
                conditions {
                    0 {
                        http-uri
                        values { /Thingworx/WS }
                    }
                }
                ordinal 1
            }
        }
        status published
        strategy first-match
    }
    
    ltm policy http-to-https {
        controls { forwarding }
        requires { http tcp }
        rules {
            redirect {
                actions {
                    0 {
                        http-reply
                        redirect
                        location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                    }
                }
                conditions {
                    0 {
                        tcp
                        port
                        values { 80 }
                    }
                }
            }
        }
        status published
        strategy first-match
    }
    
    ltm virtual testapp-vip {
        destination 10.1.1.10:80
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            http-to-https { }
        }
        profiles {
            http { }
            tcp { }
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
    }
    ltm virtual testappssl-vip {
        destination 10.1.1.10:443
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            cookie {
                default yes
            }
        }
        policies {
            test-policy { }
        }
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

     

    High level from an objects perspective (and this is imperative config, I highly encourage you to take a look at the declarative automated tool chain):

    Monitors for the pools
    Pools for each of your backend servers
    Cookie profiles if you want them to be named specifically
    SSL profile for your front-end
    LTM policy for redirecting from http->https
    LTM policy for traffic matching, forwarding, and logging 
    Virtual server for port 80
    Virtual server for port 443
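
A way to check the migrated virtual servers against the configuration in the reply above, as an added example that is not part of the original post or F5's own tooling: it evaluates captured response headers against what the `http-to-https` policy and the stock cookie persistence should produce. The hostname `app.example.com`, the sample responses and the function names are constructed for the example, and accepting a partition prefix inside the cookie name is an assumption.

```python
from http.cookies import SimpleCookie

REDIRECT_CODES = (301, 302, 307, 308)

def expected_location(host_header, uri):
    # Same result as the policy's tcl: https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    return "https://" + host_header.split(":")[0] + uri

def check_redirect(host_header, uri, status, headers):
    """Findings for a response from the port-80 virtual; empty list means it matches."""
    findings = []
    if status not in REDIRECT_CODES:
        findings.append(f"expected a redirect status, got {status}")
    want = expected_location(host_header, uri)
    if headers.get("Location") != want:
        findings.append(f"Location is {headers.get('Location')!r}, expected {want!r}")
    return findings

def check_persistence(set_cookie_headers, pool="cxserver-pool"):
    """Findings for a response from the port-443 virtual with default cookie persistence."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    # Stock cookie name is BIGipServer<pool>; a partition prefix in between is
    # accepted here as an assumption.
    names = [n for n in jar if n.startswith("BIGipServer") and n.endswith(pool)]
    if not names:
        return [f"no BIGipServer persistence cookie for pool {pool}"]
    findings = []
    for name in names:
        for flag in ("secure", "httponly"):
            if not jar[name][flag]:
                findings.append(f"{name} is missing the {flag} attribute")
    return findings

# Constructed sample responses (hostname and cookie value are made up for the example).
SAMPLE_80 = (302, {"Location": "https://app.example.com/Thingworx/WS?id=7"})
SAMPLE_443 = ["BIGipServercxserver-pool=168427530.36895.0000; path=/; Httponly; Secure"]

if __name__ == "__main__":
    print(check_redirect("app.example.com:80", "/Thingworx/WS?id=7", *SAMPLE_80))
    print(check_persistence(SAMPLE_443))
```

Feed it the status and headers recorded from a request to each virtual server after cutover; any non-empty list is a difference to resolve before the HAProxy front end is retired.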