Forum Discussion
Migration from HAProxy to F5
- Jun 30, 2023
Hi igor_
I haven't used HAProxy personally, but the config looks pretty self-explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
```
ltm monitor http cxserver-httpchk {
    adaptive disabled
    defaults-from http
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /Thingworx/health\r\n"
    time-until-up 0
    timeout 16
}
ltm pool cxserver-pool {
    members {
        cxserver1:8080 {
            address 10.0.10.10
        }
        cxserver2:8080 {
            address 10.0.10.11
        }
    }
    monitor cxserver-httpchk
}
ltm policy test-policy {
    controls { forwarding }
    requires { http }
    rules {
        cxserver-match {
            actions {
                0 {
                    forward
                    select
                    pool cxserver-pool
                }
            }
            conditions {
                0 {
                    http-uri
                    values { /Thingworx/WS }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
ltm policy http-to-https {
    controls { forwarding }
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm virtual testapp-vip {
    destination 10.1.1.10:80
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        http-to-https { }
    }
    profiles {
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual testappssl-vip {
    destination 10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    policies {
        test-policy { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
```
High level from an objects perspective (and this is imperative config; I highly encourage you to take a look at the declarative automated tool chain):
* Monitors for the pools
* Pools for each of your backend servers
* Cookie profiles if you want them to be named specifically
* SSL profile for your front-end
* LTM policy for redirecting from http->https
* LTM policy for traffic matching, forwarding, and logging
* Virtual server for port 80
* Virtual server for port 443
Guys,
Your answers are much appreciated. They gave me some direction on where to go in the first place.
AlexS_yb The company is part of the PCI industry so every ms counts 😁
Some initial feedback and some questions from my side:
I have created backend server pools.
I have created a virtual server with a private IP and NAT-ed the public IP into the private one.
The path looks like this:
Internet ----> Router -----> Firewall (NAT) ----> F5 Virtual server IP (I will call it V1)
A question: Since the public website is https://app1.somesite.com, I have created an LTM policy using an article from this site written by Eric_Chen - SNI Routing with BIG-IP.
Now since in the backend, I have some servers which communicate over HTTP and others over HTTPS, can I mix and match protocols? Bear in mind that on the same Windows server under IIS, I have a service using HTTP on port 555, and another service using HTTPS on port 566 for example.
Under LTM Policy rules I have a lot of:
If HTTP Uri path starts with : /app1 forward traffic to pool (pool1) at request
If HTTP Uri path starts with : /app2 forward traffic to pool (pool2) at request
Now, am I using this right, since the traffic is encrypted until it hits the virtual server V1? From there, based on a condition, it should be redirected to even the same pool of servers but different ports.
What I found out is that when setting the virtual server V1 if I select a certificate for SSL Profile (server) I can't connect pools that are running over HTTP and if I don't select SSL Profile (server) I can't communicate with backend pools over HTTPS. Can this be done automatically using one virtual server and combined LTM Policy rules?
Any ideas?
Thanks,
Igor
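
An added example, not part of the original thread: one way to serve cleartext and TLS pools from a single virtual server is an iRule that switches server-side SSL per request. It assumes a server SSL profile is attached to V1 and that pool1 (/app1) holds the HTTP members and pool2 (/app2) the HTTPS members; that mapping and the 404 fallback are hypothetical.

```tcl
# Added example (iRule), not from the thread or from F5's own material.
# Assumptions: V1 has a client SSL profile (TLS terminates on the BIG-IP)
# and a server SSL profile; pool1 members listen on plain HTTP and
# pool2 members listen on HTTPS.
when HTTP_REQUEST {
    # Start every request with re-encryption on, so a keep-alive client
    # connection that previously hit the HTTP pool does not carry the
    # "disabled" state over to a request bound for the HTTPS pool.
    SSL::enable serverside

    if { [HTTP::path] starts_with "/app1" } {
        # Backend speaks plain HTTP: skip the server-side TLS handshake.
        SSL::disable serverside
        pool pool1
    } elseif { [HTTP::path] starts_with "/app2" } {
        # Backend speaks HTTPS: server-side SSL stays enabled.
        pool pool2
    } else {
        # Unmatched paths are answered locally instead of being sent to
        # an arbitrary backend (assumed policy; adjust as needed).
        HTTP::respond 404 content "Not Found"
    }
}
```

Only the /app1 branch leaves the BIG-IP unencrypted, which makes it easy to see which paths cross the backend network in cleartext.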