For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ushan's avatar
ushan
Icon for Altocumulus rankAltocumulus
Sep 20, 2022

Multiple application in single server

I have a server which hosts multiple applications, like; example1.max.com, example2.max.com, example3.max.com and so on. I have only one server so I could make only one Node in F5 and all the appli...
application delivery
PSFletchTheTek's avatar
PSFletchTheTek
Icon for Cumulonimbus rankCumulonimbus
Sep 20, 2022

Hi,

So what i'd do, is a setup called VIP targeting VIP. Basically its like layer 7 nat! (google f5 vip targeting vip for a youtube video)
So one Virtual server on the front with a IP/VIP. Where traffic that is on the network,
(It doesn't need a pool)
Then setup as many virtual servers as you want for each server so something like

example1-VS
example3-VS
example3-VS
all configured normally with pools and every as per normal. Making sure you set a HTTP profile so the f5 understands the HTTP header!

Then you setup a policy that has some like

If HTTP Host contains example1.max.com forward traffic to example1-VS
then 
If HTTP Host contains example2.max.com forward traffic to example2-VS
etc etc

So when traffic hits the external VS, it can read the header and then forward it the the correct virtual server,

Now where this is important is you can now assign a different ASM policy to each exampleXXX-VS you create without any issues.
You can also attach DOS and other services purely on the external IP, and keep the layer3-4 and layer7 controls independant.

If you need screenshots let me know.

Fletch

 

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 20, 2022

    VIP targeting is definitely a useful approach.

    You could also simply attach an LTM policy to the application VIP to dynamically assign the WAF policy based on HTTP Host.

    - CPM policy
    - Rule 1: HTTP Host is www.example1.max on request -> enable asm (waf_policy_a)
    - Rule 2: HTTP Host is www.example2.max on request -> enable asm (waf_policy_b)
    - Rule 3: HTTP Host is www.example3.max on request -> enable asm (waf_policy_c)
    - Rule 4: disable asm on request

     

  • ushan's avatar
    ushan
    Icon for Altocumulus rankAltocumulus
    Sep 20, 2022

    Hi PSFletchTheTek

    Yes this can definitely work. But the applications that are hosted in that single server are public applications and need to be accessed publicly.  With the solution you have provided would require Public IP for each application(Virtual Server). And I have only one public IP available for that server. So I can only make one Virtual Server in my case.

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Sep 20, 2022

      That's not what he's saying. You create a single client-facing VIP and use an LTM (CPM) policy to VIP target to the set of application VIPs that are not externally exposed. Traffic comes to the frontend VIP and LTM policy steers the traffic to one of the backend application VIPs based on HTTP Host. 

      You're only exposing one publich IP at the frontend VIP. 

      So you can use this single frontend VIP to either VIP target to backend application VIPs, or you can use the LTM policy to directly attach the WAF policy to the one frontend VIP. For the latter, you'd also need to dynamically assign the pool and (optionally) server SSL.