Forum Discussion

dmastropolo_234
Jul 13, 2007

Reverse proxy appliance integration with F5 LTM

hi,

 

 

We are scoping out an integration project that involves an F5 LTM and several reverse proxy appliances (with synchronized L7 session state). A quick overview:

We need to terminate the SSL on the LTM and then redirect the decrypted traffic from the LTM to the external appliance while retaining the destination IP address (as the virtual IP address). From what I understand this can be done through iRules. The reverse proxy will terminate the connection and send a new connection to the F5 LTM with the destination address retained as the VIP address (unchanged). The F5 will load balance the traffic to the backend servers. The server response will be converted from the real IP to the VIP and then we want the F5 to redirect the traffic back up to the appliance.

We would like the incoming client to server redirection to be symmetric with the outgoing server to client redirection using a simple cip^dip hash algo, so that the incoming flow goes back out the same reverse proxy appliance that it came in on. Could this be incorporated into the iRules without too much difficulty?

We would also like to use a Return to Sender type of functionality, if it exists on the F5 box as well. Redirection to the appliance in the client to server direction will be done via any load balancing metric, and the F5 will store the incoming MAC address of the appliance that received the traffic. When the traffic returns from the server, the packet will be converted rip to vip, and then a reverse lookup on the session will get the original source MAC, so that the packet can be switched out to the same appliance (on the return path).

We don't necessarily care about the client to appliance stickiness for subsequent sessions since the L7 state is synchronized across all of the reverse proxy appliances. We just need to guarantee that for a given flow/session, the client to server path and the server to client path go to the same reverse proxy appliance.

Are there any precanned iRules that I could take a look at that would be in line with what we would like to accomplish, mainly destination, dport and protocol client redirection using a symmetric hash algo or a stored source MAC?

thanks
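
The two mechanisms the question describes, a symmetric cip^dip hash that picks the same appliance for both directions of a flow, and a return-to-sender table that remembers the MAC of the appliance a forward flow was sent to, worked through below as an added example in plain Python rather than as an iRule. This is illustration code, not code from the thread or from F5; the pool addresses, MACs and client/VIP addresses are constructed example values, and the flow key is simplified to the address pair plus protocol because the client-facing and server-facing legs in this design do not share a port pair. The follow-up question about varying the hashing metric is covered by `symmetric_hash`, which is the one function you would swap out.

```python
import ipaddress
import zlib

# Constructed reverse proxy pool for the example: (address, MAC) pairs standing
# in for the appliance pool members.  Documentation/example values, not real hosts.
PROXY_POOL = [
    ("10.1.1.11", "00:00:5e:00:53:11"),
    ("10.1.1.12", "00:00:5e:00:53:12"),
    ("10.1.1.13", "00:00:5e:00:53:13"),
]


def ip_to_int(ip: str) -> int:
    """IPv4 dotted quad to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def symmetric_hash(ip_a: str, ip_b: str, proto: int = 6) -> int:
    """The 'cip ^ dip' idea from the question.

    XOR is commutative, so (client, vip) and (vip, client) give the same
    32-bit value.  Running that value through crc32 spreads neighbouring
    addresses across the pool better than taking the raw XOR modulo the pool
    size.  Ports are left out on purpose: only the address pair (and protocol)
    is stable across the client-to-server and server-to-client legs here.
    """
    x = ip_to_int(ip_a) ^ ip_to_int(ip_b)
    return zlib.crc32(x.to_bytes(4, "big") + bytes([proto])) & 0xFFFFFFFF


def select_proxy(src_ip: str, dst_ip: str, proto: int = 6, pool=PROXY_POOL):
    """Pick the pool member for a flow.  Because the hash is symmetric, the same
    member is returned when the flow is seen in the opposite direction."""
    if not pool:
        raise RuntimeError("no active proxy pool members")
    return pool[symmetric_hash(src_ip, dst_ip, proto) % len(pool)]


def flow_key(src_ip: str, dst_ip: str, proto: int = 6):
    """Direction-independent key for the return-to-sender table: sort the
    address pair so client->vip and vip->client land on the same entry."""
    a, b = sorted((ip_to_int(src_ip), ip_to_int(dst_ip)))
    return (a, b, proto)


class ReturnToSender:
    """Models the 'return to sender' alternative: remember which appliance (by
    MAC) a forward flow was handed to, and look it up on the return leg."""

    def __init__(self):
        self._table = {}

    def record(self, client_ip: str, vip: str, proxy_mac: str, proto: int = 6):
        """Called on the client->server leg, after whatever load-balancing
        metric chose the appliance."""
        self._table[flow_key(client_ip, vip, proto)] = proxy_mac

    def lookup(self, src_ip: str, dst_ip: str, proto: int = 6):
        """Called on the server->client leg, after the rip->vip rewrite.
        Returns the stored MAC, or None for a flow that was never recorded."""
        return self._table.get(flow_key(src_ip, dst_ip, proto))

    def forget(self, src_ip: str, dst_ip: str, proto: int = 6):
        """Drop the entry when the flow closes so the table cannot grow without bound."""
        self._table.pop(flow_key(src_ip, dst_ip, proto), None)


def demo():
    """Constructed flow: client 198.51.100.23 talking to VIP 203.0.113.10."""
    client, vip = "198.51.100.23", "203.0.113.10"
    forward = select_proxy(client, vip)   # client -> vip
    back = select_proxy(vip, client)      # vip -> client, after rip->vip rewrite
    assert forward == back                # symmetric hash: same appliance both ways

    rts = ReturnToSender()
    rts.record(client, vip, forward[1])   # remember the appliance MAC on the way in
    assert rts.lookup(vip, client) == forward[1]
    return forward, rts.lookup(vip, client)


if __name__ == "__main__":
    print(demo())
```

The hash variant costs no per-flow state but ties the choice of appliance to the address pair, so every flow from one client lands on one appliance; the table variant lets the forward leg use any metric at the price of keeping and expiring an entry per flow.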

  • So you are going to do:


    Client https -> BigIP Virtual on port 443 (terminate ssl) -> proxy pool -> BigIP Virtual server on port 80 -> server pool

    ??

    Most of your desires will be automatically handled (on the BigIP at least) by the auto-last-hop feature and transparent load balancing.

  • hi, Yes that is basically it. We would also like to try to use symmetric redirection filters as well as an alternative to the auto-last-hop feature. Also, from what I understand, the iRules will afford us some latitude in the processing order that this is performed. Initially we want to terminate the SSL on the F5, redirect, get the return packet on port 81 and load balance it and then symmetrically redirect it back up to the same proxy in the pool. We might have to jumble up the order at some point, depending on other requirements.


    Are there any samples of iRules for redirection (both content-based URL parsing and non-content-based/non-L7), where I can vary the type of hashing/metric used?


    thank you
  • Deb_Allen_18
    Historic F5 Account
    I don't believe there is an alternative to the autolasthop feature using iRules, but otherwise the flow you describe is pretty typical.


    For URI parsing examples, you can check out this wiki page:

    http://devcentral.f5.com/wiki/default.aspx/iRules/iRulesCommonConcepts.html

    If that doesn't give you what you need, post back with a more specific question & we'll try to help.


    /deb