Forum Discussion

LanceLyons
Feb 10, 2023

Reverse Proxy Setup

Hi, we have an internal site that serves up simple avatar images:

https://services2.companyname.com/avatars/filename.jpg

This site is internal and has no access from the DMZ (although we do have certain ports like 442 open from some machines to this site).

Naturally clients on the internet would not be able to get to https://services2.companyname.com/avatars/filename.jpg

However, they can get to https://services.companyname.com/avatars/filename.jpg

We have 2 F5s (one in the DMZ serving external sites and one internal serving internal sites).

I would like to do a reverse proxy so that customers that would hit https://services.companyname.com/avatars/filename.jpg would actually get content from https://services2.companyname.com/avatars/filename.jpg

I have set up a rewrite profile in the external F5 that services the URL (services.companyname.com/avatars) to rewrite to (services2.companyname.com/avatars).



This seems to work when I am VPN'd to my company, where I would have access to services2.companyname.com. But when I am not VPN'd in, it does not work. It rewrites to services2.companyname.com but throws the same error as it would trying to hit that URL outside.

What am I missing here that would allow the content to be served?

Is this not working because my F5 in the DMZ does have access to the internal site services2.companyname.com on the port 443?



Thanks
Lance

  • LanceLyons, if the F5 from the DMZ cannot reach the internal F5, that would definitely be one of the issues here, because if the F5 in the DMZ can't reach the content in Internal then the connection would just time out.

  • Hi Lance,

    I would think of this in multiple steps:

    1. Ensure that your external F5 can reach the internal sites, or at least that it can reach the internal F5 where that content can be fetched from in a specific virtual server.

    2. If the client makes a request for "/avatars/filename.jpg", divert the request to an alternative pool. This can be done with an iRule. This "avatar pool" would contain either the internal servers or a VS in your internal F5.

    3. In the same iRule you'll probably have to rewrite the host and uri parts, and that must be done transparently to the client - meaning: no redirects involved in the operation.

    Good hunting!

    /Mike
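
An iRule along the lines of steps 2 and 3 above, added here as an illustration and not posted by anyone in the thread. The pool name `avatar_pool` is hypothetical, and the sketch assumes the external virtual server has both a client SSL and a server SSL profile so the F5 can read the HTTP request and re-encrypt it to the HTTPS back end. It publishes only the `/avatars/` prefix, so the proxy does not become a general path into the internal site:

```tcl
# Added example, not from the thread.
# Assumption: avatar_pool is a hypothetical pool on the external F5 whose
# member is the internal server (or a virtual server on the internal F5).
when HTTP_REQUEST {
    # Decode once and lowercase so encoded dot-segments and case variants
    # are evaluated the same way as the plain form.
    set path [string tolower [URI::decode [HTTP::path]]]

    if { $path starts_with "/avatars/" } {
        # Only this prefix is published. Refuse anything that could climb
        # out of it and reach other content on the internal host.
        if { $path contains ".." } {
            HTTP::respond 403 content "Forbidden"
            return
        }

        # Static images only need read methods.
        if { [HTTP::method] ne "GET" && [HTTP::method] ne "HEAD" } {
            HTTP::respond 405 content "Method Not Allowed" Allow "GET, HEAD"
            return
        }

        # Server-side rewrite only: the client keeps talking to
        # services.companyname.com and never receives a redirect.
        # The path is the same on both hosts in the question, so only the
        # Host header changes; a differing back-end path would also need
        # HTTP::uri set here.
        HTTP::header replace Host "services2.companyname.com"

        # Send this request to the internal content instead of the
        # virtual server's default pool.
        pool avatar_pool
    }
    # Everything else falls through to the default pool unchanged.
}
```

The firewall rule from step 1 can then be limited to the external F5's self IP reaching the pool member on its HTTPS port, rather than opening the internal site to the DMZ more broadly.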