Forum Discussion
reverse proxy
Hi All,
We are going to use BIG-IP mainly as a reverse proxy.
A test scenario (see attached drawing) is that a user on the Internet (client side) will access 2 web services running on 2 internal servers (server-001 and server-002). Depending on the URL the user is executing, different web services should be served:
https://test.com/ - web service
https://test.com/sales - web service
I hope some of you could give some tips for what is the right way to implement it. I wondered if that would work:
- create virtual server with our company SSL Profile on client side and default 'serverssl' on server side
- that virtual server is assigned a pool of 2 nodes: server-001 and server-002
- that virtual server is assigned 'rewrite profile' for URI translation as follows:
Is it a proper way of setting up the reverse proxy for our need? Or am I maybe approaching it totally wrong? Are iRules or other features of BIG-IP a better option here?
Any hint will be much appreciated. Thanks!
- Srini_87152 (Cirrostratus)
Hi,
You can do it via an iRule, but what is the case if node1 is down? Will node2 serve the request? Or do you want it to always go to node1 and fail the request if node2 is not available?
Thx Srini
- mc_344761 (Nimbostratus)
Hi Srini,
node 1 (server-001) is for request 1 (https://test.com/) and node-2 (server-002) is for request 2 (https://test.com/sale).
node 1 and node 2 are not redundant to each other, meaning if node 2 is down then request 2 won't work and vice versa. Is it OK to have them in the same pool then? I'm just thinking out loud...
Rewrite profile won't work here?
Thanks
- Srini_87152 (Cirrostratus)
Hi,
You can create two pools: pool_pool1 with the node 1 server and pool_pool2 with the node 2 server. Assign pool_pool1 as the default pool at the VIP level, then create the following iRule and assign it to the VIP.
So any traffic coming in on https://test.com/ will connect to pool_pool1 and /sale will connect to pool_pool2.
Thx
Srini
=========================================================
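when HTTP_REQUEST {
    # Match on the lower-cased path so /Sale and /sale are treated alike
    switch -glob [string tolower [HTTP::path]] {
        "/sale*" {
            # /sale and any path starting with it goes to server-002
            pool pool_pool2
        }
        default {
            # everything else, including /, goes to server-001
            pool pool_pool1
        }
    }
}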
=========================================
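A stricter variant of the path-based pool selection discussed in this thread, as an added example that is not code posted by any participant. The pool names pool_pool1 and pool_pool2 and the /sale prefix come from the thread; rejecting dot-dot paths with a 400 and the log format are assumptions about what the site wants.

```tcl
when HTTP_REQUEST {
    # Compare against a decoded, lower-cased copy of the path so that
    # /Sale and /%73ale are routed the same way as /sale.
    set path [string tolower [URI::decode [HTTP::path]]]

    # Conservative check (assumption): refuse paths with a dot-dot segment,
    # so /sale/../x cannot be sent to the /sale backend and resolved
    # there as /x.
    if { $path contains "/.." } {
        log local0. "rejected path from [IP::client_addr]: [HTTP::path]"
        HTTP::respond 400 content "Bad Request"
        return
    }

    switch -glob -- $path {
        "/sale" -
        "/sale/*" {
            # Segment-boundary match: /sale and /sale/... only.
            # A bare "/sale*" would also route /salesforce or /sale-old here.
            pool pool_pool2
        }
        default {
            # Select a pool explicitly on every request, so a request never
            # inherits the pool chosen for an earlier request on the same
            # client connection.
            pool pool_pool1
        }
    }
}
```

If the second service really lives under /sales, as in the first post, change both patterns accordingly.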
- mc_344761 (Nimbostratus)
Thanks again Srini,
As you pointed out, I have now created 2 pools (one pool for each server).
I tried both the iRule you suggested (I must refresh my coding knowledge :)) and another solution based on a policy and rewrite profile (see further down). Neither of them has worked yet, but I'm still testing.
And still some issues:
- request from internet to VS comes as https://test.com
  - Client SSL profile was created and linked to VS on client side
- request from VS to server must have a format of test.exe (including test.exe part)
  - so I believe my iRule will have to include that change in URL (in addition to redirecting traffic to a proper pool) - or is there another way of fixing it? Should I mix it with a rewrite profile or better include everything in the iRule?
- in addition, https between VS and server is using another SSL profile (other certificate)
  - when I tested it towards only one pool I managed to access a webpage but it was presented as simple text - looks like there are some issues with java scripts... I wonder if it could have anything to do with the fact of using different SSL profiles on client and server side
I found this article about setting up BIG-IP as a reverse proxy with use of policy and rewrite profile:
Using a rewrite profile takes care of the URL change, and a policy takes care of redirecting traffic to the proper pool. I tested it but the policy didn't work for me - all requests are forwarded to the same pool :/
Anyway - I appreciate your help. Do you know if using 2 SSL profiles (with different certificates) for the internal and external side of BIG-IP might be a problem in my case?
Thanks again
mc
- Srini_87152 (Cirrostratus)
My bad, I missed test.exe. 2 SSL profiles [bridging] should be fine.
Thx
Srini
- mc_344761 (Nimbostratus)
Thanks for your help and sorry for the late response. In the end I set up 1 VS without any pool defined in resources. The REWRITE profile linked to that VS rewrites URL links accordingly. The POLICY redirects https requests to the right pools based on the requested URI.
michal
- Amresh008 (Nimbostratus)
Hi Michal,
I would suggest you start the config without SSL, as when the non-SSL setup works, the SSL one soon will. You should first be able to get the incoming traffic to hit your servers. As you are dealing with different interfaces (WAN side and LAN side) with different ranges of IP addresses, it would require routing or NATting for the traffic to pass your load balancer, and you would also require config for the reverse route. The rest of the config is easy :-)