Forum Discussion
Shivam_84461
Nimbostratus
NimbostratusUsing Apache ProxyPass Irule for reverseproxy
I am trying to replace my apache server which are currently working as reverseproxy server for one of our application. Instead of apache we want to to use F5 to do the same task.
The proxypass Irule is too big for me to understand and I am getting confused where to make changes to get the desired result. I'll quickly tell what we are doing with apache.
We have a application hosted on Salesforce but we are trying to mask the salesforce URL with the URL we want. So if the application is hosted on xyz.Salesforce.com/abc we want the users to see it like app.company.com.
Currently everything is working on apache and we are doing SSL offloading on apache only. Now things i know I need to do on f5 are,
Create a VS Create a DAtagroup with name ProxyPassVSname Create Irule (Proxypass)
Create pool and add salesforce server IP on that pool.
I did all that but I am not sure what changes on Proxypass Irule I need to make.
Let me know if you guys need more info.
I am a newbie so please help me.
Thanks Shivam
Mark_van_DCirrostratus
Hi Shivam,
You shouldn't need to make any changes to the ProxyPass irule, unless you need to configure debugging or rewriteresponse under the RULE_INIT section.
If your VS name is salesforce_vs, then your datagroup should be called: ProxyPasssalesforce_vs
So with your examples of xyz.Salesforce.com/abc and app.company.com you would need to add the following to the datagroup.
string: app.company.com/ value: xyz.salesforce.com/abc
How are you looking at configuring your SSL offloading? I would assume you will need a client ssl profile for app.company.com and a server ssl profile so that the traffic to salesforce is encrypted.
daboochmeisterCirrus
I did Apache proxypass config for years, and have used the equiv iRule, to good effect - that said, in many situations you can get by with something much simpler.
- Create your SSL offload virtual server
- Define and add to the VS a stream profile, and define your string replacements there; if you have multiple replacements, use a regexp in the "Target" field only. See: https://support.f5.com/kb/en-us/solutions/public/8000/100/sol8115.html ... this will make replacements in both your headers and content returned. For help in formatting string replacements: https://devcentral.f5.com/articles/ltm-stream-profile-multiple-replacements-regular-expressions but make sure to check the previous link i provided, because some things change in v11, and more changes in v11.4
- If you're pre-11.4, make sure to set response processing in the HTTP profile to "rechunk"
Voila. Note this works if you don't need content-specific logic concerning what string replacements to make.
Shivam_84461Hello daboochmeister, I tried this but this is not working. After attaching the stream profile to VS the page is not even replacing the url.- daboochmeisterCan you describe what you mean, that the page is not replacing the URL? Couple of possibilities - I misspoke, the stream profile only makes replacements in returned content. To replace the URLs in any returned headers (e.g. Location headers associated with redirects), you can setup a Rewrite profile. Also, the stream profile replacements only work if you virtual has an HTTP profile as well (even just the default one, "http", is fine).
- Shivam_84461Not replacing the URL means when I go to app.company.com its going to xyz.Salesforce.com..Like what a virtual server does. Just forwards the traffic to pool member. I'll try to attach both html profile and a rewrite profile.
daboochmeister_Altocumulus
I did Apache proxypass config for years, and have used the equiv iRule, to good effect - that said, in many situations you can get by with something much simpler.
- Create your SSL offload virtual server
- Define and add to the VS a stream profile, and define your string replacements there; if you have multiple replacements, use a regexp in the "Target" field only. See: https://support.f5.com/kb/en-us/solutions/public/8000/100/sol8115.html ... this will make replacements in both your headers and content returned. For help in formatting string replacements: https://devcentral.f5.com/articles/ltm-stream-profile-multiple-replacements-regular-expressions but make sure to check the previous link i provided, because some things change in v11, and more changes in v11.4
- If you're pre-11.4, make sure to set response processing in the HTTP profile to "rechunk"
Voila. Note this works if you don't need content-specific logic concerning what string replacements to make.
- Shivam_84461Hello daboochmeister, I tried this but this is not working. After attaching the stream profile to VS the page is not even replacing the url.
- daboochmeister_Can you describe what you mean, that the page is not replacing the URL? Couple of possibilities - I misspoke, the stream profile only makes replacements in returned content. To replace the URLs in any returned headers (e.g. Location headers associated with redirects), you can setup a Rewrite profile. Also, the stream profile replacements only work if you virtual has an HTTP profile as well (even just the default one, "http", is fine).
- Shivam_84461Not replacing the URL means when I go to app.company.com its going to xyz.Salesforce.com..Like what a virtual server does. Just forwards the traffic to pool member. I'll try to attach both html profile and a rewrite profile.
Hi Shivam,
Depending on how complicated your Apache rewrite configuration is, you can look into using LTM policies. The following page describes how best to use this https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-6-0/24.htmlconceptid
- Shivam_84461Hello Shain, I went through this document but it looks like no where it helps me the way I want it to work. May be I am not understanding but when I read it its not masking the URL anywhere.
mnb_63148when HTTP_REQUEST {
HTTP::header replace Host "app.company.com"}
when HTTP_RESPONSE {
HTTP::header replace Host "xyz.Salesforce.com"}
- Shivam_84461
Hello All,
Thanks for posting the responses. It was really helpful. Got it working finally..
Thanks Shivam