mohammadhuq
Sep 19, 2022

How to configure F5 as a reverse proxy

Hi All,

I am pretty much new to F5 LTM. Currently I am working on a project where the client wants to deploy F5 as a reverse proxy. It is a brand new F5 and nothing has been configured on it yet. The client has two application servers which are hosted inside their network. Currently they are accessing the application internally. Now they want to access the application from the internet. Also note that the two application servers provide different services and the IP addresses of these two servers are different. In this case, F5 will not perform any load balancing between the two servers. For example, the public URL https://abc.com/sales will map to server 1 and https://abc.com/marketing will map to server 2. If I follow the F5 documentation below, will it work, or do I need to configure an iRule?

https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-local-traffic-manager-implementations-14-0-0/configuring-the-big-ip-system-as-a-reverse-proxy-server.html#GUID-5143C049-B896-4410-B3D2-4A16538A0610

Here is the IP address planning:

External IP : public IP address

Internal IP : private IP address

Management IP : private IP address.

Also, the above F5 documentation is for HTTP traffic, but in my case it is HTTPS. How do I configure it for HTTPS? Also, please let me know if there is any other method to deploy this solution.

Thanks.

Regards,

Mohammad 

4 Replies

  • Hi mohammadhuq ,

    First, as your external site will be running on https, you need to do SSL offloading on the F5 vServer. For this, you need to have a CA-signed certificate for your FQDN, i.e. abc.com, and you need to configure a client SSL profile which will have this certificate and its associated key. At the end, this client SSL profile will be mapped to the vServer.

    With this, all the incoming requests from the client to the F5 will be encrypted. F5 vServer will decrypt it and then forward request to the backend app servers. 

    For redirecting requests based on the URI, you can achieve this requirement using iRule as well as LTM policies.

    Below is one sample iRule which is for your use case.

     

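    when HTTP_REQUEST {
      # Route by URI prefix. Requests matching neither branch use the
      # virtual server's default pool, if one is set.
      if { [HTTP::uri] starts_with "/sales" } {
        pool pool-sales
      } elseif { [HTTP::uri] starts_with "/marketing" } {
        pool pool-marketing
      }
    }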
    

     There are some other important settings on the vServer that you need to consider.

    1. SNAT settings 

    2. SSL Profiles

    Hope it helps!
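
A stricter form of the path routing in the reply above, as an added example that is not part of the original post: it matches whole path segments (so a path such as /salesforce is not sent to pool-sales), ignores the query string, and answers unmatched paths on the BIG-IP instead of passing them to a default pool. The pool names come from the reply; the lower-casing and the 404 response are assumptions about how the two applications should be published.

```tcl
# Added example, not from the thread. pool-sales and pool-marketing are the
# pool names used in the reply; the 404 body and lower-casing are assumptions.
when HTTP_REQUEST {
    # HTTP::path is the request path without the query string.
    # Lower-case a copy for matching only; the request sent to the
    # backend is left unchanged.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/sales" -
        "/sales/*" {
            # Exactly /sales or anything below /sales/
            pool pool-sales
        }
        "/marketing" -
        "/marketing/*" {
            # Exactly /marketing or anything below /marketing/
            pool pool-marketing
        }
        default {
            # Not one of the two published applications: answer from the
            # BIG-IP so nothing else on the internal network is reachable
            # through this virtual server.
            HTTP::respond 404 content "Not Found" "Content-Type" "text/plain"
        }
    }
}
```

The virtual server needs an HTTP profile and the client SSL profile attached for HTTP_REQUEST to fire on decrypted HTTPS traffic.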

    • mohammadhuq

      Hi Mayur, 

      Thanks for your help. If my vServer is HTTPS and my backend server is HTTP, will it work? For this, do I need to create any policy for redirect?
      Another question: if the backend server is HTTPS and the client wants to encrypt the traffic from F5 to the backend server, then I think we need to create an SSL profile for the server. In this case, can we use the generic server SSL profile which is available by default in F5, or do we need to create an SSL profile like the client SSL profile?

      Thanks.

      Regards,

      Mohammad

  • Hello Mohammad,

    A Rewrite profile is not mandatory when passing the traffic through the F5. You can just create LTM objects as you mentioned: Node, Pool, and virtual server for each application. Then, make the required change on the hop before the F5. (For example, make a destination NAT on the firewall before that F5 to forward traffic to the virtual server IPs.)

    And as Mayur mentioned, don't forget to configure source address translation in the virtual server settings to avoid any asymmetric routing issues.

    Everything should work smoothly even if you didn't do any SSL offloading. But in case you need to set any conditions on the URIs, modify any HTTP headers, or assign an ASM security policy, you will need to use client SSL and import both the certificate and key on the F5.

  • Hi mohammadhuq 

    If you want to decrypt traffic on the F5 vServer then you need to configure SSL profiles on the vServer.

    In case, if your vServer is on https and backend server is running non-secured port ( e.g. http) then you need to configure only client ssl profile.

    In case your vServer as well as backend server is running on secured port e.g. 443, then you need to configure client as well as server ssl profile so vServer can decrypt & encrypt both side connection flows.

    To know about SSL profiles, please refer below articles.

    Client SSL Profile 

    Server SSL Profile 

     

    Hope it helps!