I have a server which hosts multiple applications, like
example1.max.com, example2.max.com, example3.max.com and so on.
I have only one server, so I could make only one Node in F5, and all the applications are listening on the same port, 443.
So, what is the recommended way of making an ASM policy for this kind of scenario?
Minimally, you could assign a policy based on the HTTP Host value.
So what I'd do is a setup called VIP targeting VIP. Basically it's like layer 7 NAT! (Google "F5 VIP targeting VIP" for a YouTube video.)
So one virtual server on the front with an IP/VIP, where traffic that is on the network,
(it doesn't need a pool).
Then set up as many virtual servers as you want for each server, so something like
all configured normally with pools and everything as per normal. Make sure you set an HTTP profile so the F5 understands the HTTP header!
Then you set up a policy that has something like:
If HTTP Host contains example1.max.com forward traffic to example1-VS
If HTTP Host contains example2.max.com forward traffic to example2-VS
So when traffic hits the external VS, it can read the header and then forward it to the correct virtual server.
Now, where this is important is that you can assign a different ASM policy to each exampleXXX-VS you create without any issues.
You can also attach DoS and other services purely on the external IP, and keep the layer 3-4 and layer 7 controls independent.
If you need screenshots let me know.
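The layout described in this post, written out in bigip.conf/tmsh syntax as an added example (it is not the poster's configuration). Object names, addresses, pool names and the WAF policy names `/Common/waf_example1` etc. are constructed placeholders; the WAF policies themselves are assumed to already exist in ASM.

```tmsh
# Added example (not from the thread): the VIP-targeting-VIP layout described above,
# in bigip.conf/tmsh syntax. Names, addresses and WAF policy names are constructed
# placeholders; load with "tmsh load sys config merge from-terminal".

# The single back-end server, shared by every pool.
ltm node /Common/appserver {
    address 10.1.1.10
}
ltm pool /Common/example1_pool {
    members { /Common/appserver:443 { address 10.1.1.10 } }
    monitor /Common/https
}
ltm pool /Common/example2_pool {
    members { /Common/appserver:443 { address 10.1.1.10 } }
    monitor /Common/https
}

# Back-end VS for example1, on a non-public address. TLS is terminated on the front VS,
# so it only needs http (to parse headers) and serverssl (to re-encrypt to port 443).
# Its own WAF policy is attached through a websecurity profile plus an asm-enabling
# LTM policy, the same pair of objects the GUI creates when you assign a WAF policy.
ltm policy /Common/asm_example1 {
    controls { asm }
    requires { http }
    rules {
        enable_waf {
            actions { 0 { asm request enable policy /Common/waf_example1 } }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
ltm virtual /Common/example1-VS {
    destination /Common/10.10.10.1:443
    ip-protocol tcp
    pool /Common/example1_pool
    policies { /Common/asm_example1 { } }
    profiles {
        /Common/http { }
        /Common/serverssl { context serverside }
        /Common/tcp { }
        /Common/websecurity { }
    }
    source 0.0.0.0/0
}
# example2-VS (and example3-VS) repeat the stanza above with their own pool and WAF policy.

# Front VS on the only public address. It has no pool: the forwarding policy hands each
# request to a back-end VS chosen by HTTP Host. Client TLS must end here so the Host
# header is readable; no WAF policy is attached at this layer.
ltm policy /Common/route_by_host {
    controls { forwarding }
    requires { http }
    rules {
        to_example1 {
            conditions { 0 { http-host host values { example1.max.com } } }
            actions { 0 { forward request select virtual /Common/example1-VS } }
            ordinal 1
        }
        to_example2 {
            conditions { 0 { http-host host values { example2.max.com } } }
            actions { 0 { forward request select virtual /Common/example2-VS } }
            ordinal 2
        }
    }
    strategy /Common/first-match
}
ltm virtual /Common/public-VS {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    policies { /Common/route_by_host { } }
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
}
```

Two choices in the example differ slightly from the post and are deliberate. The Host conditions use the default exact comparison rather than "contains", because a "contains example1.max.com" rule also matches any longer hostname that merely includes that string; if an application has several legitimate names, list them all in `values`. And since the front VS terminates TLS, its client-SSL profile must present a certificate valid for every hostname (one certificate with all names as SANs, or SNI-based selection), otherwise browsers reject the connection before the Host header is ever read.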
VIP targeting is definitely a useful approach.
You could also simply attach an LTM policy to the application VIP to dynamically assign the WAF policy based on HTTP Host.
- CPM policy
  - Rule 1: HTTP Host is www.example1.max on request -> enable asm (waf_policy_a)
  - Rule 2: HTTP Host is www.example2.max on request -> enable asm (waf_policy_b)
  - Rule 3: HTTP Host is www.example3.max on request -> enable asm (waf_policy_c)
  - Rule 4: disable asm on request
Yes, this can definitely work. But the applications that are hosted on that single server are public applications and need to be accessed publicly. The solution you have provided would require a public IP for each application (virtual server), and I have only one public IP available for that server. So I can only make one virtual server in my case.
That's not what he's saying. You create a single client-facing VIP and use an LTM (CPM) policy to VIP target to the set of application VIPs that are not externally exposed. Traffic comes to the frontend VIP and LTM policy steers the traffic to one of the backend application VIPs based on HTTP Host.
You're only exposing one public IP at the frontend VIP.
So you can use this single frontend VIP to either VIP target to backend application VIPs, or you can use the LTM policy to directly attach the WAF policy to the one frontend VIP. For the latter, you'd also need to dynamically assign the pool and (optionally) server SSL.
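The single-VIP alternative (the four CPM rules listed earlier, plus the pool and server-SSL selection mentioned in this reply), written out in bigip.conf/tmsh syntax as an added example that is not from either poster. Names, addresses and the WAF policy names `waf_policy_a`/`b`/`c` are constructed placeholders; the three pools are assumed to already exist, one per application, all pointing at the same node on port 443. The `server-ssl` policy action and control are assumed to be available on the running BIG-IP version.

```tmsh
# Added example (not from the thread): one public VS that carries all WAF policies.
# The LTM (CPM) policy picks the WAF policy, the pool and server-side TLS per HTTP Host.
# Names, addresses and WAF policy names are constructed placeholders; the pools
# example1_pool/example2_pool/example3_pool are assumed to exist already.
# Load with "tmsh load sys config merge from-terminal".

ltm policy /Common/waf_by_host {
    controls { asm forwarding server-ssl }
    requires { http }
    rules {
        app1 {
            conditions { 0 { http-host host values { www.example1.max } } }
            actions {
                0 { asm request enable policy /Common/waf_policy_a }
                1 { forward request select pool /Common/example1_pool }
                2 { server-ssl request enable }
            }
            ordinal 1
        }
        app2 {
            conditions { 0 { http-host host values { www.example2.max } } }
            actions {
                0 { asm request enable policy /Common/waf_policy_b }
                1 { forward request select pool /Common/example2_pool }
                2 { server-ssl request enable }
            }
            ordinal 2
        }
        app3 {
            conditions { 0 { http-host host values { www.example3.max } } }
            actions {
                0 { asm request enable policy /Common/waf_policy_c }
                1 { forward request select pool /Common/example3_pool }
                2 { server-ssl request enable }
            }
            ordinal 3
        }
        # Catch-all, same as "Rule 4" above: no condition, so it matches any other Host.
        unknown_host {
            actions { 0 { asm request disable } }
            ordinal 4
        }
    }
    strategy /Common/first-match
}

# The one public VS. No default pool: the policy selects it per request. websecurity
# is required for the asm actions; serverssl is attached here and toggled by the policy.
ltm virtual /Common/public-VS {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    policies { /Common/waf_by_host { } }
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/serverssl { context serverside }
        /Common/tcp { }
        /Common/websecurity { }
    }
    source 0.0.0.0/0
}
```

Because the VS has no default pool, a request whose Host matches none of the first three rules falls into `unknown_host` with ASM disabled and no pool selected, so it is not forwarded anywhere; on a shared public IP that is the behaviour you want, and it keeps requests for unexpected hostnames from reaching the back-end without inspection. Compared with the VIP-targeting layout, everything lives on one virtual server, so DoS or other L3-4 controls attached to it apply to all three applications at once rather than independently.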