reverse proxy
19 Topics

F5 Reverse Proxy with MFA
Hi, We have a requirement to implement reverse proxy with multifactor authentication. The current network setup has a cloud WAF which forwards traffic to on-premise application LB VIP. F5 support guided me to use APM+LTM in DMZ which will act as reverse proxy with MFA. But from the APM data sheets, it looks more like an SSL VPN. So I am concerned if this solution will work with SSL inspection on the Cloud WAF.
Traffic flow:
External user (HTTPS) >> Cloud WAF (SSL inspection, NAT) >> F5 APM + LTM (Reverse proxy + MFA + SSL offloading) >> Internal LB >> HTTP APP Servers
Can anyone please guide me on this requirement?
3.9K Views, 0 likes, 2 Comments

NGINX reverse proxy authentication module with DUO
Dears, I need to publish an on-prem Tableau server, so I have 2 NGINX Plus reverse proxy servers and DUO for SSO and MFA. How can I enable 2FA on the DMZ environment using the NGINX reverse proxy? Is there any authentication module or anything that is supposed to help me? Thanks BTW, Ussama
1.4K Views, 0 likes, 2 Comments

How to keep the internal URL in browser address bar and point to external website
Is there a way to keep the internal web address all the time and point it to a public URL? Let's say I have an internal web address called honest2.company.com which has 10.10.2.35, and have a public website hosted on Azure, let's say abc123pqr456xyz789.azurewebsites.net, and I create a VIP honest2_company_http for 10.10.2.35. Now when anyone from my company accesses http://honest2.company.com, for users the URL always remains as http://honest2.company.com but it will display the content of abc123pqr456xyz789.azurewebsites.net. Is it possible via iRule, forward or reverse proxy or any other way? Please give me some pointers or clues.
1.2K Views, 0 likes, 23 Comments

Working without trailing slash in LTM rewrite profile URI rules
Hi, I am trying to implement a simple reverse proxy with load balancing based on URI path. Here is the example:
F5 VIP 1 listening to main.example.com:80 - default HTTP to HTTPS redirect iRule is applied
F5 VIP 2 listening to main.example.com:443
App server 1 listening to foo.example.com:443
App server 2 listening to bar.example.com:443
App server 3 listening to portal.example.com:443
Rewriting rules and load balancing rules examples:
https://main.example.com -> https://portal.example.com/src/portal/ (App server 3)
https://main.example.com/aa/ -> https://foo.example.com/aa/ (App server 1)
https://main.example.com/bb/cc/ -> https://foo.example.com/bb/cc/ (App server 1)
https://main.example.com/dd/ -> https://bar.example.com/dd/ (App server 2)
https://main.example.com/dd -> https://bar.example.com/dd/ (App server 2)
So basically there are 3 different back end app servers, each listening on a different virtual host, and client requests should be redirected to these servers based on the URI path, while the host part of the URL must also be rewritten in all headers and the whole HTML content. The end user must always see only main.example.com in their browser's address field.
In prior TMOS versions there was the ProxyPass iRule used for such functionality. But since my case is not too complicated and I am running 11.6, there is a way to supplement ProxyPass functionality with built-in features: LTM Rewrite profile and LTM policy. I do the necessary URI rewrite in the rewrite profile via URI rules and request forwarding in LTM policy rules. Everything works just fine, except one small annoying thing. Users want to have the option to ignore the trailing slash in the URI path when calling a default resource within a directory. So for example, they want to be able to call main.example.com/dd and get the default resource from the /dd/ directory.
My problem is that the LTM rewrite profile does not allow me to specify URI rules without a slash at the end of the URI. And without it, the whole concept does not work. Because when the user calls main.example.com/dd, F5 does not match this request to any URI rewrite rules, hence the host part stays "main" instead of being rewritten to "bar". The LTM policy actually forwards the request to the correct app server because in the LTM policy I am able to declare a condition "if URI path begins with /dd". But app server 2 does not accept requests for virtual host 'main'. So I get an error. And I cannot do the URL rewrite in the LTM policy. I need to rewrite all links in headers, cookies and content, so I need to use the LTM rewrite profile to accomplish all that.
Also something like 'main.example.com/zz' can be a legitimate request for a file called 'zz' inside the root directory of the app server. So the F5 needs to be able to also rewrite requests without a trailing slash and catch the HTTP redirects, and rewrite them accordingly in HTTP responses as well. Blindly inserting '/' at the end of each request is hence not possible. Any idea would be much appreciated! Thanks.
699 Views, 0 likes, 1 Comment

Using F5 instead of nginx for reverse proxy
Hello All, We're doing an implementation of a product and the vendor has a deployment guide for using nginx; however, I've been asked to convert the nginx configuration to the F5 instead. I'm not entirely familiar with nginx so I want to make sure that I understand how to do this properly based on the configuration they've given. I've taken parts of the configuration guide they've provided and attached them below as well as my interpretation of the instructions as to how the F5 will handle it.
For example, a request to <>/Portal/Guest/Login.htm is sent to the backend as a request for http://<>/Guest/Login.htm. The header "Host: Portal" is added to the backend request, replacing the original "Host: www.<>" header.
I believe that much of this behaviour is accomplished by default on the F5. For example, converting from https to http can be done with SSL offloading and a client-ssl profile. The forwarding to the internal web server name is simply the way the F5 forwards traffic to the appropriate pool, I think? The part that I'm not sure how best to implement is the removing of /Portal/ from the URI and replacing the host header with Portal (there are also about 10 other applications that I will need to do this for). My initial thought is to use a Policy to match the host header and URI path and rewrite them? For example : Will this work? Or do I need to add more info to remove /Portal/ from the path in the actions section?
651 Views, 0 likes, 3 Comments

Lync 2013 using iApp - Reverse Proxy Issues
Using iApp f5.microsoft_lync_server_2010_2013.v1.2.0 with a new Lync 2013 deployment. Having some problems getting internal mobile clients working. We are currently testing with the Microsoft Lync Analyzer tool as well as iPads and a Windows 8 tablet. We have 2 F5s. One is in our DMZ, the other is internal. On the DMZ F5 we have set it up as the Reverse Proxy and given it an IP of 10.10.10.244. It has the cert with all the correct SANs. In the next section of the iApp it asks for the IP address of the internal side of the Reverse Proxy along with certs, and we have it set up with 10.10.20.60 and the correct certs.
This is where things get a little confusing for me. The instructions in the iApp ask: What is the port 443 virtual server IP address that forwards traffic to the Front End Servers? I can't telnet to 10.10.20.60 over port 443, but I think that's expected because it should be using 4443, correct? It is doing a reverse proxy from 443 to 4443. So is the wording wrong in the iApp instruction or am I reading it wrong?
The error from the testing tool is: *An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.*
That leads me to believe that the Reverse Proxy External IP is accepting the connection, trying to send it on to its next hop, the internal IP, and then failing. Possibly a cert issue, so I ran tcpdump on the DMZ F5 and I see no attempt of it trying to traffic back out. Thoughts?
640 Views, 0 likes, 26 Comments

Sizing BIG-IP LTM with APM module
Hi, We have the below expectations on user load. How do we initiate our sizing discussions? Is there any sizing calculator?
~31,000 devices with ~81,000 connections
That apart, what are the other considerations and parameters we should ask for sizing? We want to use F5 mainly for reverse proxy and ActiveSync SSL authentication + Forms based authentication. Any insight much appreciated.
Solved. 638 Views, 0 likes, 8 Comments

Masking URL from different domains user authentication.
Hi guys. I appreciate your support or suggestions to solve the following scenario: We have a single website that has two login pages in different directories and that we use to authenticate two different clients; however, they have asked us to mask the URL, and for one of the clients the URL looks as if it were accessing from another domain.
1. Is it possible to do this URL masking?
2. What procedure should we carry out if possible?
3. Any alternative plan that can meet this requirement?
We appreciate your support or ideas. Thanks!!
612 Views, 0 likes, 7 Comments

Can someone take a look and make sure I understand this right about reverse proxy
Preface: Yes I know not a whole lot but I'm trying. If someone could just take a look at this and maybe it will help me find what piece I am missing. We have an internal server that needs to be accessed on the outside, but they don't want it actually touching the internet so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the External IP address. A lot of what I set up has been copied from a currently working site that utilizes this exact same process.
From my understanding the connection "route" is as follows:
Internet-->ExtIP-->F5virtualIP-->IntIP
The External IP gets NATted on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well.
Internally, on my work PC, I can navigate to the site via its FQDN. Externally though, I get a Not Secure Site message (we haven't gotten the cert in place yet so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load. I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.
599 Views, 0 likes, 2 Comments

NGINX Migration, Rewrite Profile: Is there another way?
We are migrating, as part of a project, a big NGINX implementation to an F5. Basically, it would assume the role of a reverse proxy. The two biggest things the NGINX does are:
Translating from external hosts (www.example.com) to internal hosts (www.example.local)
Load balancing between different back-end servers, depending on the URI.
For the first point: There are a BUNCH of translations. We're using a rewrite profile. Sometimes, www.example.com/ translates to www.example.local/, and www.example.com/app1/ translates to www.example2.com/app1. And, on a single rewrite profile, there are, I think, more than 50 rules. Is there a better way of doing this? Should we really modify back-end servers to accept both hosts, external and internal? And, how do we deal with URIs with no trailing slash? If they have none, it won't match the rewrite rule. Should we add 301 respond to each and every URI?
The second: Should we use policies or iRules? I've got to confess, we already have big iRules, separated with procs and the like. So, migrating that to policies would be a pain in the ass.
EDIT: One more question: We have different client side URLs that need to be rewritten to the same server: www.example.com/app1 and www.example.com/app2 to www.example.local/. However, for some reason, the rewrite profile does not allow for this. How can we achieve it?
577 Views, 0 likes, 1 Comment