Masking URL from diferent domains user autentication.
Hi guys. I appreciate your support or suggestions to solve the following scenario: We have a single website that has two login pages in different directories and that we use to authenticate two different clients, however they have asked us to mask the URL and for one of the clients the URL looks as if it were accessing from another domain . 1. Is it possible to do this URL masking? 2. What procedure should we carry out if possible? 3. Any alternative plan that can meet this requirement? We appreciate your support or ideas. Thanks!!
NGINX reverse proxy authentication module with DUO
Dears, I need to publish on-prem Tableau server so i have 2 nginx plus reverse proxies servers and DUO for SSO and MFA so How can i enable 2FA on the DMZ environmet using nginx reverse proxy? Is there is any authentication module or anything suppose to help me? Thanks BTW, Ussama
Issues with reverse proxying the application using socket.io and Secure Websockets
Hello, I am trying to setup a reverse proxy for the application written with socket.io which tries to upgrade the connection to Secure Websockets. Looking at the docs WSS should be supported in BIG-IP 11.5.4, however I am getting some connection errors as per below (trace from the Firebug): The connection to wss://host.example.com/launchpad/socket.io/?EIO=3&transport=websocket&sid=GTQLD62vWeuwQwIzAAIp was interrupted while the page was loading. socket.io.js (line 3, col 1049) Are there any limitations known when using LTM and WSS ? In my existing lab configuration I am using both rewrite rules and stream profiles to rewrite URLs. Thanks a lot for any comments Regards
reverse proxy mapping of server with strict header checking
We are trying to map a number of separately developed apps onto the same domain with each app in a subdomain, so users can request https://.ourdomain.com/ and get directed to the correct app. Apps we developed are in pools in our own hosting and working fine. We also need to map one app developed by a third party and hosted externally (https://thirdpartyapp.theirdomain.com/). We have the ip address of this third party app in a pool and the traffic is flowing correctly but some browsers set headers which cause resource requests that follow the initial connection to receive a 403 FORBIDDEN response. Unfortunately I don't have access to the Big-IP - it's a managed service, so writing and debugging iRules is a slow process. What I need help with... Does this iRule effectively substitute headers in the outgoing request? I know the replace works, but how do I know these are the headers going over to the other end (I have no access to F5 or to 3rd party server). { set uri [HTTP::uri] set httpver [HTTP::version] set headers [HTTP::header names] array unset request array set request {uri $uri} foreach header $headers { regsub -all {externalapp.ourdomain.com} [HTTP::header $header] prod-thirdpartyapp.theirdomain.com newheadervalue set request($header) $newheadervalue } set ENCRYPT 1;pool POOL-thirdparty-443-external;snat [IP::local_addr] } I know the regsub is replacing the headers correctly. Where I am losing confidence is that I can't see the request headers of the outbound connection to the third party server. Do I need to write the headers back into HTTP::header or does "set request" do that for the outbound request - i.e. is request a special object on the F5 that automatically sets the server side https request? Thanks for your help
Can someone take a look and make sure I understand this right about reverse proxy
Preface: Yes I know not a whole lot but I'm trying. If someone could just take a look at this and maybe it will help me find what piece I am missing. We have an internal server that needs to be accessed on the outside, but they don't want it actually touching the internet so we run it through the BIG-IP F5 LTM. The internal IIS has an internal IP and an external IP assigned. The DNS entry is bound to the External IP address. A lot of what I setup has been copied from a currently working site that utilizes this exact same process. From my understanding the connection "route" is as follows: Internet-->ExtIP-->F5virtualIP-->IntIP The External IP gets natted on the firewall to the F5 internal IP of the virtual server, and then the F5 virtual server is linked to the actual internal server IP. We have access rules in place to allow public access to the external IP as well as the F5 IP. There are NAT rules in place that *should* point anyone going to the external IP towards the F5 address, and then through that to the internal server. There's an F5 rule in place that redirects from http to https as well. Internally, on my work PC, I can navigate to the site via it's FQDN. Externally though, I get a Not Secure Site message(we haven't gotten the cert in place yet so that is expected), but then after a while of trying to load, we receive an ERR_CONNECTION_RESET page and it can't load. I feel like there is something I am missing but I just can't think of what it is. If anyone has any ideas I will be eternally grateful. Thank you in advance.F5 Reverse Proxy with MFA
Hi, We have a requirement to implement reverse proxy with multifactor authentication. The current network setup has a cloud WAF which forwards traffic to on-premise application LB VIP. F5 support guided me to use APM+LTM in DMZ which will act as revers proxy with mfa. But from the APM data sheets, it looks more of a SSL VPN. So I am concerned if this solution will work with SSL inspection on the Cloud WAF. Traffic flow, External user (HTTPS) >> Cloud WAF (SSL inspection, NAT) >> F5 APM + LTM (Reverse proxy + MFA + SSL offloading) >> Internal LB >> HTTP APP Servers Can anyone please guide me on this requirement.
NGINX Migration, Rewrite Profile: Is there another way?
We are migrating, as part of a project, a big NGINX implementation to an F5. Basically, it would assume the role of a reverse proxy. The two biggest things the NGINX does are: Translating from external hosts (www.example.com) to internal hosts (www.example.local) Load balancing between different back-end servers, depending on the URI. For the first point: There are a BUNCH of translations. We're using a rewrite profile. Sometimes, www.example.com/ translates to www.example.local/, and www.example.com/app1/ translates to www.example2.com/app1. And, on a single rewrite profile, there are, I think, more than 50 rules. Is there a better way of doing this? Should we really modify back-end servers to accept both hosts, external and internal? And, how do we deal with URI's with no trailing slash? If they have none, it won't match the rewrite rule. Should we add 301 respond to each and every URI? The second: Should we use policies or iRules? I've got to confess, we have already big iRules, separated with procs and the like. So, migrating that to policies would be a pain in the ass. EDIT: One more question: We have different client side URL, that need to be rewritten to the same server. www.example.com/app1 and www.example.com/app2 to www.example.local/. However, for some reason, rewrite profile does not allow for this. How can we achieve it?
Working without trailing slash in LTM rewrite profile URI rules
Hi, I am trying to implement simple reverse proxy with load balancing based on URI path. Here is the example: F5 VIP 1 listening to main.example.com:80 - default HTTP to HTTPS redirect iRule is applied F5 VIP 2 listening to main.example.com:443 App server 1 listening to foo.example.com:443 App server 2 listening to bar.example.com:443 App server 3 listening to portal.example.com:443 Rewriting rules and load balancing rules examples: https://main.example.com -> https://portal.example.com/src/portal/ (App server 3) https://main.example.com/aa/ -> https://foo.example.com/aa/ (App server 1) https://main.example.com/bb/cc/ -> https://foo.example.com/bb/cc/ (App server 1) https://main.example.com/dd/ -> https://bar.example.com/dd/ (App server 2) https://main.example.com/dd -> https://bar.example.com/dd/ (App server 2) So basically there are 3 different back end app servers, each listening on different virtual host, and client requests should be redirected to these servers based on the URI path, while the host part of the URL must also be rewritten in all headers and whole HTML content. End user must always see only main.example.com in their browser's address field. In prior TMOS versions there was the ProxyPass iRule used for such functionality. But since my case is not too complicated and I am running 11.6, there is a way to supplement ProxyPass functionality with build in features: LTM Rewrite profile and LTM policy. I do the necessary URI rewrite in rewrite profile via URI rules and request forward in LTM policy rules. Everything works just fine, except one small annoying thing. Users want to have the option to ignore the trailing slash in URI path when calling a default resource within a directory. So for example, they want to be able to call main.example.com/dd and get the default resource from the /dd/ directory. My problem is that LTM rewrite profile does not allow me to specify URI rules without a slash at the end of URI. And without it, the whole concept does not work. Because when the user calls main.example.com/dd, F5 does not match this request to any URI rewrite rules, hence the host part stays "main" instead of being rewritten to "bar". The LTM policy actually forwards the request to correct app server because in the LTM policy I am able to declare a condition "if URI path begins with /dd". But the app server 2 does not accept request for virtual host 'main'. So I get an error. And I cannot do the URL rewrite in LTM policy. I need to rewrite all links in headers, cookies and content, so I need to use LTM rewrite profile to accomplish all that. Also something like 'main.example.com/zz' can be a legitimate request for a file called 'zz' inside the root directory of app server. So the F5 needs to be able to rewrite also requests without trailing slash and catch the HTTP redirects, rewrite them accordingly also in HTTP responses. Blindly inserting '/' at the end of each request is hence not possible. Any idea would be much appreciated! Thanks.
FIPS validated F5 load balancer to work with AWS ELBs
Hi, We recently found out that the AWS ELBs are not FIPS 140-2 validated. We plan on continuing to use ELBs for their AZ failover, ASG etc features but we now need to come up with a solution where the public end-points for our apps would be FIPS validated. As a note, our entire infrastructure is on AWS. Is there an F5 solution that we can stand it up in front of ELBs and have it accept external connections and route those back to ELBs? Also noteworthy is that the ELBs may change their IPs over time so this solution will need to be handle that without causing traffic disruption. Thank you.
Reverse proxy from internal IP to external url.
I have a need to create a dns record internally for a web address . I then would like the dns record to point to the F5 and have the F5 redirect that address to . Reason behind this... our branch servers are using ZScaler so when they navigate the internet ZScaler gives them a dhcp address. Our main office has a public facing static IP. Therefore I want to create a dns record for that comes back to my main building to the F5 and then have the F5 redirect the traffic out to the site () but this time the website will think it is coming from the public IP of my main building. This will allow me to create a firewall rule to allow access to this particular website strictly from my main building. Is this possible?