Forum Discussion

mc_344761's avatar
mc_344761
Icon for Nimbostratus rankNimbostratus
Jan 02, 2018

reverse proxy

Hi All,

 

We are going to use BIG-IP mainly as a reverse proxy.

 

A test scenario (see attached drawing) is that a user on Internet (client side) will access 2 web services running on 2 internal servers (server-001 and server-002). Depending on URL the user is executing it should be served different web services:

 

https://test.com/ - web service

 

https://test.com/sales - web service

 

I hope some of you could give some tips for what is the right way to implement it. I wondered if that would work:

 

  • create virtual server with our company SSL Profile on client side and default 'serverssl' on server side
  • that virtual server is assigned a pool of 2 nodes: server-001 and server-002
  • that virtual server is assigned 'rewrite profile' for URI translation as followed:

https://test.com/ ->

 

https://test.com/sales ->

 

Is it a proper way of setting up the reverse proxy for our need? Or maybe am I approaching it totally wrong? Are iRules or other features of BIG-IP a better option here?

 

Any hint will be much appreciated. Thanks!

 

 

  • Hi,

     

    You can do via irule but what is the case if node1 down? Will node2 serve the request? Or you want alwys goes node1 and fail request if node2 not available?

     

    Thx Srini

     

    • mc_344761's avatar
      mc_344761
      Icon for Nimbostratus rankNimbostratus

      Hi Srini,

       

      node 1 (server-001) is for request 1 (https://test.com/) and node-2 (server-002) is for request 2 (https://test.com/sale).

       

      node 1 and node 2 are not redundant to each other meaning if node 2 is down then the request 2 won't work and vice versa. Is it ok to have them in the same pool then - im just thinking loudly...

       

      rewrite profile won't work here?

       

      Thanks

       

  • hi,

     

    you can create two pools, pool_pool1 with node1 server and pool_pool2 with node 2 server. Assign default pool with pool_pool1 at vip level and create following irule assign to vip

     

    So any traffic coming on https://test.com/ it connect to pool_pool1 and /slae will connect to pool_pool2

     

    Thx

     

    Srini

     

    =========================================================

     

    when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/sale" { pool pool_pool2 } default { drop } } }

     

    =========================================

     

    • mc_344761's avatar
      mc_344761
      Icon for Nimbostratus rankNimbostratus

      Thanks again Srini,

       

      As you pointed, I have now created 2 pools (one pool for each server).

       

      Tried both suggested by you iRule (I must refresh my coding knowledge :)) and other solution based on policy and rewrite profile (see furhter down). None of them worked out yet but im still testing.

       

      And still some issues:

       

      • request from internet to VS comes as https://test.com
        • Client SSL profile was created and linked to VS on Client side
      • request from VS to server must have a format of test.exe (including test.exe part)
        • so I believe my iRule will have to include that change in URL (in addition to redirecting traffic to a proper pool) - or is there other way of fixing it? should I mix with rewrite profile or better include everything in the iRule?
      • in addition https between VS and server is using another SSL profile (other certificate)
        • when I tested it towards only one pool I managed to access a webpage but it was presented as a simple text - looks like there are some issues With java scripts... Wonder if it could have anything to do with the fact of using different SSL profiles on client and server side

      I found this article about setting up BIG-IP as a reverse proxy with use of policy and rewrite profile:

       

      https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/21.html

       

      Using rewrite profile takes care of URL change and a policy of redirecting traffic to a proper pool. I tested it but policy didn't work for me - all requests are forwardedd to the same pool :/

       

      Anyway - appreciate your help. Do you know if using 2 SSL profiles (with different certificates) for internal and external side of BIG-IP might be a problem in my case?

       

      Thanks again

       

      mc

       

  • My bad,i was missed test.exe .. 2 SSL profile [bridging] should fine.

     

    Thx

     

    Srini

     

    • mc_344761's avatar
      mc_344761
      Icon for Nimbostratus rankNimbostratus

      Thanks for your help and sorry late response. At the end I set 1 VS without any pool defined in resources. REWRITE profile linked to that VS rewrites URL links accordingly. POLICY redirects https requests to the right pools based in requesting URI.

       

      michal

       

    • Amresh008's avatar
      Amresh008
      Icon for Nimbostratus rankNimbostratus

      Hi Michal,

       

      I would suggest you to start the config without the SSL, as when non-ssl set up works, the ssl soon would. You should first be able to get the incoming traffic hit your servers. As you are dealing with different interfaces (WAN side and LAN side) with diff range of IP addresses, it would require routing or Natting for the traffic to pass your load balancer and you would also require config for reverse route.rest of the config is easy :-)