Shivam_84461
Jul 21, 2015

Using Apache ProxyPass iRule for reverse proxy

I am trying to replace my Apache servers, which are currently working as reverse proxy servers for one of our applications. Instead of Apache we want to use F5 to do the same task.

The ProxyPass iRule is too big for me to understand and I am getting confused about where to make changes to get the desired result. I'll quickly tell you what we are doing with Apache.

We have an application hosted on Salesforce but we are trying to mask the Salesforce URL with the URL we want. So if the application is hosted on xyz.Salesforce.com/abc we want the users to see it as app.company.com.

Currently everything is working on Apache and we are doing SSL offloading on Apache only. Now the things I know I need to do on F5 are:

1. Create a VS
2. Create a datagroup with name ProxyPassVSname
3. Create iRule (ProxyPass)
4. Create pool and add the Salesforce server IP to that pool.

I did all that but I am not sure what changes I need to make to the ProxyPass iRule.

Let me know if you guys need more info.

I am a newbie so please help me.

Thanks
Shivam

 

  • Hi Shivam,

    You shouldn't need to make any changes to the ProxyPass iRule, unless you need to configure debugging or rewriteresponse under the RULE_INIT section.

    If your VS name is salesforce_vs, then your datagroup should be called: ProxyPasssalesforce_vs

    So with your examples of xyz.Salesforce.com/abc and app.company.com you would need to add the following to the datagroup.

    string: app.company.com/ value: xyz.salesforce.com/abc

    How are you looking at configuring your SSL offloading? I would assume you will need a client SSL profile for app.company.com and a server SSL profile so that the traffic to Salesforce is encrypted.
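
The mapping that data group entry expresses, modelled in Python as an added example (not part of the reply above and not the ProxyPass iRule's own code): requests for the client-side prefix go to the server-side host and path, and absolute redirects from that backend are mapped back. The function names are hypothetical, and the matching rules (whole path segments, longest prefix wins) are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed from the data group entry above: client-side prefix -> server-side prefix
PROXY_MAP = {"app.company.com/": "xyz.salesforce.com/abc"}


def _split(entry):
    """Split 'host/path' into (host, path); path has no trailing slash."""
    host, _, path = entry.partition("/")
    path = path.strip("/")
    return host.lower(), ("/" + path if path else "")


def _under(path, prefix):
    """True when path equals prefix or lies below it on a segment boundary."""
    return path == prefix or path.startswith(prefix + "/")


def rewrite_request(host, uri, mapping=PROXY_MAP):
    """Return (backend_host, backend_uri), or None when no entry matches."""
    host = host.lower().split(":")[0]
    path = uri.split("?", 1)[0]
    best = None
    for client, server in mapping.items():
        c_host, c_path = _split(client)
        if host == c_host and _under(path, c_path):
            if best is None or len(c_path) > len(best[0]):
                best = (c_path, server)  # longest client-side prefix wins
    if best is None:
        return None
    s_host, s_path = _split(best[1])
    return s_host, s_path + uri[len(best[0]):]


def rewrite_location(location, mapping=PROXY_MAP):
    """Map an absolute backend redirect to the client-side name; leave others alone."""
    parts = urlsplit(location)
    for client, server in mapping.items():
        c_host, c_path = _split(client)
        s_host, s_path = _split(server)
        if parts.hostname == s_host and _under(parts.path, s_path):
            rest = parts.path[len(s_path):] or "/"
            query = "?" + parts.query if parts.query else ""
            return f"{parts.scheme}://{c_host}{c_path}{rest}{query}"
    return location  # e.g. login.salesforce.com stays visible to the browser
```

A redirect to a host that has no entry in the mapping comes back unchanged, which is how the backend name can still reach the browser.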

     

  • I did Apache proxypass config for years, and have used the equiv iRule, to good effect - that said, in many situations you can get by with something much simpler.

     

    1. Create your SSL offload virtual server
    2. Define and add to the VS a stream profile, and define your string replacements there; if you have multiple replacements, use a regexp in the "Target" field only. See: https://support.f5.com/kb/en-us/solutions/public/8000/100/sol8115.html ... this will make replacements in both your headers and content returned. For help in formatting string replacements: https://devcentral.f5.com/articles/ltm-stream-profile-multiple-replacements-regular-expressions but make sure to check the previous link I provided, because some things change in v11, and more changes in v11.4
    3. If you're pre-11.4, make sure to set response processing in the HTTP profile to "rechunk"

    Voila. Note this works if you don't need content-specific logic concerning what string replacements to make.

     

    • Shivam_84461
      Hello daboochmeister, I tried this but it is not working. After attaching the stream profile to the VS, the page is not even replacing the URL.
    • daboochmeister
      Can you describe what you mean, that the page is not replacing the URL? Couple of possibilities - I misspoke, the stream profile only makes replacements in returned content. To replace the URLs in any returned headers (e.g. Location headers associated with redirects), you can set up a Rewrite profile. Also, the stream profile replacements only work if your virtual has an HTTP profile as well (even just the default one, "http", is fine).
    • Shivam_84461
      Not replacing the URL means when I go to app.company.com it's going to xyz.Salesforce.com, like what a virtual server does. It just forwards the traffic to the pool member. I'll try to attach both an HTML profile and a rewrite profile.
    • Shivam_84461
      Hello Shain, I went through this document but it looks like nowhere does it help me the way I want it to work. Maybe I am not understanding, but when I read it, it's not masking the URL anywhere.
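  • when HTTP_REQUEST {
        # Present the Salesforce host name to the pool member
        HTTP::header replace Host "xyz.salesforce.com"
    }

    when HTTP_RESPONSE {
        # Responses carry no Host header; map redirect targets back to the public name
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map -nocase {xyz.salesforce.com app.company.com} [HTTP::header value Location]]
        }
    }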

  • Hello All,

     

    Thanks for posting the responses. It was really helpful. Got it working finally..

     

    Thanks Shivam