Forum Discussion
Sure. Thanks.
re 1 The auth servers are nginx proxies that insert headers that are consumed by the application. Once the headers are inserted, they forward to the original URL, thus hitting the SNAT from the inside interface. In its current form, the iRule sees the client IP as that of the auth server and then passes the request to the application server.
re 2 Yes.
re 3 I think I answer that in 1. Let me add that the original design by the devs had the auth servers load balancing the app servers themselves. Basically ruby/nginx devs doing their thing. The problem was that every auth proxy had to be application aware. We started working on this solution so that we could have a large pool of identical auth servers serving many different applications and that auth servers are application agnostic.
I think what I am really looking for or trying to confirm is that the request has been through the auth pool before being routed to the application. Headers can be spoofed, so this clientIP lookup seemed OK. I am not sure how expensive it is from a performance perspective though.
Thank you for looking. Much appreciated.
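
The source-address check described in the post above, sketched as an iRule; this is an added example and not the poster's rule. The data group `auth_servers_dg`, the pools `auth_pool` and `app_pool`, and the header `X-Auth-User` are assumed names standing in for the real ones.

```tcl
# Added example, not the poster's iRule.
# Assumptions (hypothetical names):
#   auth_servers_dg - address-type data group holding the auth proxies' source IPs
#   auth_pool       - pool of the nginx auth proxies
#   app_pool        - pool of the application servers
#   X-Auth-User     - placeholder for the header(s) the auth proxies insert
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals auth_servers_dg] } {
        # The connection comes from an auth proxy, so the request has already
        # been through the auth pool. Keep its headers and send it to the app.
        pool app_pool
    } else {
        # The connection comes from anywhere else. Remove any identity header
        # the client supplied itself, so that only an auth proxy can set it,
        # then send the request to the auth pool.
        HTTP::header remove "X-Auth-User"
        pool auth_pool
    }
}
```

The check only holds if the application servers accept connections solely through this virtual server; a path that reaches them directly bypasses it.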