Migration from HAProxy to F5

Question

Hi all,I have a conundrum of sorts.We are currently in the process of evaluating how to migrate from HAProxy reverse proxy and load balancer to F5.I have a couple of questions for someone who has been in the same boat, if any 😄1. What type of licence do we need for Reverse Proxy/Load Balancing2) I am posting a sample config of what I need to migrate to F5Since I have been reading about iRules and LTM Local Traffic Policy I am thinking of going the LTM route since I've read that iRules are a lot more problematic and slower to go through.Here is the sample config. Does anyone have an idea how to implement this into F5 using LTM?&nbsp;&nbsp;frontend web11
  mode http
  bind 10.1.1.10:80
  bind 10.1.1.10:443 ssl crt /etc/ssl/web.pem
  
  # Redirect HTTP to HTTPS
  http-request redirect scheme https code 301 unless { ssl_fc }

# Log the session cookie if passed
  capture cookie JSESSIONID= len 32
  
  acl web_url hdr(host) -i web11.com www.web11.com
    
  acl path_cxserver path -i -m beg /Thingworx/WS
  acl path_tunnelserver path -i -m beg /Thingworx/WSTunnelServer
  acl path_tunnelclient path -i -m beg /Thingworx/WSTunnelClient
  
  # Backend logic
  use_backend cxserver if web_url path_cxserver
  use_backend tunnelserver if web_url path_tunnelserver
  use_backend tunnelclient if web_url path_tunnelclient

##### Backend section
  
backend cxserver
  mode http
  balance roundrobin
  option forwardfor

# sticky sessions
  cookie SERVER insert indirect nocache

http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

# health check
  option httpchk GET /Thingworx/health

server cxserver1 10.0.10.10:8080 check inter 1000 fastinter 1000" cookie twx1
  server cxserver2 10.0.10.11:8080 check inter 1000 fastinter 1000" cookie twx2

backend tunnelserver
  mode http
  balance source
  option forwardfor
  option httpchk GET /

server tunnelserver1 10.0.10.20:8080 check port 9009
  server tunnelserver2 10.0.10.21:8080 check port 9009
  
backend tunnelclient
  mode http
  balance roundrobin
  option forwardfor
  option httpchk HEAD /healthcheck.html HTTP/1.1
  
  server tunnelclient1 10.0.10.30:8080 check inter 1000 fastinter 1000" cookie twx1
  server tunnelclient2 10.0.10.31:8080 check inter 1000 fastinter 1000" cookie twx2
  server tunnelclient3 10.0.10.32:8080 check inter 1000 fastinter 1000" cookie twx3

# Default traffic to platform
default_backend NOSRV&nbsp;&nbsp;Thanks for any suggestions 🙂&nbsp;If you need clarification of what each line does I will be happy to break them down further if needed 🙂

jrahm · Accepted Answer

Hi&nbsp;igor_&nbsp;
I haven't used haproxy personally, but the config looks pretty self explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
&nbsp;
ltm monitor http cxserver-httpchk {
    adaptive disabled
    defaults-from http
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /Thingworx/health
"
    time-until-up 0
    timeout 16
}

ltm pool cxserver-pool {
    members {
        cxserver1:8080 {
            address 10.0.10.10
        }
        cxserver2:8080 {
            address 10.0.10.11
        }
    }
    monitor cxserver-httpchk
}

ltm policy test-policy {
    controls { forwarding }
    requires { http }
    rules {
        cxserver-match {
            actions {
                0 {
                    forward
                    select
                    pool cxserver-pool
                }
            }
            conditions {
                0 {
                    http-uri
                    values { /Thingworx/WS }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}

ltm policy http-to-https {
    controls { forwarding }
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}

ltm virtual testapp-vip {
    destination 10.1.1.10:80
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        http-to-https { }
    }
    profiles {
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual testappssl-vip {
    destination 10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    policies {
        test-policy { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
&nbsp;
high level from objects perspective (and this is imperative config, I highly encouarge you taking a look at the declarative automated tool chain):
Monitors for the poolsPools for each of your backend serversCookie profiles if you want them to be named specificallySSL profile for your front-endLTM policy for redirecting from http-&gt;httpsLTM policy for traffic matching, forwarding, and logging&nbsp;Virtual server for port 80Virtual server for port 443

nikoolayy1 · Answer

Maybe you will only need an iRule to log the cookie:
&nbsp;
https://clouddocs.f5.com/api/irules/HTTP__cookie.html
https://community.f5.com/t5/technical-articles/getting-started-with-irules-logging-comments/ta-p/290408/redirect_from_archived_page/true
&nbsp;The request logging profile can also be a nice feature:
https://my.f5.com/manage/s/article/K00847516
&nbsp;
You can send the HTTP logs directly to a syslog or SIEM without saving them locally and the irules, F5 system or the request logging profile support HSL:
&nbsp;
https://clouddocs.f5.com/api/irules/HSL.html
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html
https://my.f5.com/manage/s/article/K50040950
&nbsp;
&nbsp;
&nbsp;
&nbsp;
when HTTP_REQUEST {log local0. “JSESSIONID cookie: [HTTP::cookie value "JSESSIONID"] from source IP [IP::client_addr] ” }
&nbsp;
Maybe also check if One Connect will be needed as this could be enabled by default for HAProxy and you will need one connect profile for F5.
https://www.haproxy.com/blog/http-keep-alive-pipelining-multiplexing-and-connection-pooling
https://my.f5.com/manage/s/article/K91757375
&nbsp;
For X-Forwarded options you play with the F5 HTTP profile as there is no need for irule or local traffic policies
https://my.f5.com/manage/s/article/K43444200
https://my.f5.com/manage/s/article/K4816
&nbsp;

jrahm · Answer

Nikoolayy1&nbsp;&nbsp; Good call on one connect, forgot that. It is considered a misconfiguration on http without it.&nbsp;
igor_&nbsp;iRules are totally acceptable, but it is best to do as much as you can without them, and sometimes an apples to apples configuration might require it, whereas a review of requirements for each app you're migrating might present an opportunity to make some changes that a) keep the config and therefore all the logic in native tmm objects and b) prep the config for easy automation when ready.

nikoolayy1 · Answer

For the cookie logging need I think the irule is better than the local traffic policy with a log action and tcl substitution like "tcl:[HTTP::cookie value "JSESSIONID"]". I don't renember if the request logging profile also logged the HTTP cookies and their values.
&nbsp;
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html

igor_ · Answer

Hi guys,Thanks for the proposed solutions. I will be going through them to see how to copy them into the configuration.One question though since I am new to F5&nbsp;JRahm&nbsp;, the configuration you posted is that in a form which is then imported in F5 from GUI ?

alexs_yb · Answer

I went from nginx -&gt; f5, i used linux clustering with a single floating VIP to handle failover.&nbsp;I would suggest just using irules.Unless you are hammering the system and need all the performance you can get.Why - well they both do about the same thingIrules give you more ability to do just about anything.For example we do stick session based upon jsessionid - which didn't fit with the persistance model built into the F5.Setting up irules to do what the policies do is easy.Also then thing about logging the request / response logging is not pretty&nbsp; i wrote my own irule module to capature all of the events and record them as well as return headers from back end apps which included timing info.Another nice thing as well we have https backends and http backends - irules to process that&nbsp;Have fun&nbsp;

Forum Discussion

Migration from HAProxy to F5

10 Replies

Recent Discussions

Content type hearder charset=UTF-8

Web acceleration

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

Enterprise Security best practices with F5 WAF

Disk space full - what files, folders are safe to delete?

Related Content

Getting Started with BIG-IP Next: Migrating an Application Workload

F5 BIG-IP per application Red Hat OpenShift cluster migrations

Edge to Pulse: IP Geolocation Database Migration

uCS platform-migrate

Re: Welcome to the F5 BIG-IP Migration Assistant