Forum Discussion

igor_'s avatar
igor_
Icon for Altocumulus rankAltocumulus
Jun 29, 2023
Solved

Migration from HAProxy to F5

Hi all, I have a conundrum of sorts. We are currently in the process of evaluating how to migrate from HAProxy reverse proxy and load balancer to F5. I have a couple of questions for someone who h...
devops
  • JRahm's avatar
    JRahm
    Jun 30, 2023

    Hi igor_ 

    I haven't used haproxy personally, but the config looks pretty self explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.

     

    ltm monitor http cxserver-httpchk {
    adaptive disabled
    defaults-from http
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /Thingworx/health\r\n"
    time-until-up 0
    timeout 16
}

ltm pool cxserver-pool {
    members {
        cxserver1:8080 {
            address 10.0.10.10
        }
        cxserver2:8080 {
            address 10.0.10.11
        }
    }
    monitor cxserver-httpchk
}

ltm policy test-policy {
    controls { forwarding }
    requires { http }
    rules {
        cxserver-match {
            actions {
                0 {
                    forward
                    select
                    pool cxserver-pool
                }
            }
            conditions {
                0 {
                    http-uri
                    values { /Thingworx/WS }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}

ltm policy http-to-https {
    controls { forwarding }
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}

ltm virtual testapp-vip {
    destination 10.1.1.10:80
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        http-to-https { }
    }
    profiles {
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual testappssl-vip {
    destination 10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    policies {
        test-policy { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

     

    high level from objects perspective (and this is imperative config, I highly encouarge you taking a look at the declarative automated tool chain):

    Monitors for the pools
    Pools for each of your backend servers
    Cookie profiles if you want them to be named specifically
    SSL profile for your front-end
    LTM policy for redirecting from http->https
    LTM policy for traffic matching, forwarding, and logging 
    Virtual server for port 80
    Virtual server for port 443

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP

Maybe you will only need an iRule to log the cookie:

 

https://clouddocs.f5.com/api/irules/HTTP__cookie.html

https://community.f5.com/t5/technical-articles/getting-started-with-irules-logging-comments/ta-p/290408/redirect_from_archived_page/true

 The request logging profile can also be a nice feature:

https://my.f5.com/manage/s/article/K00847516

 

You can send the HTTP logs directly to a syslog or SIEM without saving them locally and the irules, F5 system or the request logging profile support HSL:

 

https://clouddocs.f5.com/api/irules/HSL.html

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html

https://my.f5.com/manage/s/article/K50040950

 

 

 

 


when HTTP_REQUEST {
log local0. “JSESSIONID cookie: [HTTP::cookie value "JSESSIONID"] from source IP [IP::client_addr] ”
}

 

Maybe also check if One Connect will be needed as this could be enabled by default for HAProxy and you will need one connect profile for F5.

https://www.haproxy.com/blog/http-keep-alive-pipelining-multiplexing-and-connection-pooling

https://my.f5.com/manage/s/article/K91757375

 

For X-Forwarded options you play with the F5 HTTP profile as there is no need for irule or local traffic policies

https://my.f5.com/manage/s/article/K43444200

https://my.f5.com/manage/s/article/K4816

 

JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jun 30, 2023

Nikoolayy1   Good call on one connect, forgot that. It is considered a misconfiguration on http without it. 

igor_ iRules are totally acceptable, but it is best to do as much as you can without them, and sometimes an apples to apples configuration might require it, whereas a review of requirements for each app you're migrating might present an opportunity to make some changes that a) keep the config and therefore all the logic in native tmm objects and b) prep the config for easy automation when ready.