Forum Discussion

Javier_Somoza_3
Jul 21, 2017

BIGIP as Reverse Proxy

Hi all,

I'm trying to configure a virtual server to act as a reverse proxy so I can replace a TMG. It would proxy for some internal sites.

The goal is the following:

External Name: publicdomain.net, Internal Name: internaldomain.lan

-- https://publicdomain.net --> BIGIP --> https_or_http://internaldomain.lan --> WEBSERVER

I have followed this article: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/21.html

I have configured a virtual server:

- listening port 443
- no default pool
- SNAT with automap enabled (to act as proxy, logically)
- a client SSL profile (to make the client connect to the proxy via HTTPS)
- a server SSL profile (to allow the BIGIP to connect to the internal server via HTTPS - is this correct??)

But I have the following doubts:

- How can I make BIGIP connect via HTTP instead of HTTPS to the internal webserver?
- Is the server SSL profile necessary to make BIGIP connect via HTTPS to the internal webserver? But each site of the internal webservers has a different internal certificate. Really I don't know how to get this to work.

Hope I have explained my doubts correctly.

Thanks!

4 Replies

    1. LTM Virtual Servers are reverse proxies by default.
    2. Your high-level setup looks correct apart from the fact that you need a default pool set up, unless you have another way to select a backend server, like with the use of an iRule. A Pool is made up of Pool Members, a Node plus Port for the F5 to connect to.
    3. Yes, you can have SSL traffic terminate on the F5 LTM and have non-encrypted (HTTP) traffic on the server side without a problem. This is known as SSL Offloading. Just remove the Server SSL profile from the Virtual Server config and make sure the backend server will accept HTTP traffic.
  • Ok, it seems that using the "Disable - Server SSL" action in the local traffic policy list and forwarding to node "IP:80" works to disable SSL for internal connections.

    The last thing I need is to perform filtering based on the client source IP/network. I'll try to investigate it later...

    • Javier_Somoza_3

      Thanks AMG!

      Ok, I'm selecting the backend server by using a local traffic policy list based on the Host header and URL path.
      
      But I need internal SSL traffic for some backends and non-SSL traffic for others. If I remove the SSL profile it affects all of them, given that I'm using a single virtual server for many published webs.
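One way to keep a single HTTPS virtual server while re-encrypting to some backends and sending plain HTTP to others is to leave the Server SSL profile attached and toggle it per connection in an iRule; the same iRule can also do the source-network filtering mentioned earlier in the thread. This is an added example, not code from anyone in this thread or from F5. It assumes the virtual server has Client SSL, Server SSL and HTTP profiles attached, that the pools `app1_http_pool`, `app2_https_pool` and `app2_api_https_pool` exist, and that an address-type data group named `allowed_client_nets` holds the permitted client networks (all names are assumptions).

```tcl
# Added example (not from this thread). Assumed names: pools app1_http_pool,
# app2_https_pool, app2_api_https_pool; address data group allowed_client_nets.
when HTTP_REQUEST {
    # Source-network filtering: only clients in the allow-list data group
    # may reach any published site; everything else is dropped at the TCP level.
    if { ![class match [IP::client_addr] equals allowed_client_nets] } {
        reject
        return
    }

    set host [string tolower [HTTP::host]]
    set path [string tolower [HTTP::path]]

    switch -glob -- $host {
        "app1.publicdomain.net" {
            # Plain HTTP on the server side (SSL offloading): the Server SSL
            # profile stays on the virtual server but is switched off here.
            SSL::disable serverside
            pool app1_http_pool
        }
        "app2.publicdomain.net" {
            # Re-encrypt to this backend using the attached Server SSL profile.
            # Explicitly re-enable it in case an earlier request on the same
            # client connection disabled it.
            SSL::enable serverside
            if { [string match "/api/*" $path] } {
                pool app2_api_https_pool
            } else {
                pool app2_https_pool
            }
        }
        default {
            # No published site matches this Host header.
            HTTP::respond 404 content "Not found" "Content-Type" "text/plain"
        }
    }
}
```

With keep-alive clients, attach a OneConnect profile as well so that each request is re-load-balanced instead of reusing the first server-side connection, otherwise a second request for a different host on the same client connection can end up at the first backend.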