Forum Discussion

hy_382192's avatar
hy_382192
Icon for Nimbostratus rankNimbostratus
Jan 29, 2019

F5 Help - Routing HTTPS external to internal web traffic?

Hi,

 

As a developer, we are looking to deploy a solution which will require some F5 network aspects. However, as F5 is not an area of my expertise, I am looking for some assistance to determine the act of the possible; and to provide further guidance on what type of F5 configuration would be required for the desired solution?

 

REQUIREMENT: We want to expose an endpoint externally (some external URL - ) which will be used as a main channel of integration for our external partners. Currently we only have a single partner which shall send https requests in the form of JSON based payloads as part of a web-hook integration piece. The external endpoint shall be whitelisted to a set of IPs from our partner end.

 

There will be an external DNS declared and a public SSL certificate associated with this. The external requests will need to be routed to a pair of internally hosted load balanced servers (IIS web servers). The load balanced servers will each host a website that is SSL secured with an internal certificate (different to the external cert). So external https requests () will need to be routed all the way to the target internal servers () where the external and internal hosts will be different.

 

In terms of F5 I am on a vague understanding that we would have a virtual server (external) that shall have reference to both external and internal certificates; and possibly a pool member defined for the load balanced servers?

 

Can you confirm if the above setup is possible, and if so, what exactly do we need in terms of F5 configuration to achieve this?

 

ADDITIONAL REQUIREMENTS: In addition to the above, as we potentially want to use this solution as a generic channel for other partner integration; I was thinking if we can perform some form of assessment of the external URL to determine how it should be routed? i.e.

 

(1) For partner1 if the URL contains partner1 (i.e. DNS Host Name/partner1) then route this to internal load balancer servers A and B

 

(2) For partner2 if the URL contains partner2 (i.e. DNS Host Name/partner2) then route this to internal load balancer servers C and D etc..

 

Can we achieve this with possible IRULE or something?

 

I would appreciate if someone could give us some guidance on what F5 elements we would be required to achieve all of the above (i.e. REQUIREMENTS and ADDITIONAL)??

 

Many Thanks, Hung

 

1 Reply

  • OK, these are the fundamentals of deploying F5 and you have to remember that there are a LOT of ways to deploy but i'll give you some general points here. What you have described is the standard reverse proxy, the bit that you need to decide is where to apply the SSL certificate.

    Your options are:

    SSL offload
    - the F5 holds the SSL certificate, internal communication can be either cleartext or SSL. The benefit of this is that you hold the certificate in only one place so updates are easy, you reduce load on servers if you do internal cleartext and you can see the userplane traffic so you can do layer 7 features such as Host based routing. I would say that this is the most common use case.

    SSL passthrough
    - this is where the F5 acts as a layer 4 proxy and passes the SSL straight through to the server. This is very simple, the F5 is only acting at layer 4, doing loadbalancing across the servers. For multiple services, each service would have a separate IP address ie no Host-based routing on the F5.

    If you want more detailed design discussion then you can talk to your reseller or F5 Professional Services about a design workshop etc