Migration from HAProxy to F5
Hi all,
I have a conundrum of sorts.
We are currently in the process of evaluating how to migrate from HAProxy reverse proxy and load balancer to F5.
I have a couple of questions for someone who has been in the same boat, if any 😄
1. What type of licence do we need for Reverse Proxy/Load Balancing?
2. I am posting a sample config of what I need to migrate to F5.
Since I have been reading about iRules and LTM Local Traffic Policy I am thinking of going the LTM route since I've read that iRules are a lot more problematic and slower to go through.
Here is the sample config. Does anyone have an idea how to implement this into F5 using LTM?
frontend web11
    mode http
    bind 10.1.1.10:80
    bind 10.1.1.10:443 ssl crt /etc/ssl/web.pem
    # Redirect HTTP to HTTPS
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Log the session cookie if passed
    capture cookie JSESSIONID= len 32
    acl web_url hdr(host) -i web11.com www.web11.com
    acl path_cxserver path -i -m beg /Thingworx/WS
    acl path_tunnelserver path -i -m beg /Thingworx/WSTunnelServer
    acl path_tunnelclient path -i -m beg /Thingworx/WSTunnelClient
    # Backend logic
    use_backend cxserver if web_url path_cxserver
    use_backend tunnelserver if web_url path_tunnelserver
    use_backend tunnelclient if web_url path_tunnelclient
    # Default traffic to platform
    default_backend NOSRV

##### Backend section
backend cxserver
    mode http
    balance roundrobin
    option forwardfor
    # sticky sessions
    cookie SERVER insert indirect nocache
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # health check
    option httpchk GET /Thingworx/health
    server cxserver1 10.0.10.10:8080 check inter 1000 fastinter 1000 cookie twx1
    server cxserver2 10.0.10.11:8080 check inter 1000 fastinter 1000 cookie twx2

backend tunnelserver
    mode http
    balance source
    option forwardfor
    option httpchk GET /
    server tunnelserver1 10.0.10.20:8080 check port 9009
    server tunnelserver2 10.0.10.21:8080 check port 9009

backend tunnelclient
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD /healthcheck.html HTTP/1.1
    server tunnelclient1 10.0.10.30:8080 check inter 1000 fastinter 1000 cookie twx1
    server tunnelclient2 10.0.10.31:8080 check inter 1000 fastinter 1000 cookie twx2
    server tunnelclient3 10.0.10.32:8080 check inter 1000 fastinter 1000 cookie twx3
Thanks for any suggestions 🙂
If you need clarification of what each line does I will be happy to break them down further if needed 🙂
Hi igor_
I haven't used haproxy personally, but the config looks pretty self-explanatory. Here's a start for some of the work to get you going. Note that the cookie names are going to be stock in this solution, the jsessionid is not handled yet, and only one of the three backends has been addressed. You can add the other two as rules to the policy once you build out the pools for them. Post back with any questions.
ltm monitor http cxserver-httpchk {
    adaptive disabled
    defaults-from http
    interval 5
    ip-dscp 0
    recv none
    recv-disable none
    send "GET /Thingworx/health\r\n"
    time-until-up 0
    timeout 16
}
ltm pool cxserver-pool {
    members {
        cxserver1:8080 {
            address 10.0.10.10
        }
        cxserver2:8080 {
            address 10.0.10.11
        }
    }
    monitor cxserver-httpchk
}
ltm policy test-policy {
    controls { forwarding }
    requires { http }
    rules {
        cxserver-match {
            actions {
                0 {
                    forward
                    select
                    pool cxserver-pool
                }
            }
            conditions {
                0 {
                    http-uri
                    values { /Thingworx/WS }
                }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}
ltm policy http-to-https {
    controls { forwarding }
    requires { http tcp }
    rules {
        redirect {
            actions {
                0 {
                    http-reply
                    redirect
                    location tcl:https://[getfield [HTTP::host] ":" 1][HTTP::uri]
                }
            }
            conditions {
                0 {
                    tcp
                    port
                    values { 80 }
                }
            }
        }
    }
    status published
    strategy first-match
}
ltm virtual testapp-vip {
    destination 10.1.1.10:80
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        http-to-https { }
    }
    profiles {
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm virtual testappssl-vip {
    destination 10.1.1.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    policies {
        test-policy { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
High level, from an objects perspective (and this is imperative config; I highly encourage you to take a look at the declarative automated tool chain):
Monitors for the pools
Pools for each of your backend servers
Cookie profiles if you want them to be named specifically
SSL profile for your front-end
LTM policy for redirecting from http->https
LTM policy for traffic matching, forwarding, and logging
Virtual server for port 80
Virtual server for port 443
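The reply above hand-translates one HAProxy route into an LTM policy rule. The following script is an added example, not code from either poster or from F5: it parses the acl / use_backend lines of the frontend from the question and emits the remaining rules in the same first-match tmsh shape, one rule per use_backend line with the HAProxy line order preserved as the ordinal, and it reports rules that can never be reached. The sample input is constructed from the question's config. The tmsh operands and keywords beyond those visible in the reply (http-host, path, starts-with, case-insensitive) are assumptions about the policy grammar and should be checked against the target TMOS version before loading; the policy name web11-routing and the -pool suffix are likewise made up here.

```python
"""Translate HAProxy frontend routing (acl / use_backend) into an F5 LTM
policy in tmsh syntax.  Added example, not the forum posters' or F5's code."""
from dataclasses import dataclass

# Constructed sample: the routing lines of the frontend from the question.
SAMPLE_FRONTEND = """\
frontend web11
    mode http
    acl web_url hdr(host) -i web11.com www.web11.com
    acl path_cxserver path -i -m beg /Thingworx/WS
    acl path_tunnelserver path -i -m beg /Thingworx/WSTunnelServer
    acl path_tunnelclient path -i -m beg /Thingworx/WSTunnelClient
    use_backend cxserver if web_url path_cxserver
    use_backend tunnelserver if web_url path_tunnelserver
    use_backend tunnelclient if web_url path_tunnelclient
    default_backend NOSRV
"""

@dataclass
class Acl:
    name: str
    kind: str               # "host" (hdr(host)) or "path"
    match: str              # "equals" or "starts-with"
    case_insensitive: bool  # HAProxy -i flag
    values: list

@dataclass
class Route:
    backend: str
    acls: list              # ANDed acl names from "use_backend X if a b"

def parse_frontend(text):
    """Return (acls by name, ordered routes, default backend name)."""
    acls, routes, default = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl":
            name, fetch, rest = tok[1], tok[2], tok[3:]
            kind = {"hdr(host)": "host", "path": "path"}.get(fetch)
            if kind is None:
                raise ValueError(f"acl {name}: unsupported fetch {fetch}")
            ci, match, values, i = False, "equals", [], 0
            while i < len(rest):
                if rest[i] == "-i":
                    ci = True
                elif rest[i] == "-m":          # -m beg -> prefix, -m str -> exact
                    match = {"beg": "starts-with", "str": "equals"}[rest[i + 1]]
                    i += 1
                else:
                    values.append(rest[i])
                i += 1
            acls[name] = Acl(name, kind, match, ci, values)
        elif tok[0] == "use_backend":
            if len(tok) < 4 or tok[2] != "if":  # "or", "!acl" etc. are out of scope
                raise ValueError(f"unsupported use_backend line: {raw.strip()}")
            routes.append(Route(tok[1], tok[3:]))
        elif tok[0] == "default_backend":
            default = tok[1]
    return acls, routes, default

def render_policy(policy_name, acls, routes, pool_suffix="-pool"):
    """Emit a first-match LTM policy; rule ordinals follow HAProxy line order.
    Operand/keyword spelling not shown in the forum reply is assumed."""
    out = [f"ltm policy {policy_name} {{", "    controls { forwarding }",
           "    requires { http }", "    rules {"]
    for ordinal, route in enumerate(routes, start=1):
        out += [f"        {route.backend}-match {{",
                f"            actions {{ 0 {{ forward select pool {route.backend}{pool_suffix} }} }}",
                "            conditions {"]
        for idx, acl_name in enumerate(route.acls):
            a = acls[acl_name]
            operand = "http-host host" if a.kind == "host" else "http-uri path"
            ci = "case-insensitive " if a.case_insensitive else ""
            out.append(f"                {idx} {{ {operand} {ci}{a.match} "
                       f"values {{ {' '.join(a.values)} }} }}")
        out += ["            }", f"            ordinal {ordinal}", "        }"]
    out += ["    }", "    status published", "    strategy first-match", "}"]
    return "\n".join(out)

def shadowed_routes(acls, routes):
    """Under first-match, an earlier prefix rule swallows any later rule whose
    path prefix extends it.  Returns (earlier_backend, later_backend) pairs."""
    def prefixes(route):
        for a in (acls[n] for n in route.acls):
            if a.kind == "path" and a.match == "starts-with":
                for v in a.values:
                    yield v.lower() if a.case_insensitive else v
    found = []
    for i, early in enumerate(routes):
        for late in routes[i + 1:]:
            if any(l.startswith(e) for e in prefixes(early) for l in prefixes(late)):
                found.append((early.backend, late.backend))
    return found

if __name__ == "__main__":
    acls, routes, default = parse_frontend(SAMPLE_FRONTEND)
    print(render_policy("web11-routing", acls, routes))
    for early, late in shadowed_routes(acls, routes):
        print(f"# warning: rule for {late} is never reached, {early} matches first")
    print(f"# default_backend {default} is not a policy rule; set it on the virtual server")
```

Both HAProxy (use_backend lines in file order) and the LTM policy (strategy first-match, ascending ordinal) stop at the first matching rule, so a shorter prefix listed before a longer one captures the longer one's requests; on the sample input the check flags the two tunnel rules, which is worth confirming against the behaviour you actually get from HAProxy today before reproducing it. The default_backend line has no rule equivalent: with a NOSRV-style empty backend the F5 counterpart is simply a virtual server with no default pool, so unmatched requests are not forwarded anywhere.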