Manual Chapter : Configuring the BIG-IP System as a Reverse Proxy Server

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0
Manual Chapter

Configuring the BIG-IP System as a Reverse Proxy Server

Overview: URI translation and HTML content modification

For environments that use web servers, you might want your websites to appear differently on the external network than on the internal network. For example, you might want the BIG-IP system to send traffic destined for
http://www.siterequest.com/
to the internal server
http://appserver1.siterequest.com/
instead. Normally, this translation could cause some issues, such as the web server expecting to see a certain host name (such as for name-based virtual hosting) or the web server using the internal host name and/or path when sending a redirect to client systems. Fortunately, you can configure the BIG-IP system to solve these problems.
You can also configure the BIG-IP system to modify HTML content as needed after the system has performed the URI translation.
This implementation describes an example of URI translation and HTML content modification and then provides the tasks to implement this example.

About URI translation

You can configure the BIG-IP system to perform URI translation on HTTP requests. Suppose that a company named
Siterequest
has a website
www.siterequest.com
, which has a public IP address and a registered DNS entry, and therefore can be accessed from anywhere on the Internet.
Furthermore, suppose that
Siterequest
has two application servers with private IP addresses and unregistered DNS entries, inside the company's firewall. The application servers are visible within the internal network as
appserver1.siterequest.com
and
appserver2.siterequest.com
.
Because these servers have no public DNS entries, any client system that tries to access one of these servers from outside the company network receives a
no such host
error.
As the illustration shows, you can prevent this problem by configuring the BIG-IP system to act as a reverse proxy server:
The BIG-IP system as a reverse proxy server for URI translation
The BIG-IP system as a reverse proxy server
In the example, the company
Siterequest
has decided to enable Web access to the internal application servers, without exposing them to the Internet directly. Instead, the company has integrated the servers with the web server
siterequest.com
so that
http://www.siterequest.com/sales
is mapped internally to
http://appserver1.siterequest.com/sales
, and
http://siterequest.com/marketing
is mapped internally to
http://appserver2.example.com/marketing
. This is a typical reverse-proxy configuration.
To configure the BIG-IP system to perform this translation, you create a Rewrite profile and configure one or more URI rules. A
URI rule
specifies the particular URI translation that you want the BIG-IP system to perform. Specifically, a URI rule translates the scheme, host, port, or path of any client URI, server URI, or both. A URI rule also translates any domain and path information in the
Set-Cookie
header of the response when that header information matches the information in the URI rule.
The Rewrite profile supports HTML and CSS content types only. To specify MIME types for HTML content, you can either create an HTML profile or accept the default values that the Rewrite profile uses,
text/html
and
text/xhtml
. For CSS content, only the
text/css
MIME type is supported.

Rules for matching requests to URI rules

The BIG-IP system follows these rules when attempting to match a request to a URI rule:
  • A request does not need to match any entry. That is, if no entries match and there is no catch-all entry, then the Rewrite profile has no effect.
  • Each request matches one entry only, which is the entry with the most specific host and path.
  • If multiple entries match, then the BIG-IP system uses the entry with the deepest path name on the left side of the specified mapping.
  • The BIG-IP system matches those requests that contain host names in URIs before matching requests that do not contain host names in URIs.
  • The BIG-IP system processes the specified entries in the mapping from most-specific to least-specific, regardless of the order specified in the actual Rewrite profile.

About URI Rules

When creating a URI rule, you must specify the client and server URIs in these ways:
  • When the URI is a path prefix only, the path must be preceded by and followed by a
    /
    , for example,
    /sales/
    .
  • When the URI contains more than the path prefix (such as, a host), the URI must also contain a scheme and must be followed by a
    /
    , for example,
    http://www.siterequest/sales/
    .
  • Scheme and host are matched with a case-insensitive compare. Path components are matched with a case-sensitive compare per RFC 7230.

Introduction to HTML content modification

When you configure an HTML profile on the BIG-IP system, the system can modify HTML content that passes through the system, according to your specifications. For example, if you want the BIG-IP system to detect all content of type
text/html
and then remove all instances of the HTML
img
tag with the
src
attribute, you can configure an HTML profile accordingly, and assign it to the virtual server. The HTML profile ensures that the BIG-IP system removes those instances of the tag from any HTML content that passes through the virtual server.
Or, you can configure an HTML profile to match on a certain tag and attribute in HTML content when a particular iRule event is triggered, and then create an iRule that includes a command to replace the value of the matched attribute with a different attribute. The BIG-IP system includes several iRule commands that you can use when the
Raise Event on Comment
or
Raise Event on Tag
events are triggered. For more information on iRule commands related to HTML content modification, see the F5 Networks web site
http://devcentral.f5.com
.
HTML tag removal and replacement are just two of several HTML rules that you can configure to manipulate HTML content. An
HTML rule
defines the specific actions that you want the BIG-IP system to perform on a specified type HTML content.

Task summary for configuring system as reverse proxy server

The first step to configuring the BIG-IP® system to act as a reverse proxy server is to create a Rewrite type of profile on the BIG-IP system and associate it with a virtual server. Note that each virtual server must have an HTTP profile. The Rewrite profile is designed for HTTP sites, as well as HTTPS sites where SSL is terminated on the BIG-IP system (that is, the virtual server references a Client SSL profile).

Creating a Rewrite profile to specify URI rules

To configure the BIG-IP system to perform URI translation, you create a
Rewrite profile
, specifying one or more URI rules that associate a client-side path with a server-side URI. You also specify whether you want the URI translation to pertain to HTTP requests, responses, or both.
The Rewrite profile supports HTML and CSS content types only. To specify MIME types for HTML content, you can either create an HTML profile or accept the default values that the Rewrite profile uses,
text/html
and
text/xhtml
. For CSS content, only the
text/css
MIME type is supported.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    Rewrite
    .
    The Rewrite profile list appears.
  2. Click
    Create New Profile
    .
    The Create New Profile Rewrite pop-up screen opens.
  3. In the
    Profile Name
    field, type a name, such as
    my_rewrite_profile
    .
  4. From the
    Parent Profile
    list, select
    rewrite
    .
  5. From the
    Rewrite Mode
    list, select
    URI Translation
    .
  6. On the left pane, click
    URI Rules
    .
    An empty text box appears for displaying client-server URI mappings that you specify.
  7. Click
    Add
    .
  8. From the
    Rule Type
    list, select
    Both
    .
  9. In the
    Client URI
    box, type a client path, such as
    /sales/
    .
  10. In the
    Server URI
    box, type a server URI, such as
    http://appserver1.siterequest.com/sales/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  11. Click
    OK
    .
    This displays a mapping of the specified client path to the associated server scheme, host, and path.
  12. Click
    Add
    again.
  13. From the
    Rule Type
    list, select
    Both
    .
  14. In the
    Client URI
    field, type a client path, such as
    /marketing/
    .
  15. In the
    Server URI
    field, type a server URI, such as
    http://appserver2.siterequest.com/marketing/
    .
    You must include a scheme in the server URI that you specify.
    An example of a scheme is
    http
    .
  16. Click
    OK
    .
    This displays a mapping of the specified client path to the associated server scheme, host, and path.
  17. Click
    OK
    .
The BIG-IP system now includes two URI rules for performing URI translation on both requests and responses. For example, the host name in a request destined for
http://www.siterequest.com/sales/
will be translated to
http://appserver1.siterequest.com/sales/
, and the host name in a request destined for
https://www.siterequest.com/marketing/
will be translated to
http://appserver2.siterequest.com/marketing/
. A reverse translation occurs on any response.

Creating an HTML profile for tag removal

You create an HTML profile when you want the BIG-IP system to act on certain types of HTML content.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Content
    HTML
    .
  2. Click the
    Create New Profile
    button.
  3. In the
    Profile Name
    field, type a name, such as
    my_html_profile
    .
  4. From the
    Parent Profile
    list, select
    /Common/html
    .
  5. On the left pane, click
    HTML Rules
    .
  6. On the
    Create New
    button, click the right arrow.
  7. Select
    Remove Tag
    .
    The Create New Remove Tag Rule box appears.
  8. In the
    Rule Name
    field, type a name, such as
    my_remove_img_tag_rule
    .
  9. Optionally, in the
    Description
    field, type a description of the rule, such as
    Removes the img tag with the src attribute
    .
  10. On the left pane, click
    Match Settings
    .
  11. In the
    Match Tag Name
    field, type the name of the tag that you want to remove from the HTML content.
    An example of a tag to specify is the HTML
    img
    tag.
  12. In the
    Match Attribute Name
    field, type the name of the attribute associated with the tag that you specified for removal.
    An example of an attribute to specify is the
    src
    attribute for the
    img
    tag.
  13. Click
    OK
    .
  14. In the
    Available Rules
    list, locate the HTML rule that you want to enable, and select the adjacent check box.
  15. Using the Move button, move the selected HTML rule to the
    Selected Rules
    list.
  16. Click
    OK
    .
After creating this HTML profile, you can implement the HTML content modification by assigning the profile to the virtual server that is processing the associated HTTP traffic.

Creating pools for processing HTTP traffic

You can create two load balancing pools, and then create a policy that forwards certain HTTP traffic to one pool, and other HTTP traffic to another pool.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. Using the
    New Members
    setting, add each resource that you want to include in the pool:
    1. (Optional) In the
      Node Name
      field, type a name for the node portion of the pool member.
    2. In the
      Address
      field, type an IP address.
    3. In the
      Service Port
      field, type a port number, or select a service name from the list.
    4. (Optional) In the
      Priority
      field, type a priority number.
    5. Click
      Add
      .
  5. Click
    Finished
    .
  6. Repeat this task to create a second pool.
The new pools appear in the Pools list.

Creating a local traffic policy

You perform this task to create a local traffic policy that forwards traffic to one or more non-default pools, based on some condition. For example, for a condition such as an HTTP request whose host name equals
siterequest.com
and URI starts with
/sales/
, the BIG-IP system can forward that request to
pool_app1
.
  1. On the Main tab, click
    Local Traffic
    Policies
    Policy List
    .
    The Policy List Page screen opens.
  2. Click
    Create
    .
    The New Policy screen opens.
  3. In the
    Name
    field, type a unique name for the policy.
  4. From the
    Strategy
    list, select a matching strategy.
  5. For the
    Requires
    setting, select
    http
    from the
    Available
    list, and move the entry to the
    Selected
    list using the Move button.
  6. For the
    Controls
    setting, select
    forwarding
    from the
    Available
    list, and move the entry to the
    Selected
    list using the Move button.
  7. Click
    Add
    .
    The New Rule screen opens.
  8. In the
    Rule
    field, type a unique name for the rule.
  9. From the
    Operand
    list, select
    http-host
    .
  10. Using the options for the
    Conditions
    setting, configure a rule where the condition equals the criteria specified:
    1. From the
      Condition
      list, select
      equals
      .
    2. Select the
      case sensitive
      check box to apply case sensitivity to the condition.
    3. In the
      Values
      field, type the text for the applicable value and click
      Add
      .
      An example of a value is
      siterequest.com
      .
      The specified condition appears in the
      Values
      list box.
    4. At the lower left, click
      Add
      .
      The configured condition appears in the
      Conditions
      list.
  11. From the
    Operand
    list, select
    http-uri
    .
  12. Using the options for the
    Conditions
    setting, configure a rule where the condition starts with the criteria specified:
    1. From the
      Condition
      list, select
      starts with
      .
    2. Select the
      case sensitive
      check box to apply case sensitivity to the condition.
    3. In the
      Values
      field, type the text for the applicable value and click
      Add
      .
      An example of a value is
      /app1/
      .
      The specified condition appears in the
      Values
      list box.
    4. At the lower left click
      Add
      .
      The configured condition appears in the
      Condition
      list.
  13. Using the
    Actions
    setting, configure the applicable options:
    1. From the
      Target
      list, select
      forward
      .
    2. From the
      Event
      list, select an event.
    3. From the
      Action
      list, select
      pool
      .
    4. From the
      Parameters
      list, select the pool name to which you want the BIG-IP system to forward the traffic.
    5. To the right of the input field, click
      Add
      .
      The configured parameter appears in the
      Parameters
      list box.
    6. At the lower left click
      Add
      .
      The configured settings for the action appear in the
      Actions
      list.
  14. Repeat steps 11 through 13, specifying a second
    http-uri
    condition value, such as
    /marketing
    , and specifying a different non-default pool name.
  15. Click
    Finished
    .
For each matching condition specified in the policy, the virtual server to which you assign the policy forwards the packet to the non-default pool that you specified in the policy. For example, you can create one policy that forwards traffic with a URI starting with
/sales/
to
pool_sales
and another policy that forwards traffic with a URI starting with
/marketing/
to
pool_marketing
.

Implementation results

After you perform the tasks in this implementation, the BIG-IP system can:
  • Translate URIs according to the URI rules specified in the Rewrite profile.
  • Modify specified HTML content according to the HTML rule specified in the HTML profile.
  • Forward HTTP traffic to two different non-default pools according to a local traffic policy.