Dynamic Reverse Proxy

Objective

This guide provides instructions on how to create a Dynamic Reverse Proxy (DRP) using the guided wizards in F5® Distributed Cloud Services.

A Dynamic Reverse Proxy operates between the sending Web server and your receiving Web client. It starts by attracting the requests to itself, instead of the final destination (meaning that traffic from a client will hit the Proxy itself), and then triggers a dynamic discovery of the requested endpoint by doing SNI routing or by using host headers.

Dynamic Reverse Proxy solves the problem of connecting to SaaS providers privately without the need of creating complex routing relationships and especially without the need to advertise Public IP Space inside Organizations' Corporate Networks.

On the reverse direction, Dynamic Reverse Proxy also solves the problem related to the need of advertising Organizations' Private IP Space into the SaaS Provider's Network by implementing Forward Proxy and NAT Capabilities.

image1
Figure: DRP Overview

Using the instructions provided in this guide, you will be able to create a Dynamic Reverse Proxy.


Prerequisites

The following prerequisites apply:

Note: If you do not have an account, see Create an Account.


Configuration

Create a Dynamic Reverse Proxy (DRP)

Features can be viewed, and managed in multiple services.

This example shows Dynamic Reverse Proxy setup in Load Balancers.

Step 1: Log into F5® Distributed Cloud Console, start DRP object creation.
  • Open F5® Distributed Cloud Console > select Load Balancers box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

NEW HOME PAGE C
Figure: Homepage

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

  • Change to your application namespace in the namespace selector in the primary navigation bar.

  • Select Manage in left-menu > select Load Balancers > HTTP Connect & DPRs.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

  • Select Add HTTP Connect & DRP button.

DRP 7 2 2 2
Figure: HTTP Connect & DRP

Step 2: Configure meta data, and proxy type.

Enter the configuration parameters.

  • Set a name for your DRP object in the Name box.

  • Optionally, set label key-value pairs in the Labels box.

DRP7 4 2 2 2
Figure: Proxy Type

  • In Proxy type, HTTP Connect Proxy or Dynamic Reverse Proxy has HTTP Connect Proxy and Dynamic Reverse Proxy as options.

  • Select Dynamic Reverse Proxy.

  • Enter list of Domains to be proxies.

Note: Wildcards are supported.

  • Select + Add Item to add more domains to your list.

  • Select one of the following in the Select Method to determine Destination drop-down menu:

    • SNI proxy: Destination discovered based on SNI in TLS Connections.

      • Enter Idle Timeout.
    • HTTP Proxy: Destination discovered based on Host Header in HTTP Connections.

      • Select Configure in Advanced Options.
    • HTTPS Proxy: Destination discovered based on SNI in TLS Connections and Host Headers in HTTP Connections.

      • Select Configure in Down Stream TLS Parameters.

      • Select Configure in Advanced Options.

      Note: Select Show Advanced Fields to show HTTPS proxy.

  • Select one of the following for Select DNS Masquerade for Domains drop-down menu:

    • Enable DNS Masquerade: DNS queries for proxy domains will be resolved to proxy VIP.

    • Disable DNS Masquerade: DNS queries for proxy domains will not be resolved to proxy VIP.

DRP PROXYTYPE7 6 2 2
Figure: Proxy Type

Step 3: Set sites or virtual sites for proxy.

Select sites or virtual sites where you want to install this proxy.

  • The Select Sites for Proxy drop-down menu has Sites or Virtual Sites populated by default.

DRP PROXYTYPE7 6 2 2
Figure: Sites or Virtual Sites Configuration

  • Toggle Show Advanced Fields to show Do Not Instantiate option.

Note:Do Not Instantiate is the other Site Proxy option in the drop-down menu.

DNI 2 2 2
Figure: Sites or Virtual Sites Configuration

  • Select Configure link in Site or Virtual Sites section to configure Site or Virtual Sites.

DRP PROXYTYPE7 6 2 2
Figure: Sites or Virtual Sites Configuration

  • The Custom Advertise VIP Configuration page opens.

  • Select + Add Item button.

DRP VIP7 8 2 2
Figure: Sites or Virtual Sites Custom Advertise VIP Configuration

  • Select Where to Advertise option in drop-down menu:

    • Select Site to install the proxy on a site.

    • Select Virtual Site to install the proxy on a virtual site.

  • Select one of the following options for the Site Network drop-down menu:

    • Inside and Outside Network

    • Inside Network

    • Outside Network

  • Select Virtual Site Reference or Site Reference drop-down menu option.

Note: Option dependent on Select Where to Advertise option selected.

Note: Select Virtual Site you have created, or + Create new Virtual Site with button at the bottom of pop-up menu.

  • Toggle Show Advanced Fields option to show IP Address box.

Note: IP Address box is only available when Site option is selected.

  • TCP Listen Port Choice drop-down menu populates with TCP Listen Port option by default. Use Default Listen Port option available.

  • Select the port for your DRP in TCP Listen Port box.

Note: Default is port 80 for HTTP requests or port 443 for HTTPS requests.

Note: This is the port for your HTTP Connect Proxy to listen to requests.

  • Select Add Item button.

Note: You can add more sites or virtual sites to advertise using the Add item option.

DRP VIP ADD7 8 2 2
Figure: Advertise policy configuration

  • Select Apply button.
Step 4: Set network for upstream connections.

Select which network is going to be used to discover and send the request to your final endpoint.

  • Select Upstream Network option in drop-down menu in Upstream Network section.

    • Site Local Network (Outside): Real endpoint is reachable via outside interface.

    • Site Local Network Inside: Real endpoint is reachable via inside interface.

DRP UPSTREAM7NETWORK7 8 2
Figure: Upstream Network

Step 5: Configure proxy policy.

Configure policies for this proxy. Go to Proxy Policy section, and select an option for the Manage Proxy Policy field.

Note: Proxy Policy is to establish TLS connections using certificates.

  • Select TLS Interception chioce drop-down option.

    • No TLS Interception

    • TLS Interception

    Note: Establishing TLS connections using certificates.

  • Select Manage Proxy Policies option in drop-down menu:

    • Disable proxy policy: With this option, no policies are installed on this proxy.

    • Active proxy policies: To set a policy. From the options for the Forward Proxy Policies field, select an existing forward proxy policy, or select Create new forward proxy policy to create and apply a new policy.

DRP HTTP7 5 2
Figure: Proxy Policy

Step 6: Configure Connection Timeout in Advanced Options.
  • Toggle Show Advanced Fields in Advanced Options to show Connection Timeout option.

  • Enter Connection Timeout value.

DRPCONNECTIONTIMEOUT 2
Figure: Connection Timeout

Step 7: Complete creating the DRP object.
  • Select Save and Exit button to complete creating the DRP object.

Note: You can monitor the DRP in the F5® Distributed Cloud Console. Navigate to the Virtual Hosts > HTTP Connect & DRP page in your application namespace and select on your DRP object in the displayed list of objects.


Concepts


API References