Follow

INITIAL Configuration: New Application Proxy for HTTP / HTTPS / WAF Proxy Service Type

Description

This article is for:

  • Silverline WAF Services customers that want to deploy a web application, and add WAF policy to it
  • Silverline DDoS Protection customers that want to deploy an HTTP / HTTPS Application Proxy, and add DDoS protection
  • Silverline DDoS Protection customers that are also Silverline WAF Services customers and want to deploy a web application to add WAF Policies to it
  • Customers that want to use the new Regional PoPs feature

If you are a Silverline DDoS Protection customer and want to deploy an TCP, UDP, or DNS Proxy, (or use IPV6 front end) see TCP / UDP / DNS Proxy Configuration article.

 

Environment

  • Silverline DDoS Protection
  • Silverline WAF
  • Proxy/Proxies
    • HTTP/ HTTPS / WAF Proxy Service Type
  • Regional PoPs (click to jump to Reg PoPs section)
  • Shape Defense

 

Procedure

Requirements for Application Proxies (HTTP/HTTPS/WAF Proxy)

The following information is required for successful application proxy configuration.

  • Application Display Name - Name for identifying the application proxy. This name will appear on the Proxy / App Management page.­­
  • Domain Name (FQDN) - This is the URL of the protected site. Multiple URLs can leverage the same VIP, as with any web server.
  • Backend IP / DNS Name - This is the IP or DNS Name of your web server or load balancer. F5 Silverline provides Frontend IPs or Assigned DNS Names automatically. Up to 5 ports can be configured on the same frontend/backend IP pair configuration.
  • Backend Port - This is the port that is leveraged by your Backend IP / DNS Name. This will almost always be HTTP (80) and HTTPS (443). Multiple backends can be defined, as well as ability to select load-balancing methods. FQDN or DNS-named backends can be defined as well.
  • Frontend Port – This is the desired Port open on your F5 Silverline application proxy. This is where traffic will enter the Silverline platform. This will almost always be HTTP (80) and HTTPS (443).
  • HTTP Redirect -- WAF proxies come equipped by default with a Redirect function on HTTP (80), which then directs the client to retry the request to HTTPS (443). This is the HTTP Redirect function. The default ‘HTTP Redirect’ response code is 302 but there is also an option to enable a response code of 301.
  • SSL Certs - Required for SSL / HTTPS Application Proxy. Upload SSL certificates and create SSL Profiles before adding and configuring SSL / HTTPS Application Proxies. Follow directions on: SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

 

Configuration Steps 


1. In the Portal, navigate to
Config > Proxy / App Configuration > Proxy / App Management 

2. Click the +Add button to add a new Application Proxy.

  • WAF Customers – skip to Step 3
  • DDoS Protection Customers -- From the drop-down choose HTTP / HTTPS.
  • Troubleshooting: I don't see an Add button?

    If you don't see an Add button, this means that you've used all of your contracted FQDNs. Contact your Silverline Sales representative if you need more FQDNs.

 

3. Configure Front End FQDN.

  • New Application defaults to Front and Back End configuration page.
    • New_Application_-_Front_and_Back_End.png
  • Fill in the following fields (descriptions below image):

Screen_Shot_2021-05-07_at_8.38.41_PM.png

Field

Description

Notes

Display Name

Name for identifying the application proxy. This name will appear on the Proxy / App Management page.

Requirements: Limit of 64 characters

Allowed: Any valid lowercase letters, numbers, and periods.

Not Allowed: Capital letters, and ending name in a period.

Suggested: Typically FQDN-related and unique names are used.

Note: If names are not unique, then some of reporting functions will aggregate data for proxies with the same name. Stats for Web Traffic, SSL, and Proxy can not differentiate between different proxies with the same name.

 

Assigned DNS Name

F5 Silverline automatically provides unique DNS address. Such as p34d7df.acmecorp.gslb.f5silverline.com

 

After application proxy is configured, you will have your application’s FQDN point to the provided Silverline “Assigned DNS Name”.

Then your application traffic will flow thru the Silverline infrastructure before going to your applications.

 

Application Enabled

Toggle button to either enable or disable the application proxy

Why would you disable a proxy? Common reasons are…

  • making changes on the backend server
  • no longer require application to process traffic but you want to reserve frontend DNS address for future use

 

Fully Qualified Domain Name (FQDN)

 

Your application’s FQDN that is exposed to the open internet.

After application proxy is configured, you will have your application’s FQDN point to the provided Silverline “Assigned DNS Name”.

Then your application traffic will flow thru the Silverline infrastructure before going to your applications.

SSL Profile

SSL Profile attached to FQDN

See INITIAL SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

View Profile

Button that opens the SSL Profile's editing page.

Same as "View Profile" button on Certificates tab -- How To Configure Certificates (HTTPS Proxy)

Note

Any notes for you or your team on this proxy.

 

Tags

Start typing and choose from existing tags. Or type out new tag and hit enter to save.

More details on tags in Using Tags with Roles Based Access Control (RBAC)

 

 

4. Configure Back End Server IPs or FQDNs.

  • Fill in the following fields (descriptions below image):

Screen_Shot_2021-05-07_at_8.38.49_PM.png

Field

Description

Notes

Back End IP or DNS Name

Enter the IP address or DNS name for your back-end server.  DNS names are resolved at the point of entry and must be valid.

If a DNS Name (FQDN) is entered:

  • Silverline will query for DNS resolution every 60 seconds
  • Backend IP pool members will update 4 times within a 60 minute period.

Scrubbing Centers

Turn On  / Off which Silverline data centers are available to each back-end server.

  • Recommended: enable at least 2 different data centers in order to increase resiliency.
  • Most customers choose to enable ALL data centers for the greatest resiliency, availability and response times. 
  • Example of why you wouldn’t enable all scrubbing centers: Multiple back-end servers in different countries and you wish to force Silverline to use the closest data center for each back-end server.

Regional PoPs

Turn On / Off which Silverline Regional PoPs are available to each back end server.

*** Must also choose at least 2 Scrubbing Centers.*** 

For more information on Regional PoPs, see:

+ Add Button

Back_End_Add.png

Add additional Back End servers.

If you have selected Priority Group Activation (PGA) as your Load Balancing Method under the Advanced tab, connections are first distributed to the first back-end server (highest priority) listed. If the first backend server fails, traffic is directed to the second backend server in the list. See Proxy / Application Configuration Option: Advanced for more information

 

5. Choose Services.

Screen_Shot_2020-08-28_at_10.28.36_AM.png

Service

Description

Default?

HTTP Redirect

Basic redirect to HTTPS. Use for basic redirection to the SSL service.

Performs a 302 redirect from http://site.com to https://site.com.

This service type provides more protection than sending port 80 traffic to the backend servers just to do a redirect.

 

Default for HTTP/HTTPS*

HTTPS Service

SSL Proxy virtual server with the ability to understand HTTP communication traffic.

A cert and key is required. --Upload SSL certificates and create SSL Profiles before adding and configuring SSL / HTTPS Application Proxies. Follow directions on: SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

The default that should be used for any encrypted web service.   

Supports XFF Header insertion.

Note: This Service is where you configure Shape Defense.

Default for HTTP/HTTPS*

HTTP Service

Proxy virtual server with the ability to understand HTTP communication traffic.

The default that should be used for any non-encrypted web service.  

Supports XFF Header insertion.

Choose from + Other Services menu

WAF Proxy

Some "classic" proxies will show this older option for WAF customers. 

If you have the WAF Proxy service available, you don't need to add additional HTTP or SSL HTTP service.

 

* To remove an added service, click the X to the left of the service.

Delete_Service.png

 

6. Configure Services.

  1. Click on a Service in the left-hand column (A), and the corresponding Configuration Options (B) appear to the right. Details on each Configuration Option in links below image.
    • Configure-Services_Annotated.png
  2. HTTP Redirect
  3. HTTPS
  4. HTTP Service
  1. Save and Deploy
    1. Once all configurations are set, click Save in the bottom-right.
    2. If this takes you back to the list of apps / proxies, either click the name of the application proxy you just created, or click the Edit (pencil icon) button on the right.
  2. Test and Verify Your Application Proxies
  3. Configure On-Premises Setup

 

Related Content

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request