You probably have heard of vips or virtual ip addresses if you’ve been exposed to F5 products. You may have heard the terms proxy or reverse proxy as well. If your not sure how vips work or what a reverse proxy is then this article can help. We will examine the F5 reverse proxy architecture in depth and provide some visual aids I created.
What is a reverse-proxy?
To understand what a reverse proxy is and how it relates to the F5 proxy architecture, you must understand what a traditional proxy is. A proxy is an aggregation point where traffic to multiple destinations is sent through for a number of reasons, but mainly for security and natting.
A home network is a prime example of how a proxy operates. In order to reach the internet, your device must send the traffic to it’s default gateway which is typically the router provided by your ISP.
That router is configured to PAT or Port Overload when connecting to the internet. All devices behind your router appear as the public ip address that it received on it’s outside interface from your ISP’s DHCP servers.
A reverse proxy would be the reverse of a normal proxy. It is typically a destination or endpoint that users connect too that in turn distributes the request among-st a group of servers. The server selected will then respond to the proxy and the proxy responds to the client, full-filling the request.
Below is a more specific example. In this example, you have user A who makes a http request to example.com. Example.com resolves to ip address 220.127.116.11 and is a reverse proxy.
The users request reaches the reverse proxy and then is load-balanced to Server A at ip address 192.168.0.100. The server responds back to the reverse proxy, and then the reverse proxy responds to the client. The client makes another request to the same url.
This time the request is load-balanced to Server B at ip address 192.168.0.200 which is an exact replica of Server A. The response takes the same path back to the client.
So really a reverse-proxy functions similar to a traditional proxy but is typically an endpoint on a remote network. A reverse proxy is used for high availability and load-balancing, while a normal proxy is typically used for security reasons.
What is the difference between a reverse-proxy and a full-layer proxy?
A full-layer proxy can be both a reverse-proxy or a traditional forward proxy (many forward and reverse proxies are full-layer). Full-layer means that there is a separate tcp (full-layer proxies are mostly tcp traffic) connection between a client and the proxy and an additional connection between the proxy and the requested resource.
It is referred to as a full-layer because the proxy could potentially have visibility of the application layer. It’s basically man-in-the-middling traffic between clients and servers.
The BigIP can be configured to inspect or even modify application traffic when configured as a full-proxy. For example, you can configure the F5 to send http requests to different backend pools based on http headers in http requests.
Also, the BigIP can also be configured to terminate or proxy ssl when setup as a full proxy. These are just a few examples of what you can do with a full-layer proxy.
Older load-balancers did not always follow this proxy architecture and were typically transparent meaning they acted as a layer-2 bridge. This change in architecture allowed the BigIP to thrive and outcompete older platforms. Most if not all other vendors follow the same architecture as F5 at this point.
Below is a more detailed diagram that showing the comparison of a full-layer proxy with a non-full-layer proxy.
Most BigIP virtual-servers or vips are full-layer proxies. I mentioned that a full-layer proxy has two separate connection. This is referred to on the BigIP as the client-side connection and the server-side connection.
As the name implies, the client-side connection is the connection between a vip and the client. An example client would be a user on the internet browsing a web site. The server-side connection is the connection between the BigIP and the selected server. This could be a web server, ftp server, mail server, or any other type of load-balanced application.
As self explanatory as it seems, its critical to understanding the F5 proxy architecture. For example, you can configure different protocol settings for the client side connection and the server side connection.
The connection table is laid out with corresponding client/server side connections as well. Another great example that requires your understanding of the full proxy architecture is the usage of a one-connect profile. One-Connect allows server-side connections to be re-used for other clients.
In conclusion, the F5 reverse proxy architecture is a full-layer reverse proxy. The main purpose of the full-layer architecture is to allow for optimization of protocol and application traffic.
Understanding these concepts is also critical to effective troubleshooting and can lead to misunderstandings if not well understood. If this still doesn’t make sense then try reading this article on reverse proxy by Cloudflare. I hope you enjoyed this article and please leave any feedback in the comments below.
If your interested in F5 then read more posts here!