Recommended LTM Configuration for Apache
1) Login into LTM
2) Create monitor: Local Traffic -> Monitors -> create apache-http-monitor
Type: http
Import Settings: http
Interval: 30 seconds
Timeout: 91 seconds
Send String: GET /ltmreply.html
Finish
Note:
a) Recommended calculation for Timeout based on the Interval value => (3 * Interval) + 1 => (30 * 3) + 1 = 91 secs
b) Send String is optional. The default is GET /. If you want to modify it as above, create a page called ltmreply.html with simple content like 'web server alive' and place it in the document root folder on the web server.
3) Create Pool
Local Traffic -> Virtual Servers -> Pools -> Create
Name: your choice
Health Monitor: apache-http-monitor (created as above)
Slow Ramp Time: 30 secs
Finish
4) Create Pool Members
Local Traffic -> Virtual Servers -> Pools -> Members
Specify web server IP address and port as 9080.
(Assume that web server listens on port 9080)
5) Create HTTP Profile
Local Traffic -> Virtual Servers -> Profiles -> Services -> HTTP -> Create New
Name: apache-http-opt
Parent Profile: http-wan-optimized-compression-caching (If not using WebAccelerator)
Redirect Rewrite: Matching (to support http to https switching)
Leave the rest to default values
Finish
6) Create TCP Profiles
a) Local Traffic -> Virtual Servers -> Profiles -> Protocol -> TCP -> Create New
Name: apache-tcp-lan
Parent Profile: tcp-lan-optimized (if Apache connects to devices on the local network - server side TCP connections)
b) Local Traffic -> Virtual Servers -> Profiles -> Protocol -> TCP -> Create New
Name: apache-tcp-wan
Parent Profile: tcp-wan-optimized (if users connect to Apache from remote places - client side TCP connections)
7) Create Persistence Profiles
a) Local Traffic -> Virtual Servers -> Profiles -> Persistence -> Create New
Name: apache-cookie
Type: Cookie
b) Local Traffic -> Virtual Servers -> Profiles -> Persistence -> Create New
Name: apache-source
Type: Source Address Affinity
Finish
8) Create OneConnect profile (client requests can utilize existing, server-side connections - recommended to provide significant performance improvements)
Local Traffic -> Virtual Servers -> Profiles -> Other Profiles -> Create New
Name: apache-oneconnect
Type: oneconnect
9) Create Virtual Servers for HTTP traffic
Local Traffic -> Virtual Servers -> Create New
Name: your choice
Destination: Host - provide the IP address
Service Port: 80 HTTP
Configuration: Advanced:
Type: Standard
Protocol: TCP
Protocol Profile (Client): apache-tcp-wan
Protocol Profile (Server): apache-tcp-lan
OneConnect Profile: apache-oneconnect
HTTP Profile: apache-http-opt
Finish
Navigate to created virtual server -> Resources
Default Pool: Select the pool created above
Default Persistence Profile: apache-cookie
Fallback Persistence Profile: apache-source
10) Import CA Root Certs if different than recognized CA (Your organization can even act as CA for self signed certs)
Local Traffic -> SSL Certificates -> Import ->
Import Type: Certificate
Certificate Name: Create New -> Your choice
Certificate Source: Upload File -> Upload the root CA cert for your organization
Local Traffic -> SSL Certificates -> Import ->
Import Type: Certificate
Certificate Name: Create New -> Your choice
Certificate Source: Upload File -> Upload the intermediate CA cert for your organization
10) Create CSR
Local Traffic -> SSL Certificates -> Create
Provide Name, Issuer: Certificate Authority and other details
Download the CSR
Finish
You will see a key record created under SSL certificates
11) Certificate Authorization
Login to the Microsoft Certificate Server
Request a certificate -> Advanced Certificate Request -> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Certificate Request: Browse & insert the CSR file created above
Certificate Template: Web Server
Attributes: san:dns=www.mydomain.com&dns=secure.mydomain.com
(Attributes parameter is like an alias so one cert can be used for multiple domains)
Submit
Download and save the certificate.
Open the certificate -> Go to Details tab -> Subject Alternative Name
Check for Alias
12) Import SSL certificate into LTM
Local Traffic -> SSL Certificates -> Navigate to the CSR/Key created above.
Upload the Cert and Import
13) Create a Client SSL Profile
Local Traffic -> Virtual Servers -> Profiles -> SSL -> Create New
Name: your choice
Certificate: As created or imported above
Key: As created or imported above
Chain: Your company's Chain cert imported above
Trusted CA: Your company's CA cert imported above
Finish
14) Create Virtual Servers for HTTPS traffic
Local Traffic -> Virtual Servers -> Create New
Name: your choice
Destination: Host - provide the IP address
Service Port: 443 HTTPS
Configuration: Advanced:
Type: Standard
Protocol: TCP
Protocol Profile (Client): apache-tcp-wan
Protocol Profile (Server): apache-tcp-lan
OneConnect Profile: apache-oneconnect
HTTP Profile: apache-http-opt
SSL Profile (Client): Select the clientssl profile created above
Finish
Navigate to created virtual server -> Resources
Default Pool: Select the http pool created above
Default Persistence Profile: apache-cookie
Fallback Persistence Profile: apache-source
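A pre-flight check for steps 2 and 4, as an added example that is not part of the original post or of F5's tooling: it issues the same GET /ltmreply.html the monitor sends and also requires a 200 status and the 'web server alive' text, which is stricter than the monitor above because no Receive String is set there. The function names and the loopback stub server are assumptions made so the example runs offline; against real members, pass their IP addresses with port 9080.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port, path="/ltmreply.html", expect="web server alive", timeout=5):
    """One monitor-style GET against a pool member; returns (ok, detail)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no response: {exc}"
    if resp.status != 200:          # an error page is still "a response"; reject it
        return False, f"HTTP {resp.status}"
    if expect not in body:          # right status, wrong content (e.g. default vhost)
        return False, "marker text missing"
    return True, "ok"

def check_pool(members, **kwargs):
    """Probe every (host, port) pair; returns {"host:port": (ok, detail)}."""
    return {f"{h}:{p}": probe(h, p, **kwargs) for h, p in members}

class StubApache(BaseHTTPRequestHandler):
    """Constructed stand-in for the Apache member so the example runs offline."""
    def do_GET(self):
        found = self.path == "/ltmreply.html"
        body = b"web server alive" if found else b"not found"
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the console quiet
        pass

def start_stub():
    """Start the stub on a free loopback port; real members listen on 9080."""
    server = HTTPServer(("127.0.0.1", 0), StubApache)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_stub()
    for member, result in check_pool([srv.server_address]).items():
        print(member, result)
    srv.shutdown()
```

A member that fails this check would also fail an LTM monitor configured with a matching Receive String, so it is worth running before the member is added to the pool.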
Reference: F5 deployment guide: Deploying F5 with Apache Web Servers
2 Comments:
Hello, I do not agree with the previous commentator - not so simple
How can I help you in implementing this configuration?