Sunday, 4 August 2019

Recommended LTM configuration for Apache

1) Log in to the LTM
2) Create a monitor: Local Traffic -> Monitors -> Create -> apache-http-monitor
Type: http
Import Settings: http
Interval: 30 seconds
Timeout: 91 seconds
Send String: GET /ltmreply.html 
Finish

Note:
a) Recommended Timeout, derived from the Interval (ratio 1:3, plus one second): 30 * 3 + 1 = 91 seconds, so three consecutive probes can be missed before the member is marked down.
b) Send String is optional; the default is GET /. If you change it as above, create a page called ltmreply.html with simple content such as 'web server alive' and place it in the web server's document root.

3) Create Pool
Local Traffic -> Virtual Servers -> Pools -> Create
Name: your choice
Health Monitor: apache-http-monitor (created as above)
Slow Ramp Time: 30 secs
Finish

4) Create Pool Members
Local Traffic -> Virtual Servers -> Pools -> Members
Specify the web server IP address and port 9080
(assuming the web server listens on port 9080).

5) Create HTTP Profile
Local Traffic -> Virtual Servers -> Profiles -> Services -> HTTP -> Create New
Name: apache-http-opt
Parent Profile: http-wan-optimized-compression-caching (If not using WebAccelerator)
Redirect Rewrite: Matching (to support HTTP to HTTPS switching)
Leave the rest to default values
Finish

6) Create TCP Profiles
a) Local Traffic -> Virtual Servers -> Profiles -> Protocol -> TCP -> Create New
Name: apache-tcp-lan
Parent Profile: tcp-lan-optimized (for the server-side TCP connections, where the LTM reaches Apache over the local network)

b) Local Traffic -> Virtual Servers -> Profiles -> Protocol -> TCP -> Create New
Name: apache-tcp-wan
Parent Profile: tcp-wan-optimized (for the client-side TCP connections, where users reach Apache from remote locations)

7) Create Persistence Profiles
a) Local Traffic -> Virtual Servers -> Profiles -> Persistence -> Create New
Name: apache-cookie
Type: Cookie

b) Local Traffic -> Virtual Servers -> Profiles -> Persistence -> Create New
Name: apache-source
Type: Source Address Affinity
Finish

8) Create a OneConnect profile (client requests can reuse existing server-side connections; recommended, as it gives a significant performance improvement)
Local Traffic -> Virtual Servers -> Profiles -> Other Profiles -> Create New
Name: apache-oneconnect
Type: oneconnect

9) Create Virtual Servers for HTTP traffic
Local Traffic -> Virtual Servers -> Create New
Name: your choice
Destination: Host -> provide the IP address
Service Port: 80 HTTP
Configuration: Advanced:
Type: Standard
Protocol: TCP
Protocol Profile (Client): apache-tcp-wan
Protocol Profile (Server): apache-tcp-lan
OneConnect Profile: apache-oneconnect
HTTP Profile: apache-http-opt
Finish

Navigate to created virtual server -> Resources
Default Pool: Select the pool created above
Default Persistence Profile: apache-cookie
Fallback Persistence Profile: apache-source
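Steps 2 to 9 above, expressed as tmsh commands so the same build can be repeated on another unit or reviewed in change control. This is an added example, not configuration from the original post; the VIP 192.0.2.10 and the pool members 10.0.0.11 and 10.0.0.12 are assumed values, the Host header reuses the post's www.mydomain.com, and the port, profile names, interval, timeout and receive string follow the post. The script only prints the commands by default (dry run); on the BIG-IP run it with TMSH=tmsh. The monitor request is written as HTTP/1.1, which needs the Host header so a name-based virtual host serves ltmreply.html. The HTTPS virtual server of step 14 is the same create ltm virtual command on port 443 with the client SSL profile added to the profiles list with context clientside. Attribute names are as accepted by tmsh on v11 and later; confirm against tmsh help ltm virtual on your version.

```shell
#!/bin/bash
# Added example, not from the post: steps 2-9 as tmsh commands so the build is reproducible.
# Assumed values (not in the post): VIP 192.0.2.10 and pool members 10.0.0.11 / 10.0.0.12;
# the Host header reuses the post's www.mydomain.com. Apache port 9080 and the profile
# names follow the post. TMSH defaults to a dry-run printer; on the BIG-IP run with TMSH=tmsh.
dryrun() { printf '%s ' "$@"; printf '\n'; }
TMSH="${TMSH:-dryrun}"

# Monitor timeout rule from the post's note: 3 * interval + 1 seconds,
# i.e. three consecutive probes may fail before the member is marked down.
ltm_timeout() { echo $(( $1 * 3 + 1 )); }

# apache_ltm_apply <vip> <host-header> <member-ip>...
apache_ltm_apply() {
  local vip=$1 host=$2
  shift 2
  local interval=30 timeout members="" m
  timeout=$(ltm_timeout "$interval")
  for m in "$@"; do members="$members $m:9080"; done

  # Step 2: HTTP monitor. An HTTP/1.1 request needs a Host header so a name-based vhost
  # serves ltmreply.html; the recv string is the page content from the post's note.
  "$TMSH" create ltm monitor http apache-http-monitor defaults-from http \
    interval "$interval" timeout "$timeout" \
    send "GET /ltmreply.html HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n" \
    recv "web server alive"

  # Steps 3-4: pool with the monitor, slow ramp, and the Apache members on 9080
  "$TMSH" create ltm pool apache-pool monitor apache-http-monitor slow-ramp-time 30 \
    members add { $members }

  # Step 5: HTTP profile with redirect rewrite (HTTP to HTTPS switching)
  "$TMSH" create ltm profile http apache-http-opt \
    defaults-from http-wan-optimized-compression-caching redirect-rewrite matching

  # Step 6: TCP profiles, LAN-optimized for the server side, WAN-optimized for the client side
  "$TMSH" create ltm profile tcp apache-tcp-lan defaults-from tcp-lan-optimized
  "$TMSH" create ltm profile tcp apache-tcp-wan defaults-from tcp-wan-optimized

  # Step 7: cookie persistence, with source-address affinity as the fallback
  "$TMSH" create ltm persistence cookie apache-cookie defaults-from cookie
  "$TMSH" create ltm persistence source-addr apache-source defaults-from source_addr

  # Step 8: OneConnect so client requests reuse server-side connections
  "$TMSH" create ltm profile one-connect apache-oneconnect defaults-from oneconnect

  # Step 9: HTTP virtual server tying it together (type Standard is the default)
  "$TMSH" create ltm virtual apache-http-vs destination "$vip:80" ip-protocol tcp \
    pool apache-pool \
    profiles add { apache-tcp-wan { context clientside } apache-tcp-lan { context serverside } \
                   apache-oneconnect { } apache-http-opt { } } \
    persist replace-all-with { apache-cookie { default yes } } \
    fallback-persistence apache-source
}

# Dry run with the assumed addresses; override with VIP=, HOST_HEADER=, MEMBERS="ip ip".
apache_ltm_apply "${VIP:-192.0.2.10}" "${HOST_HEADER:-www.mydomain.com}" ${MEMBERS:-10.0.0.11 10.0.0.12}
```

Review the printed commands, then run the script again with TMSH=tmsh and finish with tmsh save sys config; a second run against an existing configuration fails on the create commands, which is the intended guard against silently overwriting profiles.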

10) Import the CA root certs if the issuer is not an already recognized CA (your organization can act as its own CA for internally signed certs)
Local Traffic -> SSL Certificates -> Import ->
Import Type: Certificate
Certificate Name: Create New -> Your choice
Certificate Source: Upload File -> upload your organization's root CA cert

Local Traffic -> SSL Certificates -> Import ->
Import Type: Certificate
Certificate Name: Create New -> Your choice
Certificate Source: Upload File -> upload your organization's intermediate CA cert

10) Create CSR
Local Traffic -> SSL Certificates -> Create
Provide the Name, Issuer (Certificate Authority) and other details
Download the CSR
Finish
A key record will appear under SSL Certificates

11) Certificate Authorization

Log in to the Microsoft Certificate Server
Request a certificate -> Advanced Certificate Request -> Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Certificate Request: browse to and insert the CSR file created above
Certificate Template: Web Server
Attributes: san:dns=www.mydomain.com&dns=secure.mydomain.com
(The san attribute adds Subject Alternative Names, so one cert can serve multiple host names)
Submit

Download and save the certificate.
Open the certificate -> Details tab -> Subject Alternative Name
Check that the DNS names requested above are listed

12) Import SSL certificate into LTM
Local Traffic -> SSL Certificates -> navigate to the CSR/key created above
Upload the Cert and Import

13) Create a Client SSL Profile
Local Traffic -> Virtual Servers -> Profiles -> SSL -> Create New
Name: your choice
Certificate: As created or imported above
Key: As created or imported above
Chain: Your company's Chain cert imported above
Trusted CA: Your company's CA cert imported above
Finish
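Before the certificate from step 11 is uploaded into the LTM (step 12) and wired into the client SSL profile (step 13), it is worth checking offline that the key, certificate, chain and root fit together: a private key that does not match the certificate, an intermediate uploaded as the root, or a missing SAN all surface only as client-side TLS errors once the virtual server is live. The script below is an added example, not part of the original post or of the F5 product; it uses the openssl CLI, the file names are the caller's, and the self-signed root, intermediate and leaf it builds for the demonstration are constructed test data that imitate the two-tier CA of steps 10 and 11 (the host names are the post's www.mydomain.com and secure.mydomain.com).

```shell
#!/bin/bash
# Added example (not from the post): pre-import checks for the bundle built in steps 10-13.
# Before uploading to the LTM, confirm that (1) the key matches the cert, (2) the cert chains
# to the imported root through the intermediate (Chain = intermediate, Trusted CA = root),
# and (3) every host name you will serve is present as a DNS Subject Alternative Name.
# Requires the openssl CLI; file names and host names are the caller's.

# check_cert_bundle <cert.pem> <key.pem> <intermediate.pem> <root.pem> <dns-name>...
check_cert_bundle() {
  local cert=$1 key=$2 chain=$3 root=$4
  shift 4

  # (1) the public key in the cert must equal the public key derived from the private key
  if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match $cert"
    return 1
  fi

  # (2) root is the trust anchor; the intermediate is supplied untrusted, as the LTM chain file is
  if ! openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $root via $chain"
    return 1
  fi

  # (3) SAN entries, normalised to one DNS:<name> per line, must cover every requested name
  local sans name
  sans=$(openssl x509 -in "$cert" -noout -text \
         | awk '/Subject Alternative Name/ { getline; print; exit }' \
         | tr ',' '\n' | tr -d ' ')
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qx "DNS:$name"; then
      echo "FAIL: $name is not a Subject Alternative Name in $cert"
      return 1
    fi
  done
  echo "OK: $cert matches $key, chains to $root, covers: $*"
}

# make_test_bundle <dir>: constructed root -> intermediate -> leaf chain for offline testing,
# imitating the CA structure in the post (root and intermediate imported separately).
make_test_bundle() {
  local d=$1
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:www.mydomain.com,DNS:secure.mydomain.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.crt" \
    -days 2 -extfile "$d/ca.ext" >/dev/null 2>&1

  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/int.crt" -days 2 -extfile "$d/ca.ext" >/dev/null 2>&1

  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/apache.key" -out "$d/apache.csr" \
    -subj "/CN=www.mydomain.com" >/dev/null 2>&1
  openssl x509 -req -in "$d/apache.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/apache.crt" -days 2 -extfile "$d/leaf.ext" >/dev/null 2>&1
}

# Usage: check_cert_bundle apache.crt apache.key intermediate.crt root.crt www.mydomain.com secure.mydomain.com
# Without arguments, run the check against the constructed demonstration bundle.
if [ "$#" -ge 5 ]; then
  check_cert_bundle "$@"
else
  demo=$(mktemp -d)
  make_test_bundle "$demo"
  check_cert_bundle "$demo/apache.crt" "$demo/apache.key" "$demo/int.crt" "$demo/root.crt" \
    www.mydomain.com secure.mydomain.com
  rm -rf "$demo"
fi
```

The same split is what the client SSL profile expects: the file passed as the root here is the Trusted CA of step 13, and the intermediate is the Chain; swapping them passes nothing to browsers that only know the root.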

14) Create Virtual Servers for HTTPS traffic
Local Traffic -> Virtual Servers -> Create New
Name: your choice
Destination: Host -> provide the IP address
Service Port: 443 HTTPS
Configuration: Advanced:
Type: Standard
Protocol: TCP
Protocol Profile (Client): apache-tcp-wan
Protocol Profile (Server): apache-tcp-lan
OneConnect Profile: apache-oneconnect
HTTP Profile: apache-http-opt
SSL Profile (Client): select the client SSL profile created above
Finish


