WAF as a LB

Home‎ > ‎Barracuda‎ > ‎

WAF as a LB

Contents

1 Overview:
2 Create A Cert:
1. 2.1 Self Cert:
3 Basic Pools:
4 Advanced Features:
1. 4.1 Disabling Source SNAT:

Overview:

Create A Cert:

Before you can create a SSL Pool, you need to have a HTTPS cert.

Self Cert:

In the Basic Tab, under Certificates, go to the Certificate Generation section and select the Create Certificate button.

Then fill out the Certificate Generation form, and select the Generate Certificate button.

When this is complete, the cert will be displayed in the Saved Certificates section of the Certificates sub-tab.

Basic Pools:

Add First VIP & Real:

Under the Basic Tab, under the Services sub-tab, create a new VIP. First create a vip with only the first real.

Service Name: a name to remember the vip by
Type: What protocol to pass
VIP: the VIP ip
Port: the VIP's port
Real Servers: the physical boxes associated to the pool
Certificate: choose one of the certs stored in the Basic:Certificates tab

Additional Reals:

Once the first vip->real is installed, you can easily tack on more reals by selecting the vip, and pressing (1) the add Server button.

The Add Real Server allows you to not only define a server, but also it's Server Name.

Modify Reals:

You can go back to the original server, and select it in the Services Section, and select (1) Edit in the options column so that you can add a Server Name as well. .

This will bring you to a more advanced Server Configuration page. Here you can modify the (1) servers listener port, and under SSL (Server), you can specify if the server will (2) use ssl over its port or not and if it needs to worry if the cert on the server is valid.

Duplicating Pools

Once you have setup one vip and reals with all the proper settings, you can simply duplicate this and then change the server names and IP's. You would do this by selecting the VIP's check box(1), and then in the More Actions (2) pulldown, select Copy Service.

This will pull up the Copy Service window, where you can rename the VIP, IP and Port, and then press the Paste button to submit the changes.

The use the "Modifying Reals" section above to change the Names and IPs of the Reals as needed.

VIP URI Redirection:

7.4 URI Redirection: The process for doing this with 7.4 firmware.

In the VIP's Add column, by selecting the (1) Rule button, you can specify what kinds of traffic is allowed to go to this VIP.

By adding a value into the URI Match field, you match only specific uri's to this pool, that way you can setup different servers for different uri's.

Advanced Features:

Disabling Source SNAT:

By default, all inbound traffic going through the WAF has its headers rewritten such that the source address is the WAF and not the actual source.

This prevents back end servers from seeing who actually sent the packet without using Xforwarder headers. (if you want to use Xforwarding, see HOWTO: Log Client IP AND X-Forwarded-For IP in Apache.)

To remove Source Address NAT (SNAT), or "Client Impersonation" in barracuda-speak, such that the webservers see unmolested source headers, under the Basic tab, under Services, add the expert tag in the URI, by appending the following to the current url:

&expert=1

Then Edit each server

And at the bottom of the page, under Server (Advanced Configuration) set the following:

Max Keepalive Requests: 1
Client Impersonation: Yes

Subpages (1): 7.4 URI Redirection

Comments

net	Search this site