nergalex/f5-sslo-category
Summary

Use Case

  • Web Proxy: application servers reach external URLs only through an F5 BIG-IP SSL Orchestrator (SSLO) acting as a web proxy, which protects their outbound consumption of URLs.
  • Authentication: SSLO acts as an explicit proxy and authenticates each server by its service account. The application's service account is verified by SSLO against an AAA server (local DB, LDAP server, Azure ADFS...), which also returns the server group it belongs to.
  • Authorization: SSLO allows a list of URLs per server group, selected according to the service account used to connect.
  • Automation: changes on SSLO are automated through the BIG-IP API:
  1. Create a subscription: authorize a new server group to access the Internet, limited to a default allowed URL list
  2. Update >> Add allow URL: authorize an existing server group to access new URLs
  3. Update >> Remove allow URL: remove allowed URLs from an existing server group
  4. Delete a subscription: remove an authorized server group's access to the Internet
  • Source of Truth: the INPUT forms issued with each change are stored in a Highly Available "Source of Truth" system.

Benefit

  • Resiliency: minimal data (the subscription's service account and allowed URL list) is stored in a Highly Available "Source of Truth" system spanning a multi-region/multi-cloud environment.
  • Time to market: changes on a Custom URL Category can be automated, making Service Request deployment more reliable and faster.
  • Reliable: the "Source of Truth" (Control Plane) can be queried by a Ticketing system or a Cloud Management Platform to retrieve the current configuration and display it to end users before they request a change, without touching Data Plane devices.

Eco-system

Proof of Concept

This configuration was done for a POC; do not use it as-is in a production environment. Call F5 Professional Services to validate your design.

Install Guide

SSL Orchestrator

Authentication policy

LDAP server

For authentication against an LDAP server (Azure ADDS):

  • Create and populate an LDAP server

  • Create a Per Session Policy

  • Add an LDAP Auth box

  • Add an LDAP Query box

local DB

For local DB authentication:

  • Create and populate a local DB

  • Create a Per Session Policy

  • Add a Local Database box

Explicit Forward Proxy Topology

  • Create an Explicit Forward Proxy Topology as described in this guide

  • Specify the Authentication policy created previously

  • Create a Security Policy. Add a rule that intercepts traffic (and forwards it to a Security Service Chain as needed) when a specific category is detected by Category Lookup (All). Alternatively, reuse an existing Security Policy (Per Request Policy).

  • If the Security Policy was created previously, unlock it in order to modify the Per Request Policy object.
  • Edit the Per Request Policy object

  • Rename the empty "Category Branching" box as desired, for example User Group and Category Branching.
  • Rename the Pass branch with a unique name, for example User Group and Category Matched. The playbook looks up this unique name in order to update the branch condition.
  • NOTE: if LDAP authentication is used, replace session.custom.user_group with session.ldap.last.attr.memberOf in the sslo_prp_box.json template.

  • Look up this empty box in the BIG-IP REST UI at https://myhostname/mgmt/toc

Ansible (Tower)

Create a virtualenv as described in the Tower admin guide, then install Ansible version >= 2.9:

$ sudo yum groupinstall -y "development tools"
$ sudo virtualenv /var/lib/awx/venv/my_env
$ sudo /var/lib/awx/venv/my_env/bin/pip install python-memcached psutil python-consul requests
$ sudo /var/lib/awx/venv/my_env/bin/pip install -U ansible

Ensure that your virtualenv has 755 permissions; otherwise:

$ chmod 755 -R /var/lib/awx/venv/my_env

Consul

Follow the Consul install guide.

data-group playbooks

Job Templates

Create and launch a job template that includes each of these playbooks:

Job template                        Playbook               Activity                    Inventory  Limit      Credential
poc-f5_sslo-subscription_create     playbooks/poc-f5.yaml  sslo-subscription_create    localhost  localhost  none
poc-f5_sslo-data_group-add_url      playbooks/poc-f5.yaml  sslo-data_group-add_url     localhost  localhost  none
poc-f5_sslo-data_group-remove_url   playbooks/poc-f5.yaml  sslo-data_group-remove_url  localhost  localhost  none
poc-f5_sslo-subscription_delete     playbooks/poc-f5.yaml  sslo-subscription_delete    localhost  localhost  none

Survey

A survey is the change form, i.e. an INPUT form for the extra variables requested from the end user.

Job template                        Extra variables
poc-f5_sslo-subscription_create     extra_subscription_name, extra_service_account
poc-f5_sslo-data_group-add_url      extra_subscription_name, extra_allow_urls
poc-f5_sslo-data_group-remove_url   extra_subscription_name, extra_allow_urls
poc-f5_sslo-subscription_delete     extra_subscription_name

Extra variables

Extra variable                     Description                                  Example of value
activity                           Refer to the Job template definitions above  url_category-add_url
extra_admin_user                   BIG-IP admin username                        admin
extra_admin_password               BIG-IP admin password                        Ch4ngeMe!
extra_ip_mgt                       BIG-IP management IP                         10.228.234.11
extra_port_mgt                     BIG-IP management port                       443
extra_consul_path_source_of_truth  Consul Source of Truth path                  poc_f5/outbound/sslo/subscriptions
extra_consul_agent_scheme          Consul scheme access                         http
extra_consul_agent_ip              Consul agent "client" IP to use              10.100.0.60
extra_consul_agent_port            Consul agent "client" port to use            8500
extra_consul_datacenter            Consul DC to store key/value                 pop
extra_sslo_branch_id               Unique Branch ID to update                   User Group and Category Matched
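The four sslo-* activities above all read and write one subscription record per server group in the Consul "Source of Truth". The following is an added example, not the project's playbooks: an in-memory model of those records (a dict stands in for the Consul KV), with the key layout under extra_consul_path_source_of_truth, the record fields, the default allowed list and the data-group rendering all being assumptions.

```python
# Added example (not the project's playbooks): in-memory model of the
# subscription records kept in the Consul "Source of Truth" by the four
# sslo-* activities. Key layout, record fields, the default allowed list
# and the data-group rendering are assumptions, not the playbooks' schema.
import json

SOT_PATH = "poc_f5/outbound/sslo/subscriptions"   # extra_consul_path_source_of_truth
DEFAULT_ALLOW_URLS = ["*.example.com"]            # constructed default allowed list


def _key(name):
    return f"{SOT_PATH}/{name}"


def load(kv, name):
    """Read one subscription record back from the KV store (kv models Consul)."""
    return json.loads(kv[_key(name)])


def _save(kv, name, record):
    kv[_key(name)] = json.dumps(record, sort_keys=True)
    return record


def subscription_create(kv, name, service_account):
    """sslo-subscription_create: new server group, default allowed URL list only."""
    if _key(name) in kv:
        raise ValueError(f"subscription {name!r} already exists")
    return _save(kv, name, {"service_account": service_account,
                            "allow_urls": list(DEFAULT_ALLOW_URLS)})


def data_group_add_url(kv, name, urls):
    """sslo-data_group-add_url: merge URLs, idempotent when the job is re-run."""
    rec = load(kv, name)
    for u in urls:
        if u not in rec["allow_urls"]:
            rec["allow_urls"].append(u)
    return _save(kv, name, rec)


def data_group_remove_url(kv, name, urls):
    """sslo-data_group-remove_url: drop URLs; URLs not in the list are ignored."""
    rec = load(kv, name)
    rec["allow_urls"] = [u for u in rec["allow_urls"] if u not in set(urls)]
    return _save(kv, name, rec)


def subscription_delete(kv, name):
    """sslo-subscription_delete: True if a record was removed, False if absent."""
    return kv.pop(_key(name), None) is not None


def render_data_group(kv):
    """Flatten all subscriptions into service_account -> sorted allowed URLs, the
    shape a BIG-IP data group consulted by the per-request policy could use."""
    recs = [json.loads(v) for k, v in kv.items() if k.startswith(SOT_PATH + "/")]
    return {r["service_account"]: sorted(r["allow_urls"]) for r in recs}
```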

URL Category playbooks

Using a custom URL category has performance impacts; the technical recommendations below must be taken into consideration.

  • glob-match URL type: custom categories consume CPU just by existing, and categories with glob-match patterns doubly so. Avoid glob-match categories if you can.
  • max URLs: if a custom URL category starts to exceed 200 URLs, consider switching to a data group design.

Job Templates

Create and launch a job template that includes each of these playbooks:

Job template                          Playbook               Activity                        Inventory  Limit      Credential
poc-f5_url_category-add_url           playbooks/poc-f5.yaml  url_category-add_url            localhost  localhost  none
poc-f5_url_category-remove_url        playbooks/poc-f5.yaml  url_category-remove_url         localhost  localhost  none
poc-f5_url_category-rollback_category playbooks/poc-f5.yaml  url_category-rollback_category  localhost  localhost  none

Extra variables

Extra variable                     Description                                          Example of value
activity                           Refer to the Job template definitions above          url_category-add_url
extra_admin_user                   BIG-IP admin username                                admin
extra_admin_password               BIG-IP admin password                                Ch4ngeMe!
extra_ip_mgt                       BIG-IP management IP                                 10.228.234.11
extra_port_mgt                     BIG-IP management port                               443
extra_category                     Custom URL category to update                        custom_cat_a
extra_url_name                     Custom URL to add or remove                          *www.test7.com*
extra_url_type                     Custom URL type associated with the URL to add or remove  glob-match
extra_consul_path_backup           Consul backup path                                   poc_f5/outbound/sslo/custom_category/pre-mep
extra_consul_path_source_of_truth  Consul Source of Truth path                          poc_f5/outbound/sslo/custom_category/current
extra_consul_agent_scheme          Consul scheme access                                 http
extra_consul_agent_ip              Consul agent "client" IP to use                      10.0.0.20
extra_consul_agent_port            Consul agent "client" port to use                    8500
extra_consul_datacenter            Consul DC to store key/value                         8500
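The add/remove/rollback activities above pair a pre-change snapshot at extra_consul_path_backup with the current state at extra_consul_path_source_of_truth, and the performance recommendations give two guardrails (glob-match entries, the 200-URL limit). The following is an added example, not the project's playbooks, modelling that flow against a dict standing in for the Consul KV; the key layout, entry fields and the "exact-match" default type are assumptions.

```python
# Added example (not the project's playbooks): in-memory model of the
# url_category-add_url / remove_url / rollback_category activities, with the
# pre-change snapshot kept under extra_consul_path_backup and the guardrails
# from the performance recommendations. Key layout and entry fields are assumed.
import json

BACKUP_PATH = "poc_f5/outbound/sslo/custom_category/pre-mep"  # extra_consul_path_backup
SOT_PATH = "poc_f5/outbound/sslo/custom_category/current"     # extra_consul_path_source_of_truth
MAX_URLS = 200                                                # beyond this, prefer a data group


def _load(kv, path, category):
    """Entries of one category at the given path; empty list if never written."""
    return json.loads(kv.get(f"{path}/{category}", "[]"))


def _save(kv, path, category, entries):
    kv[f"{path}/{category}"] = json.dumps(entries)
    return entries


def check_category(entries):
    """Guardrails: how many entries, how many glob-match, and is the limit exceeded."""
    glob = sum(1 for e in entries if e["type"] == "glob-match")
    return {"urls": len(entries), "glob_match": glob,
            "over_limit": len(entries) > MAX_URLS}


def add_url(kv, category, url_name, url_type="exact-match"):
    """url_category-add_url: snapshot the current state, then add the entry once."""
    entries = _load(kv, SOT_PATH, category)
    _save(kv, BACKUP_PATH, category, entries)          # pre-mep snapshot (serialized now)
    if not any(e["name"] == url_name for e in entries):
        entries.append({"name": url_name, "type": url_type})
    return check_category(_save(kv, SOT_PATH, category, entries))


def remove_url(kv, category, url_name):
    """url_category-remove_url: snapshot, then drop the entry if present."""
    entries = _load(kv, SOT_PATH, category)
    _save(kv, BACKUP_PATH, category, entries)
    entries = [e for e in entries if e["name"] != url_name]
    return check_category(_save(kv, SOT_PATH, category, entries))


def rollback_category(kv, category):
    """url_category-rollback_category: restore the pre-change snapshot as current."""
    return _save(kv, SOT_PATH, category, _load(kv, BACKUP_PATH, category))
```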