Integrate

This origin server is designed to be used as an origin pool member behind an F5 Distributed Cloud HTTP load balancer. The F5 XC platform provides WAF, Bot Defense, API Security, and Client-Side Defense in front of this origin.

End User -> F5 XC HTTP LB (WAF/Bot/API/CSD) -> Origin Server VM (nginx -> Docker apps)

Create an F5 XC origin pool pointing to this VM’s public IP:

| Setting | Value |
| --- | --- |
| Origin Server Type | Public IP of Origin Server |
| IP Address | `<terraform output public_ip>` |
| Port | 80 |
| Health Check | HTTP, path `/health` |

Create an HTTP load balancer with the origin pool:

| Setting | Value |
| --- | --- |
| Domains | Your demo domain (e.g., demo.example.com) |
| Origin Pool | The pool created above |
| WAF | Attach your WAF policy |
| Bot Defense | Enable as needed |
| API Discovery | Enable for VAmPI endpoints |

Each application is accessible via its path prefix through the load balancer:

| F5 XC LB URL | Origin Path | Application |
| --- | --- | --- |
| https://demo.example.com/juice-shop/ | /juice-shop/ | Juice Shop (4 instances, cookie sticky) |
| https://demo.example.com/dvwa/ | /dvwa/ | DVWA (4 instances + MariaDB, cookie sticky) |
| https://demo.example.com/vampi/ | /vampi/ | VAmPI (4 instances, ip_hash sticky) |
| https://demo.example.com/httpbin/ | /httpbin/ | httpbin (4 instances, round-robin) |
| https://demo.example.com/whoami/ | /whoami/ | Request diagnostics (4 instances) |
| https://demo.example.com/csd-demo/ | /csd-demo/ | CSD Demo (4 instances, ip_hash sticky) |
| https://demo.example.com/dvga/ | /dvga/ | DVGA (4 instances, ip_hash sticky) |
| https://demo.example.com/restaurant/ | /restaurant/ | RESTaurant (4 instances, round-robin) |
| https://demo.example.com/health | /health | Health check (nginx direct) |

Use the whoami endpoint to verify what headers F5 XC injects into requests reaching the origin:

```bash
LB_DOMAIN="demo.example.com"
curl -sk "https://${LB_DOMAIN}/whoami/"
```

Look for these F5 XC injected headers in the response:

| Header | Meaning |
| --- | --- |
| X-Forwarded-For | Client IP chain through F5 XC |
| True-Client-IP | Original client IP |
| X-Forwarded-Proto | `https` if TLS terminates at F5 XC |
| X-Volterra-Bot-Type | Bot classification (when Bot Defense is enabled) |
| X-Request-ID | F5 XC request tracking ID |
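
The header check above can be scripted. This is an added example, not part of the original project: it audits whoami output for the headers listed above and returns the number of problems, so a response with none of them (a request that did not pass through F5 XC) is flagged. It assumes whoami echoes each request header as a `Name: value` line; the function names and the sample response are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the F5 XC headers echoed back by /whoami/.
# Assumption: whoami prints each request header as a "Name: value" line.

REQUIRED="X-Forwarded-For True-Client-IP X-Forwarded-Proto X-Request-ID"

# header_value NAME: read whoami output on stdin and print the first matching
# header value (header names are compared case-insensitively).
header_value() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    {
      i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != want) next
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
      print val; exit
    }'
}

# check_xc_headers BODY: print one status line per header and return the
# number of problems (0 means every expected header arrived at the origin).
check_xc_headers() {
  local body="$1" problems=0 h v
  for h in $REQUIRED; do
    v=$(printf '%s\n' "$body" | header_value "$h")
    if [ -z "$v" ]; then
      echo "MISSING $h"; problems=$((problems + 1))
    elif [ "$h" = "X-Forwarded-Proto" ] && [ "$v" != "https" ]; then
      echo "BAD     $h: $v (expected https)"; problems=$((problems + 1))
    else
      echo "OK      $h: $v"
    fi
  done
  # Only present when Bot Defense is enabled, so absence is not a problem.
  v=$(printf '%s\n' "$body" | header_value "X-Volterra-Bot-Type")
  echo "INFO    X-Volterra-Bot-Type: ${v:-not set}"
  return "$problems"
}

# Constructed sample of whoami output for a request that passed through the LB.
SAMPLE_VIA_LB='Hostname: whoami-1
GET /whoami/ HTTP/1.1
Host: demo.example.com
X-Forwarded-For: 203.0.113.10
True-Client-Ip: 203.0.113.10
X-Forwarded-Proto: https
X-Request-Id: 00000000-0000-0000-0000-000000000000'

check_xc_headers "$SAMPLE_VIA_LB"
# Live use: check_xc_headers "$(curl -sk "https://${LB_DOMAIN}/whoami/")"
```
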

With a WAF policy attached to the HTTP load balancer, test attack payloads:

```bash
LB_DOMAIN="demo.example.com"
# SQL Injection (should be blocked by WAF)
curl -sk "https://${LB_DOMAIN}/dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1--&Submit=Submit"
# XSS (should be blocked by WAF)
curl -sk "https://${LB_DOMAIN}/juice-shop/rest/products/search?q=<script>alert(1)</script>"
# Command Injection (should be blocked by WAF)
curl -sk "https://${LB_DOMAIN}/dvwa/vulnerabilities/exec/" \
  -d "ip=127.0.0.1;cat+/etc/passwd&Submit=Submit"
# Normal request (should pass through)
curl -sk "https://${LB_DOMAIN}/httpbin/get" | jq .
```

Enable API Discovery on the HTTP load balancer to map VAmPI’s API endpoints:

```bash
LB_DOMAIN="demo.example.com"
# These requests build the API inventory in F5 XC
curl -sk "https://${LB_DOMAIN}/vampi/users/v1"
curl -sk -X POST "https://${LB_DOMAIN}/vampi/users/v1/register" \
  -H "Content-Type: application/json" \
  -d '{"username":"apitest","password":"test123","email":"api@test.com"}'
curl -sk -X POST "https://${LB_DOMAIN}/vampi/users/v1/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"apitest","password":"test123"}'
```

crAPI runs on a dedicated port (8888) because it is a single-page application that hardcodes its API paths and cannot be served behind a path prefix. To integrate crAPI with F5 XC:

| Setting | Value |
| --- | --- |
| Origin Server Type | Public IP of Origin Server |
| IP Address | `<terraform output public_ip>` |
| Port | 8888 |
| Health Check | HTTP, path `/` |

Create a separate origin pool for crAPI on port 8888, or add a second origin pool member to your existing pool with port 8888 and use route rules to direct traffic:

```bash
LB_DOMAIN="demo.example.com"
# Test crAPI through F5 XC (if configured)
curl -sk "https://${LB_DOMAIN}:8888/"
# Or if using route rules on the same LB domain:
# Configure an F5 XC route rule matching Host header or path prefix
# to forward to the crAPI origin pool (port 8888)
```

The origin server uses nginx sticky sessions internally to route stateful applications to consistent backend containers. When configuring the F5 XC HTTP load balancer, be aware:

| Application | Sticky Method | Why |
| --- | --- | --- |
| Juice Shop | `hash $cookie_token` | Node.js session state |
| DVWA | `hash $cookie_PHPSESSID` | PHP session state |
| VAmPI | `ip_hash` | SQLite database per instance |
| CSD Demo | `ip_hash` | In-memory exfil log per instance |
| DVGA | `ip_hash` | SQLite database per instance |
| RESTaurant | Round-robin | Shared PostgreSQL backend |
| crAPI | — (single port 8888) | 7 microservices, PostgreSQL + MongoDB |
| httpbin | Round-robin | Stateless |
| whoami | Round-robin | Stateless |

F5 XC does not need to replicate these sticky sessions — nginx on the origin VM handles the backend routing. F5 XC should treat the origin as a single endpoint (the VM’s public IP on port 80).

When combined with the CDN Simulator, the full lab architecture is:

End User -> CDN Simulator (nginx cache) -> F5 XC HTTP LB -> Origin Server (this component)

The CDN Simulator uses the F5 XC HTTP load balancer VIP as its origin, and the F5 XC load balancer uses this origin server as its backend. This creates a realistic multi-layer architecture for comprehensive testing.