Forum Discussion

Anthony_Vaz_547
Feb 10, 2010

Is this a bad idea...

Hi guys

Curious on your thoughts on this please?

We traditionally have a setup where we may have web application servers and database servers in our corporate network.

We would also have reverse proxy software applications sitting in our DMZ, using something like Oracle WebCache or Apache with mod_proxy on a WinTel server.

Often we would have a failover pair of reverse proxies, and a BigIP LTM sitting in front of them.

I have suggested that we could actually save a lot of money and resources by eliminating the reverse proxy WinTel servers and having the BigIP VIP perform the same function.

We can utilise network-side scripting with iRules to ensure only the correct URIs are accessed, that sort of thing. And firewall-wise, there is a front firewall between the BigIP and the Internet, and another between the BigIP and the internal application server.

I see no real reason to have the WinTel boxes.

We don't currently use ASM sadly, so we are relying on the protection given by the firewalls and the iRules on the VIP itself (locking down URIs to only a given few, ensuring no JavaScript in query strings, etc.). And obviously, hopefully the web applications are written well enough not to be too easy to cause problems.

But I admit to wondering if this is a little too maverick? Thoughts/slaps?

2 Replies

  • Hi Anthony,

    Without native character and path normalization functionality (or user-defined functions?) in iRules, I don't think it's a good idea to try to use iRules to perform HTTP security validation. It's quite simple to bypass most iRule URI validation with encoding/directory traversal attacks. See this post for details:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3090031324

    ASM can definitely provide good validation and protection. But I don't think iRules should be depended on for now for this scenario.

    Aaron
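The point Aaron makes, and the allowlisting Anthony describes in the original post, come down to one question: is the string the iRule compares against the allowlist the same path the origin server will actually resolve? The following is an added illustration, not code from this thread, from F5, or an iRule (iRules are Tcl; this is Python chosen so it runs stand-alone). It implements the normalization steps the reply says were missing natively at the time, bounded repeated percent-decoding, dot-segment resolution and slash collapsing, and compares a literal-string allowlist check against the same check performed on the canonical path. The allowlist entries and the sample request paths are constructed for the demonstration.

```python
"""Request-path allowlisting: literal match versus match on a canonical path.

Added example (not from the DevCentral thread). Shows why an allowlist
applied to the raw request URI is a different check from one applied to
the path the origin will resolve, and what a minimal normalizer must do.
"""
from urllib.parse import unquote

# Constructed allowlist, standing in for the "only a given few" URIs in the post.
ALLOWED_PATHS = {"/app/login", "/app/home"}
ALLOWED_PREFIXES = ("/app/static/",)


def raw_allowed(path: str) -> bool:
    """Literal check on the path exactly as received (no normalization)."""
    return path in ALLOWED_PATHS or path.startswith(ALLOWED_PREFIXES)


def normalize_path(path: str, max_decode_rounds: int = 3) -> str:
    """Canonicalize a request path before any allowlist decision.

    Steps, in the order an origin server would effectively apply them:
      1. Drop the query string; the decision is on the path component.
      2. Treat backslashes as slashes (some origins do).
      3. Percent-decode repeatedly, bounded, so that a doubly encoded
         sequence ends up the same as a singly encoded one.
      4. Remove '.' segments, resolve '..' segments without climbing above
         the root, and collapse runs of '/'.
    """
    path = path.split("?", 1)[0]
    path = path.replace("\\", "/")
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty (from '//') and '.' segments add nothing
        if seg == "..":
            if segments:
                segments.pop()  # never above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalized_allowed(path: str) -> bool:
    """Allowlist check on the canonical path; fail closed on leftover encoding."""
    canon = normalize_path(path)
    # Anything still percent-encoded after the decode budget, or carrying
    # control characters, is not a path we can reason about: reject it.
    if "%" in canon or any(ord(c) < 0x20 or c == "\x7f" for c in canon):
        return False
    return canon in ALLOWED_PATHS or canon.startswith(ALLOWED_PREFIXES)


def compare(path: str) -> dict:
    """Return both verdicts plus the canonical form, for side-by-side review."""
    return {
        "raw": raw_allowed(path),
        "normalized": normalized_allowed(path),
        "canonical": normalize_path(path),
    }


if __name__ == "__main__":
    # Constructed sample request paths: one plain, one with a query string,
    # one with redundant slashes, one that a literal prefix check accepts
    # but that resolves outside the allowed tree.
    for sample in (
        "/app/login",
        "/app/login?next=%2Fhome",
        "/app//static/./logo.png",
        "/app/static/../../admin",
    ):
        print(f"{sample!r:40} -> {compare(sample)}")
```

The divergence to look for in the output is a path where `raw` is True and `normalized` is False: that is a request the literal allowlist would pass to the origin even though the origin will serve something outside the allowed set. The `max_decode_rounds` bound and the fail-closed check on a leftover `%` are deliberate: an unbounded decode loop is itself a resource risk, and a path that cannot be fully canonicalized within the budget should be rejected rather than guessed at.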