Forum Discussion

Nimbostratus

Sep 22, 2007

cookie insert persistence/ https

We have a website that is managing the SSL encrption from the servers. We are getting ready to turn on Akamai service. One of the requirements is to change from source ip persistence to cookie persis...

Historic F5 Account

Sep 25, 2007

I don't think you need an iRule for this. You should be able to use a minor sleight of hand with cookie insert persistence to make it happen.

You definitely need to decrypt @ LTM to see the persistence cookie, but for cookie insert persistence to work, you would also need to use the same pool for both services since the persistence cookie is specific to the pool name.

If you don't need to re-encrypt traffic to the backend, this configuration should work for you:

pool servers_port80
  member 1.2.3.4:80
  member 1.2.3.5:80
  persist cookie insert
virtual http
  dest x.x.x.x:80
  pool servers_port80
virtual https
  dest x.x.x.x:443
  pool servers_port80
  port translation enabled
  clientssl profile

For re-encrypted traffic to the backend, this configuration should work for you:

pool servers_port0
  member 1.2.3.4:0
  member 1.2.3.5:0
  persist cookie insert
virtual http
  dest x.x.x.x:80
  pool servers_port0
virtual https
  dest x.x.x.x:443
  pool servers_port0
  clientssl profile
  serverssl profile

(This second option takes advantage of the fact that when using wildcard pool members, port translation is disabled by default, and the same destination port requested by the client is used when connecting with the server.)

HTH

/deb

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)