For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

lori_54451's avatar
lori_54451
Icon for Nimbostratus rankNimbostratus
Sep 22, 2007

cookie insert persistence/ https

We have a website that is managing the SSL encrption from the servers. We are getting ready to turn on Akamai service. One of the requirements is to change from source ip persistence to cookie persis...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Sep 25, 2007
I don't think you need an iRule for this. You should be able to use a minor sleight of hand with cookie insert persistence to make it happen.

You definitely need to decrypt @ LTM to see the persistence cookie, but for cookie insert persistence to work, you would also need to use the same pool for both services since the persistence cookie is specific to the pool name.

If you don't need to re-encrypt traffic to the backend, this configuration should work for you:

pool servers_port80
  member 1.2.3.4:80
  member 1.2.3.5:80
  persist cookie insert
virtual http
  dest x.x.x.x:80
  pool servers_port80
virtual https
  dest x.x.x.x:443
  pool servers_port80
  port translation enabled
  clientssl profile

For re-encrypted traffic to the backend, this configuration should work for you:
pool servers_port0
  member 1.2.3.4:0
  member 1.2.3.5:0
  persist cookie insert
virtual http
  dest x.x.x.x:80
  pool servers_port0
virtual https
  dest x.x.x.x:443
  pool servers_port0
  clientssl profile
  serverssl profile
(This second option takes advantage of the fact that when using wildcard pool members, port translation is disabled by default, and the same destination port requested by the client is used when connecting with the server.)

HTH

/deb