
Forum Discussion

zski128_101720
Dec 23, 2014

Encrypting cookies for persistence profile set by iRule

Hello, I am trying to set a persistence cookie for each of the pools my iRule will shift traffic to. I can see the cookie is set; however, it's not encrypted as I would expect. I am running 11.6.

Here is my setup:

ltm profile http /Common/company-http {
    app-service none
    defaults-from /Common/http
    encrypt-cookie-secret xxxxxxxxxxxxxxxxxxxxxxxxx
    encrypt-cookies { curabalance curabalance_app1 curabalance_app2 }
    oneconnect-transformations enabled
    response-chunking selective


ltm persistence cookie /Common/cura_cookie {
    app-service none
    cookie-name curabalance
    defaults-from /Common/cookie
    method insert
}
ltm persistence cookie /Common/cura_cookie_app1 {
    app-service none
    cookie-name curabalance_app1
    defaults-from /Common/cookie
    expiration 0
    method insert
    override-connection-limit disabled
}
ltm persistence cookie /Common/cura_cookie_app2 {
    app-service none
    cookie-name curabalance_app2
    defaults-from /Common/cookie
    expiration 0
    method insert
    override-connection-limit disabled



    Send traffic to the proper pool
   switch -glob $uri {
      "/approot*" -
      "/app2_apps*" -
      "/app2_html*" {
         persist cookie insert cura_cookie_app2
         pool QA_Network_app2_Pool
      }
      "/connect*" -
      "/app1*" {
         log local0. "Client: [IP::client_addr]: [HTTP::uri] access app1. "
         persist cookie insert cura_cookie_app1
         pool Stg_app1_Web_Pool
      }
      default {
         pool network.company.com.80
      }

What am I missing?

1 Reply

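  • This is mine, and the cookie comes back encrypted. Here the name passed to `persist cookie insert` in the iRule (cura_cookie_app1) is the name of the cookie that gets set, and that same name is listed under encrypt-cookies in the HTTP profile. In your setup, encrypt-cookies lists curabalance_app1 and curabalance_app2, while the iRule inserts cura_cookie_app1 and cura_cookie_app2.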

     configuration
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product     BIG-IP
      Version     11.6.0
      Build       1.0.403
      Edition     Hotfix HF1
      Date        Sat Sep 27 09:37:19 PDT 2014
    
    Hotfix List
    ID480931-1
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        mirror enabled
        persist {
            cookie {
                default yes
            }
        }
        profiles {
            myhttp { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 12
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile http myhttp
    ltm profile http myhttp {
        app-service none
        encrypt-cookie-secret $M$hh$TtjQeX/EdWOutEWt+kIZvQ==
        encrypt-cookies { cura_cookie_app1 }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      persist cookie insert cura_cookie_app1
      pool foo
    }
    }
    
     test
    
    [root@ve11a:Active:In Sync] config  curl -I http://172.28.24.10
    HTTP/1.1 200 OK
    Date: Wed, 24 Dec 2014 04:29:05 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: cura_cookie_app1=!OB28Brd8x3oJ0z+nBhzG11n+lnCdUU3IrcReejbxZcpVu9loiym8hf/7yNGfxNOm+1QZWZQJQleC+Dk=; expires=Wed, 24-Dec-2014 04:47:48 GMT; path=/