Forum Discussion

hc_andy_35682's avatar
hc_andy_35682
Icon for Nimbostratus rankNimbostratus
Feb 01, 2012

Handling Persistence for HTTPS connections in a two tier security model??

Hi All,     I'm trying to determine the best way to handy persistence for HTTPS connections based on our security mode below.     We have a security model where we have a F5 in the Public ...
config
design
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Feb 02, 2012
I'm assuming the reverse proxy will pass the request and response through fairly transparently and include the LTM internal VS's persistence cookie. If that's true, then you can use that as a unique key to persist the client on the LTM external VS. Here's a bad ascii diagram and description. 

Request 1
client(1) ->VS on LTM external(2) ->Reverse Proxy(3) ->VS on LTM internal(4) ->server

Response 1
client<- (8)VS on LTM external<- (7)Reverse Proxy<- (6)VS on LTM internal<- (5)server

Request 2
client(9) ->VS on LTM external(10) ->Reverse Proxy(11) ->VS on LTM internal(12) ->server

1 - 5: client makes a new request with no persistence and server responds

6: LTM internal sets a persistence cookie for the LTM internal VS default pool member

7: LTM external iRule adds a persistence record in memory mapping the persistence cookie value from LTM internal to the LTM external VS default pool member

8: Client receives LTM internal VS cookie

9-10: Client makes new request to LTM external VS with LTM internal VS cookie. iRule persists on that cookie value to same LTM external VS default pool member

11-12: LTM internal VS persists on persistence cookie value to same LTM internal VS default pool member.

OneConnect is necessary to ensure each HTTP request is evaluated for persistence instead of once per client to TCP connection. See this article for more info:

sol7964: Persistence may fail for subsequent requests on Keep-Alive connections

http://support.f5.com/kb/en-us/solutions/public/7000/900/sol7964.html

By default, the BIG-IP performs load balancing for each TCP connection, rather than for each HTTP request. Once the initial TCP connection is load balanced, all HTTP requests seen on the same connection are sent to the same pool member. You can modify this behavior by forcing the server-side connection to detach after each HTTP request, which in turn allows a new load balancing decision according to changing persistence information in the HTTP request. You can force the server-side detachment by applying a OneConnect profile to the virtual server, or by using an iRule to explicitly detach the server-side connection after each HTTP request.

and/or this one from Deb:

OneConnect

http://devcentral.f5.com/wiki/AdvDesignConfig.OneConnect.ashx

Note that it's a lot more efficient to use OneConnect to force persistence evaluation on each HTTP request compared with using LB::detach which basically prevents serverside keepalives.

Aaron