For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Derik_H__175358's avatar
Derik_H__175358
Icon for Nimbostratus rankNimbostratus
Oct 27, 2014

How to set session affinity for SSL URLs.

Hi,

 

I've been asked to write an irule to provide to a datacenter that will be hosting our servers. I know they have a huge LB, but they haven't given us any specifics on it. All of our connection are https and he vast majority of the connections to our server will be to the server will be to https://www.server.com/config/baseurl.asp. We don't need session affinity on those connections.

 

However, all connections to https://www.server.com/client and https://www.server.com/selfservice need to have session affinity set to 6 hours. I'm looking for an irule that can do this to hand over to the datacenter. I've seen a lot of examples on non-ssl stuff but I haven't found something like what I need. Any help is appreciated.

 

application delivery
design
devops
iRules
LTM
persistence
url

3 Replies

  • Jason_40733's avatar
    Jason_40733
    Icon for Cirrocumulus rankCirrocumulus
    Oct 28, 2014

    If the one URL doesn't NEED affinity but the others do, I'd recommend just setting affinity by SSL session ID or via the source IP address if the load balancer isn't terminating SSL. Getting affinity when it's not needed shouldn't harm anything.

    If the load balancer is terminating SSL, I'd still use a generic cookie persistence or other appropriate type of persistence.

    Since you're trying to make this determination based on the URL.. I'm guessing the load balancer IS terminating the SSL and that you MUST set persistence on the one URL and not on the other.

    This link has good info: https://devcentral.f5.com/questions/using-irule-to-set-persistence-profile

    Quoting Mikeshimkus direction...

    when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "myuri" }  {
            persist source_addr
       }
}

    Just replace the variable and persistence type with whichever type you prefer.

    Jason

  • Derik_H__175358's avatar
    Derik_H__175358
    Icon for Nimbostratus rankNimbostratus
    Oct 28, 2014

    Source IP isn't really an option since we're talking about 300,000 plus computers connecting every 5 minutes. We have found in the past setting affinity for the computer check in times can throw the load balancer out of whack and interrupt services. And people who need to connect to those two URLs where we need affinity also have their computers checking in. We also can't identify the people and their IP's that will be using those URLs.

     

  • Derik_H__175358's avatar
    Derik_H__175358
    Icon for Nimbostratus rankNimbostratus
    Oct 28, 2014

    Cookie persistence will not work on the check in times as it is not a browser. A piece of software on the computer does an SSL request to the server to see if there is an update. Then it repeats every 5 minutes when there is a user logged in.

     

    The requirement is for an irule to handle affinity for those 2 URL's only.