HTTP - HTTPS - HTTP Cookie Persistence

Question

I have a ticket open with F5 technical support, but thought I might post my issue here as well, just to see if anyone might have some insight.  I am not sure if this needs to be handled by an iRule specifically, or if basic configuration options can yeild the desired result? &nbsp;
&nbsp;A user connects to http://www.gosolodev.com:80 and enters login information.  The BigIP directs the request to server1 and the user authenticates.  At this point, the user is logged in to server1 and the BigIP uses cookie persistence to continue to direct that user to server1.  As the user is navigating throughout the application, they click a link that uses SSL so they access https://www.gosolodev.com:443.  At this point, the BigIP is not matching the cookie persistence and re-load balances the connection, possible directing the user to server2.  Since the user was logged in to server1, server2 requires them to authenticate.
&nbsp; 
&nbsp;What we need to happen is as long as the same user with the same session is connecting to the BigIP, they should go to the same server, regardless of whether they are connecting via HTTP or HTTPS. The re-login presentation that happens is really just a by product to the issue.  Does anyone know how to do this?  &nbsp;
&nbsp;The following are the relevant entries in bigip.conf&nbsp;
&nbsp;monitor gosolodev-wl-https {
&nbsp;   defaults from https
&nbsp;   interval 10
&nbsp;   timeout 31
&nbsp;   send "GET /um/login.jsp"
&nbsp;}
&nbsp;monitor gosolodev-wl-http {
&nbsp;   defaults from http
&nbsp;   reverse
&nbsp;   interval 10
&nbsp;   timeout 31
&nbsp;   recv "  Weblogic Bridge Message     Failure of server APACHE bridge: &nbsp;No backend server available for connection: timed out after 10 seconds. &nbsp;Build date/time: May  8 2003 15:20:38 &nbsp;Change Number: 257949   "
&nbsp;   send "GET /um/login.jsp"
&nbsp;}
&nbsp;profile clientssl gosolodev-clientssl {
&nbsp;   defaults from clientssl
&nbsp;   key "gosolodevssl.key"
&nbsp;   cert "gosolodevssl.crt"
&nbsp;}
&nbsp;profile serverssl gosolodev-serverssl {
&nbsp;   defaults from serverssl
&nbsp;   key "gosolowildssl.key"
&nbsp;   cert "gosolowildssl.crt"
&nbsp;   ca file "ca-bundle.crt"
&nbsp;}
&nbsp;profile http gosolodev-http {
&nbsp;   defaults from http
&nbsp;   insert xforwarded for enable
&nbsp;}
&nbsp;profile persist dev-gosolo-cookie {
&nbsp;   defaults from cookie
&nbsp;   mode cookie
&nbsp;   cookie mode insert
&nbsp;   cookie name GOSOLODEV-COOKIE
&nbsp;   cookie expiration 0d 02:00:00
&nbsp;   across services enable
&nbsp;   across virtuals enable
&nbsp;}
&nbsp;pool dev-https {
&nbsp;   monitor all gosolodev-wl-https
&nbsp;   member 192.168.103.79:https
&nbsp;   member 192.168.103.126:https
&nbsp;}
&nbsp;pool dev-http {
&nbsp;   monitor all gosolodev-wl-http
&nbsp;   member 192.168.103.79:http
&nbsp;   member 192.168.103.126:http
&nbsp;}
&nbsp;rule strip-www-gosolodev {
&nbsp;   when HTTP_REQUEST {
&nbsp;   if { [HTTP::host] equals "www.primerica.gosolodev.com" } {
&nbsp;      HTTP::redirect "http://primerica.gosolodev.com"
&nbsp;   }
&nbsp;virtual dev-http {
&nbsp;   destination 192.168.103.190:http
&nbsp;   ip protocol tcp
&nbsp;   profile gosolodev-http oneconnect tcp
&nbsp;   persist dev-gosolo-cookie
&nbsp;   pool dev-http
&nbsp;   vlans DEV enable
&nbsp;}
&nbsp;virtual dev-https {
&nbsp;   destination 192.168.103.190:https
&nbsp;   ip protocol tcp
&nbsp;   profile gosolodev-clientssl gosolodev-http gosolodev-serverssl oneconnect tcp
&nbsp;   persist dev-gosolo-cookie
&nbsp;   pool dev-https
&nbsp;   vlans DEV enable
&nbsp;}&nbsp;&nbsp;
&nbsp;Thanks.

vincent_power_9 · Answer

This is just a suggestion.
&nbsp;If you wanted the BIG-IP to handle the SSL termination, you could use the same pool *http_pool" for both virtual servers then "match across virtual servers" would probably work.&nbsp;
&nbsp;See:
&nbsp;http://tech.f5.com/home/bigip-next/manuals/bigip9_0/bigip9_0config/ConfigGuide9_0-10-1.htmlwp1184508&nbsp;

unruley_95363 · Answer

The only way to do this would be if the BIG-IP is handling the SSL termination.  And, since you are naming your cookie, this should already work (by default, the cookie name includes the pool name but since you specified the cookie name, it has to lookup the node in whatever the current pool is).

matt_galvin_107 · Answer

Posted By unRuleY on 12/27/2005 6:15 PM
&nbsp;The only way to do this would be if the BIG-IP is handling the SSL termination.&nbsp;
&nbsp;Unfortunately, this is not possible for us (junger and I work together).  Due to other security requirements, we must have SSL termination at the end server that handles the request.  We cannot have unencrypted traffic between the LB and the processing server when the incoming client request is over SSL.&nbsp;
&nbsp;Is it not possible to have HTTP and HTTPS persistence if the BIG-IP is not the SSL terminator?  We don't have to use cookie based persistence if one of the other methods will accomplish this.

matt_galvin_107 · Answer

This is the same issue that is being discussed in a different thread without the SSL termination issue (http://devcentral.f5.com/Default.aspx?tabid=28&amp;forumid=5&amp;postid=5939&amp;view=topic).&nbsp;
&nbsp;In that thread you state:&nbsp;&nbsp;Posted By unRuleY on 1/03/2006 2:25 PM
&nbsp;Unless you decide to use cookie persistence, you will probably want to use the across virtuals and across pools settings to allow a persistence record to be applied to different pools.&nbsp;
&nbsp;Can you expand on this?  Why does cookie persistence matter here?  We've tried all combinations of matching to no avail so I'm assuming it's the SSL pass through that's causing the failure...

jrahm · Answer

It is possible to have client-side ssl offload, then re-encrypt for your SSL requirement on the backside.  No performance gain in doing so, but you gain the traffic management control.

Forum Discussion

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

iRule Developer Tools

Help with SSH Virtual Server

"01020066:3: The requested Node (/Common/fqdn1) already exists in partition Common."

Bigip Restoration From Hardware to VM

DNS topology not distributing as expected

Related Content

Decoding the IPv4 address from the persistence cookie

How OneConnect Profile works with Cookie Persistence

Persistence Cookie Logger

Persistence Cookie Logging

F5 XC – Persistence and Resiliency pt. I (persistence)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS