Forum Discussion

Gus_Thompson_11's avatar
Gus_Thompson_11
Icon for Nimbostratus rankNimbostratus
Aug 13, 2007

iRule - HTTP Response (Trigger)?

Currently we have Cookie (HASH) Persistence enabled on all our websites, and persistence between services is being kept correctly.

 

 

Our dilemma is how the F5 handles the cookies, this may or may not be possible, but we’ve noticed that the F5 reads the cookie on the “Request” or after you have landed on the site and clicked on a link.

 

 

We need to have the cookie read on the “Response” or when the client initially lands on the page.

 

 

The reason for this request is that we are doing an email campaign, and with in this email, there is a URL that the customer will click on. This URL contains and embedded serial number that is passed to the web server.

 

 

URL Example: http://www.ecommsite1.com/pagebuilder/Item?item=48064&source=940948

 

 

Our issue is that when they land on the page, the serial number is passed correctly to (server1) the web server, but when the customer clicks on any link, they are redirected to another web server (server2) and that server has no clue about the serial number that was entered. Persistence is not working as expected.

 

 

Please let me know if you need more information.

 

 

Thanks in advance for your help!

 

Gus
application delivery
dev
devops
iRules
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Aug 13, 2007
    Hi Gus -

     

     

    I'd suggest instead using cookie insert persistence, which creates a cookie with the address:port of the selected server encoded in it.

     

     

    HTH

     

    /deb

     

  • Gus_Thompson_11's avatar
    Gus_Thompson_11
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2007
    Thanks for the reply Deb,

     

     

    How will I maintain persistence between services using cookie insert?

     

    The reason we went with Cookie Hash was because F5 Support told us that Cookie Insert did not support persistence for services.

     

     

    To give you a better understanding of how we are setup, we have 8 web servers in a HTTP pool, and the same 8 web servers in a HTTPS pool. (Again, we were told this is standard setup). If you land on server1 (HTTP) and go “checkout” of the ecomm site, you get sent to HTTPS but need to stay on the same web server. Before, using Cookie insert, that functionality would not work and you would get sent so server2 (HTTPS). When we asked for iRules support, we were directed to this forum, or to use Cookie Hash instead.

     

     

    Thanks again for your help,

     

    Gus

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 14, 2007
    For some reason, F5 removed the 'match across' functionality for cookie persistence. I think there is a CR requesting to have it added back. You might request to have your case attached to the request if it hasn't been already.

    If you're not using ASM or WebAcc, you could create a single virtual server on port 0 (any) pointing to a pool of web servers also on port 0. You'd need to add a client SSL profile on the virtual server and then use "SSL::disable" in an iRule to disable decryption for requests to an HTTP port. You could then use a cookie insert persistence profile to persist requests irrespective of the port.

    I think this would be the simplest method.

    Here's an example rule:

    
when CLIENT_ACCEPTED {
   switch [TCP::local_port] {
      80 {
          need to disable client SSL for HTTP requests
         SSL::disable
      }
      443 {
          do nothing, request will be decrypted and sent to pool
      }
      default {
          drop or reject the request as it's not an allowed port
         reject
      }
   }
}

    Aaron
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Aug 14, 2007
    My understanding is that it was removed because they were invalid options since the persistence was passive due to the persistent data was contained in the cookie instead of in a table...is this not the case?
  • Gus_Thompson_11's avatar
    Gus_Thompson_11
    Icon for Nimbostratus rankNimbostratus
    Aug 14, 2007
    Hey Aaron,

    Thanks for the tip. I went ahead and created a new pool and virtual server using a wildcard (*) for the service ports. I also tried to create the iRule you listed, but I get an error message:

    
01070151:3: Rule [ST-lbc.TEST1] error: 
line 1: [unknown event (CLIENT_CONNECTED)] [when CLIENT_CONNECTED {
switch [TCP::local_port] {
80 {
 need to disable client SSL for HTTP requests
SSL::disable
}
443 {
 do nothing, request will be decrypted and sent to pool
}
default {
 drop or reject the request as it's not an allowed port
reject
}
}
}]

    Here's a dumb question, (new to iRules) will this iRule affect only the virtual server I assign it to, or is this a global rule? I can't take too many risks only because our F5 cluster is load balancing production sites. One more question, how do I limit or assign the iRule to a specific virtual server?

    Thanks for your help,

    Gus

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 14, 2007
    Sorry, the event should be CLIENT_ACCEPTED, not connected...

     

     

    I realized that for SSL requests the destination port needs to be changed from the client requested port of 443 to the HTTP port of the server, 80.

     

     

    I'll put together a more complete example and repost shortly.

     

     

    As for your question on scope of the rule: the rule would only affect the virtual server that it is added to. You can configure a rule for a specific virtual server by clicking on the virtual server name and then the resources tab.

     

     

    Aaron