For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Gus_Thompson_11's avatar
Gus_Thompson_11
Icon for Nimbostratus rankNimbostratus
Aug 13, 2007

iRule - HTTP Response (Trigger)?

Currently we have Cookie (HASH) Persistence enabled on all our websites, and persistence between services is being kept correctly.     Our dilemma is how the F5 handles the cookies, this may or ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 14, 2007
For some reason, F5 removed the 'match across' functionality for cookie persistence. I think there is a CR requesting to have it added back. You might request to have your case attached to the request if it hasn't been already.

If you're not using ASM or WebAcc, you could create a single virtual server on port 0 (any) pointing to a pool of web servers also on port 0. You'd need to add a client SSL profile on the virtual server and then use "SSL::disable" in an iRule to disable decryption for requests to an HTTP port. You could then use a cookie insert persistence profile to persist requests irrespective of the port.

I think this would be the simplest method.

Here's an example rule:


when CLIENT_ACCEPTED {
   switch [TCP::local_port] {
      80 {
          need to disable client SSL for HTTP requests
         SSL::disable
      }
      443 {
          do nothing, request will be decrypted and sent to pool
      }
      default {
          drop or reject the request as it's not an allowed port
         reject
      }
   }
}

Aaron