Forum Discussion
MR_RJ (Cirrus)
May 16, 2011
Need an iRule to set persistence based on http content
Hi,
We are using RSA-SecurID and their solution for how to configure a web farm that is load balanced. The short story: the agents on the servers act as one agent, and if you are authenticated to one server, then you are authenticated to all of them.
This works really well together with the F5 LTM... except for one thing. If the password is entered wrong several times, a form of challenge is prompted to the user. When the user submits this, the request/response might go to a different server than the one it originated from.
I'm very new to iRules; we haven't had any major challenges, so I've only created a few simple ones.
But anyway... the solution I was thinking of was an iRule that does something like this:
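when HTTP_RESPONSE {
    # HTTP::payload only holds data that HTTP::collect has gathered beforehand
    if { [HTTP::uri] contains "/securid/agent.dll" && [HTTP::payload] contains "SecurID Next Tokencode Request" } {
        # persistence for this client would be set here
    }
}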
I've been playing around a bit with the idea and trying to create an iRule for it, but I'm not even sure that this is the right approach. I've seen some similar solutions, but they seem to be a bit too advanced for what I'm trying to do.
Worst case scenario is enabling persistence on all sessions, but then we will have a long drain time etc. Right now I can (if needed) just force a node offline and no one will notice... that's worth a lot.
Any ideas of other solutions or how to write the iRule?
Thanks in advance!
Robert
- The_Bhattman (Nimbostratus): Hi Robert,
- MR_RJ (Cirrus): Hi,
- The_Bhattman (Nimbostratus): Hi Robert,
- MR_RJ (Cirrus): Hi,
- The_Bhattman (Nimbostratus): Hi Robert,
- hoolio (Cirrostratus): I don't think the overhead of collecting payloads to limit when you use persistence is worth it. Collecting payloads is going to eat up a fair amount of memory and add latency.
- Colin_Walker_12 (Historic F5 Account): Even though you can achieve what you're looking for relatively efficiently with the STREAM profile and other built-in commands, I have to agree with Bhattman and hoolio here. The overhead for enabling site-wide cookie persistence is minimal on the F5 device. If that's your concern, I really wouldn't worry about it unless your system is already nearly maxed out, at which point there are other concerns to deal with anyway.