Forum Discussion
Piyush_72418
Nimbostratus
Nimbostratuspersistence across two VIPs having 2 diff. pools and bypass SSL to node members
Hi,
I have 2 VIPs
1. vip_abc_http having pool abc_http_pool
2. vip_abc_https having pool abc_https_pool
now pool abc_http_pool has members like
192.168.1.101:80
192.168.1.102:80
192.168.1.103:80
and pool abc_https_pool has members like
192.168.1.101:443
192.168.1.102:443
192.168.1.103:443
I want to serve all the SSL cert /traffic from node / members
Please tell me - whats a good way to achieve following :-
1. bypass SSL certs (so that F5 BigIP LTM - 3600) dont' serve the SSL cert / traffic and ssl cert / traffic to be served by my members in pool abc_https_pool (from apache httpd/tomcat)
2. How can I achieve persistence across two VIPs vip_abc_http & vip_abc_https
I have tried having Cookie Insert persistence - but failed to get persistence to SAME node member whenever my session lands from http vip to https vip
Piyush_72418I have tried applying following iRule on https VIP
when RULE_INIT {
}
when CLIENTSSL_HANDSHAKE {
persist ssl
}
when HTTP_REQUEST {
persist source_addr 86400
}
but still peristence not working!
hoolioCirrostratus
If you're not decrypting the SSL for the HTTPS VIP, you can't inspect or modify the HTTP content for that VIP. As only one VIP is using SSL, you couldn't use SSL session ID persistence for both VIPs.
You could create a custom source address persistence profile with "match across services" enabled and add that to both VIPs. If the virtual servers are not defined on the same IP address, you would also need to add "match across virtuals".
See SOL5837 for details:
SOL5837: Match Across options for session persistence
https://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837.html
Aaron