Forum Discussion

Chuck_Adkins_13
Mar 20, 2006

persist across two VIPs - SSL and clear - advice

Pretty basic setup where a client connects with two connections - one SSL and one clear - and I want them to persist to the same node (obviously different ports). I am thinking that others must be doing this and there may be best-practice vs wrong-way-bad-use-of-resources methods.

VIP:443 (ssl) --> POOL_S

VIP:80 (clear) ---> POOL_C

Client connects to VIP:443; SSL is not handled by BIGIP. After the client authenticates, a second connection to VIP:80 is established. Both connections need to persist to the same/original node of the pool.

What is the best way to do this? Since I cannot see headers in the SSL connection, I think that rules out using UIE and using something easy/standard like the userid to persist on.

The client is a homegrown application and we can set a header variable "NodeConnectedTo" to the node that the clear connection needs to use. The first SSL connection is a stateful, long-lived connection that by its nature doesn't need persistence - although if there is a way to set it I would like to (it will give me more options in the future).
  • Testing this now - pretty simple - may be on the right track -

    
    when HTTP_REQUEST {
        log local0. "starting rule"
        set LB_CL_NODE [HTTP::header "NodeAddress"]
        log local0. "node is $LB_CL_NODE"
        pool some_pool member $LB_CL_NODE
        log local0. "sending to $LB_CL_NODE"
    }

    Is there a way to set persist so that inspection doesn't need to happen for each request?
  • Deb_Allen_18
    Historic F5 Account
    If you can set a server-referencing cookie for the HTTP connection, as you mention, the simplest solution is probably not a rule, but LTM's built-in passive cookie persistence feature.

    For a description of feature and the cookie your servers would need to set, search for "HTTP Cookie Passive method" in this doc:

    http://tech.f5.com/home/bigip-next/manuals/bigip9_0/bigip9_0config/ConfigGuide9_0-10-1.htm

    HTH

    /deb
  • Deb_Allen_18
    Historic F5 Account
    Ah, my apologies. I assumed when you said you could set a header you were referring to Set-Cookie.

    So it seems that you're on the right track.

    The pool member must include the port as well, though, so maybe something more like:

    pool some_pool member ${LB_CL_NODE}:80

  • This is working:

    
    when HTTP_REQUEST {
        log local0. "starting rule"
        set LB_CL_NODE [HTTP::header "NodeAddress"]
        log local0. "node is $LB_CL_NODE"
        pool some_pool member $LB_CL_NODE
        log local0. "sending to $LB_CL_NODE"
    }

    The NodeAddress header is actually "ip.add.re.ss:port". I am thinking I should be able to set persist so that this check isn't performed for every packet.
  • This is working ok ... however it forces me to use L7 load balancing ... is there any way to start in L7 and then pass off to L4? The L7 is KILLING my CPU ... nearly maxing out an 8400 w/10K connections and 700M.

    Quick recap - using the iRule in the thread above ...

    client connects ----> VIPA:A L4 to pool

    server tells client what the node address is

    client sends second connection ----> VIPA:B (sent to node using irule)
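Added example, not from the thread or from F5: a hardened variant of the iRule posted above. The NodeAddress header is client-supplied, so before honoring it the rule checks that the value parses as "ip:port" and names an existing, up member of some_pool (pool name from the thread); the LB::status call, the persist uie call and the UIE persistence profile it relies on are assumptions about the platform version.

```tcl
# Added example (not from the thread). Assumes an HTTP profile on the
# clear-text virtual server, the pool name some_pool from the thread, and a
# UIE persistence profile attached to that virtual server.
when HTTP_REQUEST {
    set node [HTTP::header "NodeAddress"]

    # The header is "ip.add.re.ss:port" (as the thread describes). Reject
    # anything that does not parse as a dotted IPv4 address plus a port.
    if { [scan $node {%[0-9.]:%d} addr port] != 2 } {
        log local0. "NodeAddress missing or malformed: '$node', using normal LB"
        pool some_pool
        return
    }

    # The header is client-controlled, so only honor it when the value names an
    # existing pool member that is currently up; otherwise fall back to the
    # pool's own load balancing instead of sending traffic to an arbitrary
    # address. LB::status is assumed to error out for an unknown member,
    # which catch turns into the same fallback.
    if { [catch { LB::status pool some_pool member $addr $port } state] || $state ne "up" } {
        log local0. "NodeAddress $addr:$port is not an up member of some_pool, using normal LB"
        pool some_pool
        return
    }

    pool some_pool member $addr $port

    # Record a UIE persistence entry keyed on the node so later requests that
    # match the persistence profile reuse this decision. HTTP_REQUEST still
    # fires per request while an HTTP profile is applied, so this does not by
    # itself remove the L7 parsing cost the last post complains about.
    persist uie "$addr:$port"
}
```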