Forum Discussion
Chuck_Adkins_13
Nimbostratus
Mar 20, 2006
persist across two VIPs - SSL and clear - advice
Pretty basic setup where the client connects with two connections - one ssl and one clear - and I want them to persist to the same node (obviously different ports). I am thinking that others must be doing this and there may be best practice vs wrong-way-bad-use-of-resources methods.
VIP:443 (ssl) --> POOL_S
VIP:80 (clear) ---> POOL_C
Client connects to VIP:443, SSL is not handled by BIGIP. After client authenticates a second connection to VIP:80 is established. Both connections need to persist to the same/original node of pool.
What is the best way to do this? Since I cannot see headers in the SSL connection - I think that rules out using UIE and using something easy/standard like the userid to persist on.
The client is a homegrown application and we can set a header variable "NodeConnectedTo" to the node : that the clear connection needs to use. The first SSL connection is a stateful, long-lived connection that by its nature doesn't need persistence - although if there is a way to set it I would like to (will give me more options in the future).
6 Replies
- Chuck_Adkins_13
Nimbostratus
Testing this now - pretty simple - may be on the right track -
    when HTTP_REQUEST {
        log local0. "starting rule"
        set LB_CL_NODE [HTTP::header "NodeAddress"]
        log local0. "node is $LB_CL_NODE"
        pool some_pool member $LB_CL_NODE
        log local0. "sending to $LB_CL_NODE"
    }
Is there a way to set persist so that inspection doesn't need to happen for each request?
- Deb_Allen_18
Historic F5 Account
If you can set a server-referencing cookie for the HTTP connection, as you mention, the simplest solution is probably not a rule, but LTM's built-in passive cookie persistence feature.
For a description of feature and the cookie your servers would need to set, search for "HTTP Cookie Passive method" in this doc:
http://tech.f5.com/home/bigip-next/manuals/bigip9_0/bigip9_0config/ConfigGuide9_0-10-1.htm
HTH
/deb
- Chuck_Adkins_13
Nimbostratus
Unfortunately my client is not cookie-aware
- Deb_Allen_18
Historic F5 Account
Ah, my apologies. I assumed when you said you could set a header you were referring to set-cookie.
So it seems that you're on the right track.
The pool member must include the port as well, though, so maybe something more like:
    pool some_pool member ${LB_CL_NODE}:80
- Chuck_Adkins_13
Nimbostratus
This is working:
    when HTTP_REQUEST {
        log local0. "starting rule"
        set LB_CL_NODE [HTTP::header "NodeAddress"]
        log local0. "node is $LB_CL_NODE"
        pool some_pool member $LB_CL_NODE
        log local0. "sending to $LB_CL_NODE"
    }
The NodeAddress header is actually "ip.add.re.ss:port". I am thinking I should be able to set persist so that this check isn't performed for every packet
- Chuck_Adkins_13
Nimbostratus
This is working ok ... however it forces me to use L7 loadbalancing ... is there any way to start in L7 and then pass off to L4? The L7 is KILLING my CPU ... nearly maxing out an 8400 w/10K connections and 700M.
Quick recap - using the iRule in the thread above ...
client connects ----> VIPA:A L4 to pool
server tells client what the node address is
client sends second connection ----> VIPA:B (sent to node using irule)
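
The NodeAddress header is supplied by the client, so the rule in this thread lets the client decide which member it is sent to. The following is an added example, not code from the thread or from F5: it honours the header only when the value exactly matches an allow-list entry and that member is up, and otherwise falls back to normal load balancing. The data group name allowed_nodes is hypothetical, and `class match` assumes a BIG-IP version that provides it (v10 or later).

```tcl
# Added example, not from the thread.
# From the thread: pool some_pool, header NodeAddress in "ip:port" form.
# Assumed: string data group allowed_nodes holding one "ip:port" per entry.
when HTTP_REQUEST {
    set requested [HTTP::header value "NodeAddress"]
    set routed 0

    # Exact match against the allow-list: anything not listed verbatim
    # (other hosts, other ports, trailing junk) is refused without parsing.
    if { $requested ne "" && [class match $requested equals allowed_nodes] } {
        # Safe to split now: the value is one of our own "ip:port" entries.
        set parts [split $requested ":"]
        set ip    [lindex $parts 0]
        set port  [lindex $parts 1]

        # Only pin the connection to a member that is currently up.
        if { [LB::status pool some_pool member $ip $port] eq "up" } {
            pool some_pool member $ip $port
            set routed 1
        }
    }

    if { !$routed } {
        # Missing, unlisted or down: log a truncated copy of the value
        # and let the pool make its own load-balancing decision.
        set shown [string range $requested 0 63]
        log local0.warning "NodeAddress '$shown' from [IP::client_addr] not honoured"
        pool some_pool
    }
}
```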
