Forum Discussion

Julio_Navarro
Sep 12, 2018

Secure Cookie when the VIP is requested by IP (not URL)

Hello. I have a VIP config where the pool member is the one handling the cookie to the client. The pool member has a limitation: when the client accesses the VIP via IP (not URL), the cookie is served not secured. I created this iRule, one of whose side effects is an increase in CPU utilization.

when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    foreach aCookie $cookies {
        HTTP::cookie secure $aCookie enable
    }
}

  1. Is this the most efficient way?
  2. Is there a way to use a policy vs an iRule?

Thank you

J

  • Hi Navarro,

    You have the ability to manage your need through an HTTP profile.

    • So create a new HTTP profile
    • In the "Encrypt Cookies" field, type the cookie names for the system to encrypt.

    You can set several cookies if you want.

    It is a feature that is managed manually without an iRule, and in terms of optimization it's clear that it's more optimal.

    Let me know if it's clear for you.

    Regards

  • Currently this is setting the secure flag for all cookies and all requests. It's obviously doing the job but the scope is broad so it is using CPU.

    You should have a flag in the HTTP_REQUEST event that is set to true when accessing via IP address. A good way to match IP addresses is using the class, i.e., put the IP address in the class and match the class in the iRule.

    Something like this:

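    when HTTP_REQUEST {
        # Reset on every request so the flag is always defined in HTTP_RESPONSE
        # and does not carry over between requests on a keep-alive connection.
        set setSecure 0
        # host_dg is a data group holding the VIP's IP address(es).
        if { [class match -- [HTTP::host] equals host_dg] } {
            set setSecure 1
        }
    }
    when HTTP_RESPONSE {
        # Only touch cookies for requests that arrived by IP address.
        if { $setSecure } {
            foreach cookie [HTTP::cookie names] {
                HTTP::cookie secure $cookie enable
            }
        }
    }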
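
A client-side check for the behaviour discussed in this thread, as an added example that is not part of any post above: it takes captured (Host header, response headers) pairs and reports cookies that were served without the Secure attribute when the Host was an IP literal. The function names and the sample exchanges are constructed for illustration.

```python
import ipaddress

def host_is_ip(host_header):
    """True when the Host header is an IP literal (optionally with a port)."""
    host = host_header.strip()
    if host.startswith("["):               # bracketed IPv6, e.g. [2001:db8::1]:443
        host = host[1:host.find("]")]
    elif host.count(":") == 1:             # hostname or IPv4 followed by a port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cookies_missing_secure(response_headers):
    """Return names of cookies whose Set-Cookie line has no Secure attribute."""
    missing = []
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attributes follow the first ';'. Compare whole attribute names so a
        # cookie value containing the word "secure" is not mistaken for the flag.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(cookie_name)
    return missing

def audit(exchanges):
    """Map each IP-literal Host to the cookies it received without Secure."""
    findings = {}
    for host, headers in exchanges:
        if host_is_ip(host):
            missing = cookies_missing_secure(headers)
            if missing:
                findings[host] = missing
    return findings

# Constructed sample exchanges (documentation addresses, not from the thread).
SAMPLE = [
    ("192.0.2.10", [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
                    ("Set-Cookie", "pref=secure-mode; Path=/")]),
    ("192.0.2.10:8443", [("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly")]),
    ("app.example.com", [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")]),
    ("[2001:db8::1]:443", [("Set-Cookie", "tracker=1; path=/; secure")]),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```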