Forum Discussion

Christopher_Hyl
May 05, 2011

True-IP persistence or source-IP if it doesn't exist.

This is a basic derivative of the iRule in the last post.

It's a long story of why we're doing this, but we're using a CDN that passes us the "true-client-ip" HTTP header. We want source persistence to our pool with this variable, but sometimes we get traffic that will not be from the CDN. We want source-ip based persistence to our back-end pool in these cases.

Will this do the trick? Is there a more efficient/better way?

    when HTTP_REQUEST {
       # Use the CDN-supplied header as the key, else fall back to the source address
       if {[HTTP::header exists "True-Client-IP"]}{
          set tcip_header [HTTP::header "True-Client-IP"]
       } else {
          set tcip_header [IP::remote_addr]
       }
       if {[active_members Onlinebrands_http_real_server]}{
          # Hash the key over the list of active members and pick one deterministically
          if {[scan [lindex [active_members -list app_http_pool] [expr {[md5 $tcip_header] % [active_members app_http_pool]}]] {%s %s} ip port] == 2}{
             pool app_http_pool member $ip $port
             return
          }
       }
    }

 

  • Hrm, playing around I've also tried this bit of code:

     when HTTP_REQUEST {
        set True_Client_IP [HTTP::header value "True-Client-IP:"]
        persist uie True_Client_IP
     }

    But it just sends all the requests to one server, even though the pool has round-robin enabled...
  • Can you try this?

    when HTTP_REQUEST {
       set True_Client_IP [HTTP::header value "True-Client-IP"]
       if {$True_Client_IP eq ""}{
          set True_Client_IP [IP::client_addr]
       }
       persist uie True_Client_IP 3600
       log local0. "[IP::client_addr]:[TCP::client_port]: True-Client-IP: [HTTP::header value True-Client-IP], persist record: [persist lookup uie $True_Client_IP]"
    }
    when SERVER_CONNECTED {
       log local0. "[IP::client_addr]:[TCP::client_port]: connected to: [IP::server_addr]:[TCP::server_port]"
    }

    Aaron
  • Hey Aaron,

    That iRule currently sends all traffic to one host with this log output:

    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.181.182:54134: True-Client-IP: 216.197.180.217, persist record: 
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.181.180:62709: True-Client-IP: 173.32.178.195, persist record: 
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.176:61379: True-Client-IP: 64.235.99.34, persist record: 
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.176:61379: connected to: 216.12.154.82:81
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.156.218:52343: True-Client-IP: 216.113.25.12, persist record: 
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.156.218:52343: connected to: 216.12.154.82:81
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.175:54151: True-Client-IP: 38.117.85.205, persist record: 
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.175:54151: connected to: 216.12.154.82:81
    May  9 11:40:11 tmm tmm[1715]: Rule persistenceiRule : 208.111.181.179:53170: True-Client-IP: 67.204.9.179, persist record: 
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 68.142.93.139:53802: True-Client-IP: 24.64.125.29, persist record: 
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 68.142.93.139:53802: connected to: 216.12.154.82:81
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 208.111.181.182:54134: True-Client-IP: 199.198.223.108, persist record: 
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.171:63427: True-Client-IP: 207.253.121.125, persist record: 
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 208.111.134.171:63427: connected to: 216.12.154.82:81
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 208.111.160.92:50739: True-Client-IP: 99.237.168.142, persist record: 
    May  9 11:40:12 tmm tmm[1715]: Rule persistenceiRule : 208.111.160.92:50739: connected to: 216.12.154.82:81 
  • Nice work figuring out that we were missing the $ on the variable name.

    Can you add a OneConnect profile to the virtual server? If you're using SNAT, you can use the default OneConnect profile with a /0 source mask. Else, create a custom OneConnect profile with a /32 source mask.

    Aaron
  • Aaron: Success!

    Thanks so much! We've gone back to our original source-ip fallback iRule and it's working as well. Thanks a ton!
  • Glad to hear that's working. See this article on why OneConnect is necessary for L7 persistence/load balancing:

    http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/oneconnect.html

    Aaron
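A corrected form of the header-or-source-IP fallback iRule from this thread, added here as an example (it is not code posted by the participants or shipped by F5). It assumes an address-type data group named cdn_networks (hypothetical) listing the CDN's egress ranges, so that True-Client-IP is only trusted when the request actually arrived through the CDN; any other client could otherwise set the header to an arbitrary value and pick its own persistence key.

```tcl
# Persist on True-Client-IP for requests that really came through the CDN,
# otherwise on the connection's source address.
# Assumes an address data group "cdn_networks" (hypothetical name) holding
# the CDN egress ranges.
when HTTP_REQUEST {
    set src [IP::client_addr]
    set key $src

    # Honour the header only from CDN addresses; from anyone else it is
    # untrusted client input and the source address is the safer key.
    if { [class match $src equals cdn_networks] } {
        set tcip [string trim [HTTP::header value "True-Client-IP"]]
        # Accept only a plausible IPv4 literal; the header is still client data.
        if { [regexp {^\d{1,3}(\.\d{1,3}){3}$} $tcip] } {
            set key $tcip
        }
    }

    # Note the $: "persist uie True_Client_IP" (no $) persists on the literal
    # string, so every request shares one record and lands on one member.
    persist uie $key 3600
}
```

Universal persistence is a per-request (L7) decision, so the virtual server still needs the OneConnect profile Aaron describes (a /0 source mask with SNAT, /32 otherwise); without it the member chosen for the first request on a reused client connection is kept for every later request on that connection.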