
Multiple method persistence

Guillaume_Rouss
Nimbostratus

Hello.

 

I need to set up load-balancing for a visio application, which is quite complex, as I don't need just to ensure session persistence for a single user, but for multiple users participating in the same conference. According to my understanding of the reference documentation, I need to use a universal persistence profile (or eventually a hash persistence profile, as it only differs by hashing the lookup value), and write an iRule, such as:

 

when HTTP_REQUEST {
    # extract roomID from room parameter in query string
    set roomID [getfield [URI::query [HTTP::uri] room] "@" 1 ]
    if { $roomID != "" } {
        persist uie $roomID 3600
        log local0. "Using Jitsi room ID $roomID for persistence: [persist lookup uie $roomID]"
    }
}

 

Once a corresponding persistence profile is assigned to the virtual server, it works as expected.

 

However, I also have to ensure persistence for authentication requests, this time with more classical requirements, i.e. every authentication request for a given user must reach the same pool node.

 

I first considered the use of a fallback persistence profile (either cookie, ssl, or source address), so as to keep the iRule simple. However, the documentation discourages using fallback persistence for this purpose:

If Fallback persistence becomes the chosen persistence method, a Default persistence entry will not be created for the client connection until the Fallback persistence idle timeout period expires. Because of this, Fallback persistence may appear to override Default persistence and may not be a good choice. See Recommendations, following, for additional information.

 

So I added another clause in my iRule, still using uie method, but with client address as lookup key, hence reinventing simple persistence:

    if { [HTTP::path] starts_with "/Shibboleth.sso" } {
        persist uie [IP::client_addr] 3600
        log local0. "Using client IP address for persistence: [persist lookup uie [IP::client_addr]]"
    }

 

According to the documentation, I may be able to mix persistence methods in a single iRule (one of the examples given here mixes source_addr and cookie methods), but some of those methods (ssl, msrdp, cookie) also require a corresponding persistence profile assigned to the virtual server, whereas I already use a universal persistence profile.

 

So basically, I'm a bit lost among multiple options, especially the relation between persistence profiles and persistence methods, and I have a few questions:

  • Is there any recommended practice for using multiple persistence methods in a single iRule?
  • If only ssl and cookie methods require a corresponding profile, what is the interest of using a universal persistence profile, instead of just assigning the persistence iRule to the virtual server?
  • If I'm assigning a cookie persistence profile and a persistence iRule using the uie method to the same virtual server, how will persistence work?

 

I hope I have been clear enough 🙂 Thanks for your interest.

3 REPLIES

SanjayP
MVP

You can write an iRule to set source address or cookie persistence for authentication requests and attach it to the VIP.

 

# Option 1: source address persistence for authentication requests
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/shibboleth.sso*" {
            persist source_addr 255.255.255.255 3600
        }
        default {
            return
        }
    }
}

# Option 2: cookie persistence for authentication requests
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/shibboleth.sso*" {
            persist cookie insert "ssocookie" 3600
        }
        default {
            return
        }
    }
}

 

Guillaume_Rouss
Nimbostratus

Hello SanjayP, and thanks for your answer.

 

I know I can write an iRule to use a single kind of persistence method; that is what I did already. My point is to use multiple kinds of persistence methods, according to the URL, such as:

  • every request with XXX parameter should use universal persistence method, with the XXX parameter value as key
  • every request with YYY parameter should use universal persistence method, with the YYY parameter value as key
  • every request whose path starts with /Shibboleth.sso should use cookie persistence method
  • other requests don't really need persistence, but may also use cookie persistence if it helps implementation

 

Apparently, the cookie-based persistence method requires a cookie persistence profile, and I have trouble figuring out the precedence of persistence profiles over persistence methods specified in iRules.

SanjayP
MVP

It appears the only option is to use either cookie for all, or source_addr for /shibboleth.sso* in an iRule attached to the VIP and universal for default at the VIP level.

 

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/shibboleth.sso*" {
            persist source_addr 255.255.255.255 3600
        }
        default {
            return
        }
    }
}
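
As an added example (not code posted by either participant), the split described in this thread can be written as one iRule: source address persistence for /Shibboleth.sso requests and universal persistence keyed on the room parameter. It assumes a universal persistence profile is assigned to the virtual server; the `room:` key prefix and the accepted character set for room IDs are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Authentication requests: keep each client address on one pool member.
    # The path is lowercased so /Shibboleth.sso and /shibboleth.sso both match.
    if { [string tolower [HTTP::path]] starts_with "/shibboleth.sso" } {
        persist source_addr 255.255.255.255 3600
        return
    }

    # Conference requests: use the part of the room parameter before "@",
    # so every participant in the same room reaches the same pool member.
    set roomID [getfield [URI::query [HTTP::uri] room] "@" 1]

    # The room value is supplied by the client. Only short identifiers made
    # of letters, digits, "_", "." and "-" are accepted as persistence keys
    # (assumed character set; adjust to the room names the application
    # issues), which keeps arbitrary long strings out of the persistence table.
    if { [regexp {^[A-Za-z0-9_.-]{1,64}$} $roomID] } {
        # Assumed "room:" prefix: keeps room keys distinct from any other
        # kind of universal persistence key added to this iRule later.
        persist uie "room:$roomID" 3600
        return
    }

    # Any other request: no persist command is issued by this iRule.
}
```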