multiple ports
3 TopicsHow to maintain Cookie persistence across web application with multiple ports (i.e. 80, 8443)
We have an F5 LB. There are two back-end servers that sit behind it. SSL termination is at the LB. Mapping to the back-end servers is 443 to 80, 80 to 80, and 8443 to 8443. That is, on the back-end servers, we have ports 80 and 8443 open. The LB was first setup with source IP persistence. We just moved to Cookie persistence to alleviate some issues with IP addresses switching mid-session and the like. The cookie persistence is session cookie, meaning no expiry and the cookie should expire when the user closes the browser. The cookie is also encrypted with a passphrase to comply with security practices (not sure why F5 would set the cookie value to some obfuscated value that maps to the back-end server IP and port, since that is apparently not very difficult to un-obfuscate). In testing the web application behind the LB, everything seemed to be OK. Then, we got a report from users with a particular piece in the web application, which loads pages over multiple ports (i.e. 80, 8443). What I see happening is, whether the request first starts with 80 or 8443, the LB cookie value is being generated again when the page is requested from the other port. It doesn't happen 100% but it happens frequently. Then the application reports that the application session is invalid. My guess is even if the cookie value changes, if it happens to hit the same back-end server, there will be no issue. However, if the request happens to hit the other back-end server, the web application will see the request as a new application session and, thus, report that the application session is invalid. What I think what might fix it is maintaining the cookie persistence across the multiple ports we have configured (i.e. 80, 8443). The problem is I'm not quite sure how to do that. That's why I'm here, to ask people who are smarter than me and more experienced and may know some solutions that would work. I would prefer to keep using HTTP Cookie Insert method, although I understand cookie hash does have options similar to source ip persistence such as match across virtual servers and the like. I don't know how much that would help me here, if at all. Can I use an iRule? If so, what might that look like? Maybe an iRule that checks if there is an existing LB cookie and if the request is coming from 80 but going to 8443 or vice-versa, then insert the cookie into said request such that no new cookie is generated and the same cookie is shared across port 80 and port 8443. Sounds good in theory but I'm not even sure of the first place to start to even attempt it. I hope what I'm asking is clear. If it isn't, please feel free to ask me to clarify. I want to maintain the LB cookie across multiple ports. Example: User goes to testsite.com/index.html. LB generates a cookie with value 1234. User is sent to back-end server 1. User then goes to testsite.com:8443/index2.html. LB will generate a new cookie with a different value--let's say it's 5678--and it may send the user to back-end server 1 or 2. If it goes to 1, the web app should be OK. If the request goes to 2, the web app will complain because the web app session is on 1. I want testsite.com and testsite.com:8443 to both have the same exact cookie, which, in this example, would be 1234. Does that make sense? Any help would be appreciated. Thank you in advance.899Views0likes2CommentsHealth check on multiple ports
We have Galera mysql cluster which is running behind HAProxy load-balancer, we have migrating to haproxy to F5. Currently this is what i have in HAProxy Codebackend galera-back mode tcp balance leastconn timeout server 5000s stick store-request src stick-table type ip size 256k expire 30m option tcplog option httpchk HEAD / HTTP/1.0\r\nUser-agent:\ osa-haproxy-healthcheck server ostack-infra-02_galera_container-fa5d9e98 172.28.1.216:3306 check port 9200 inter 12000 rise 1 fall 1 server ostack-infra-03_galera_container-eaacd880 172.28.1.236:3306 check port 9200 inter 12000 rise 2 fall 2 backup server ostack-infra-01_galera_container-6c126d29 172.28.1.183:3306 check port 9200 inter 12000 rise 2 fall 2 backup 01, 02 & 03 node running in cluster and haproxy doing 3306 monitor along with 9200 monitor (9200 check if node is in SYNC or not) My requirement is how do i tell F5 monitor two port 3306 & 9200 and either one if fail take that node out from pool?516Views0likes1CommentMultiple port redirection with an iRule
I have 2 servers I need to be able to reddirect 1 virtual server to and am having trouble with the iRule. Here is my iRule when HTTP_REQUEST { if { [HTTP::uri] equals "/" } { HTTP::redirect "http://[HTTP::host]/subfolder/Default.html" } } My 2 nodes are on different ports on each server. The irule redirects like this. http://server.net/subfolder/Default.html:30005 I need it to send it to this. http://server.net:30005/subfolder/Default.html Thanks for any assistance in advance.465Views0likes4Comments