topic Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca in Application Networking

11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache

support — Thu, 30 Jun 2005 12:46:59 GMT

I am using a 11503 to balance 200 schools traffic to 5 caches. Some of the schools have firewalls so the CSS sees their PCs as coming from a single IP. If I set the rule to balance sticky then the load is not spread evenly to the 5 proxies causing them to get overloaded from time to time.

If I balance the load non-sticky (say leastconn) then users have trouble accessing certain SSL sites.

Does anyone know a good solution for this?

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

jfoerster — Fri, 01 Jul 2005 04:26:39 GMT

HI,

from my point of view I would run a try with the following scenario:

1) rule for https with advanced-balance ssl and probably application ssl. In terms of stickiness you have to check if this is needed or not.I've some trouble with such a rule but sofar it is not clarified if the trouble is caused by the servers or by the CSS.

2) rule for http traffic with balance domain(hash) or url(hash)

3) if applicable the same for ftp depending if your proxies support ftp caching.

Hope that helps.

Regards,

Joerg

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

support — Mon, 04 Jul 2005 09:02:31 GMT

Hi Joerg,

Thanks for your reply. How would you code your solution? Currently I am using the following to work around particular sites:

service Proxy1

ip address 10.0.0.11

type proxy-cache

active

service Proxy2 ... etc

**************************** DQL ****************************

dql domains-no-balance

domain www.dontbalancethissite.com

domain ... etc

!*************************** OWNER ***************************

owner admin

content Proxy-servers

add service Proxy1

add service Proxy2

add service Proxy3

add service Proxy4

add service Proxy5

protocol tcp

port 3128

vip address 10.0.0.100

sticky-inact-timeout 5

balance leastconn

active

content no-load-balance

vip address 10.0.0.100

advanced-balance sticky-srcip

balance leastconn

add service Proxy1

add service Proxy2

add service Proxy3

add service Proxy4

add service Proxy5

protocol tcp

port 3128

url "/*" dql domains-no-balance

sticky-inact-timeout 5

Regards,

Ben

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

Gilles Dufour — Tue, 05 Jul 2005 15:21:43 GMT

if you're talking about HTTP traffic, the best solution is arrowpoint-cookie with persistence disabled and persistence reset remap so the CSS can reconnect to a new server transparently.

The config should look like this

persistence reset remap

content Proxy-servers

add service ...

vip address x.x.x.x

proto tcp

port xxx

no persistent

advanced-balance arrowpoint-cookie

I believe that for SSL traffic, your clients will use the same proxy port and the command "CONNECT HTTPS://..." and hopefully this solution should work as well [not sure so - I have a doubt and a test would be necessary to confirm this - will do it next week when I get back from vacation 🙂 ]

Regards,

Gilles.

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

support — Tue, 05 Jul 2005 18:23:48 GMT

I havent managed to test all SSL websites but the one I am having trouble with is

http://www.emasys.dfes.gov.uk/ this will not work if there are any active rules with advanced-balance in. I am not sure why this is - that website also seems to instantly redirect to https. Any thoughts?

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

Gilles Dufour — Wed, 06 Jul 2005 16:07:25 GMT

you'll need to sniff in front of cache and on the client at the same time then compare the result to see what's going on.

If the cache is receiving all the request sent by the client, then you need to focus on the cache.

If the cache is not receiving the request, we need to focus on the CSS.

Anyway, the sniffer trace is required.

Regards,

Gilles.

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

support — Thu, 07 Jul 2005 13:24:01 GMT

Hi Giles,

I have resorted to using sticky-scrip and just one content rule as all web sites work with this configuration. However, this has the unwanted side effect of evenly balancing the traffic. Is there any way to smooth the balancing but still use sticky-scrip?

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

Gilles Dufour — Thu, 07 Jul 2005 13:40:27 GMT

NO !!!

Follow our suggestions and sniff the traffic to get a clear understanding of the problem.

With proxy, the only good solution is cookies.

Gilles.

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

support — Fri, 08 Jul 2005 11:16:07 GMT

Setting up sniffing on this traffic is not that simple and schools need a working solution so I have to do something to get it to work 🙂 I would be interested to hear what you have against sticky-scrip and why you think the cookie is the way forward?

Re: 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-ca

Gilles Dufour — Fri, 08 Jul 2005 13:55:47 GMT

sticky-srcip is ok but then you get unequal loadbalancing because of proxies [multiple user behind a single ip address].

Sticky based on cookie will assign a cookie to each user whatever their ip address. So much better for HTTP.

Regards,

Gilles.