11501, SSL termination and URL direction to backend servers

mhilty
Level 1

Hi,

We're using an 11501 (7.20) to terminate SSL for 2 BEA weblogics servers running 4 instances of Peoplesoft Web apps and need to transparently "stick" clients to a specific backend server based on the request URI/URL. Using advanced balance ssl works fine, but there will be cases where we'll want to direct clients to a particular backend server based on URL instead of sticking them to a server based on srcip or SSL ID. In other words can we create a "poor man's" sticky mechanism using server-unique URLs that will keep sessions active when using several backend servers? The reason we want to do this is that we are trying to integrate Peoplesoft with the SCT Luminis portal to take advantage of a single signon protocol that relies on an intermediate webserver to instantiate the session and then pass session details (cookie, URL string) back to the client via an inline frame. All connections between the CSS and backend webservers are plain HTTP.

I know this sounds convoluted, but suspect someone in this forum can decipher what I'm asking.

thanks in advance,

Matthew Hilty

Network Administrator

The Art Institute of Chicago

3 Replies

Gilles Dufour
Cisco Employee

Matthew,

If I understand correctly, the CSS decrypts the SSL traffic and all you want to do is stick the client to a backend HTTP server based on URL info.

You can use the 'advanced-balance url' option to locate a specific string in the URL and determine the server based on this string.

For example, you could have http://x.x.x.x/server1/...

The string "server1" would be mapped to server 1.

If you also have a cookie, you could use some info present in the cookie.

If the cookie is JSESSIONID=xxxxxxxxxxxxserver1, you can extract server1 and map it to the corresponding server.

Obviously, you can only do this if the traffic is being decrypted.

Let me know if this is what you are looking for and if you need more information on one of these solutions.

Gilles.

Hi Gilles,

Thanks for the response. Your input at this point is invaluable.

The CSS does decrypt the traffic, and we either want to stick clients to backend services by cookies or URL. When I try advanced-balance cookies, though, I end up getting bounced from one server to the other and there's a session conflict because I have cookies/sessions from each server. The webapp logs me out, which makes sense for security reasons. The cookie does contain server-specific info (psweb-test-2-80-PORTAL-PSJSESSIONID for example when the cookie is generated by the psweb-test-2 host) but I thought that using SSL prevented cookies from being effective sticky triggers -- maybe I don't understand correctly. Are you suggesting using advanced-balance url with the cookie info or advanced-balance cookies with SSL decryption taking place on the CSS? I've attached a copy of the running config. Perhaps when you get a chance you could look at it and let me know what incorrect assumptions I've made.

I would say the easiest solution would be to use arrowpoint cookie since you do not seem to be able to make it work.

Arrowpoint cookie has the advantage of making it simple.

If you do not want this solution, as I mentioned in my previous post, you can use advanced-balance cookie if you can extract a constant value from the cookie or you could use advanced-balance url if you can extract a constant value from the url.

These solutions are possible because the CSS can decrypt the traffic.

That's one of the advantages of the SSL module.

If you want to use these solutions but run into trouble, send us the new config and a copy of the header request so we can see the cookie.

Regards,

Gilles.
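The string-to-server mapping discussed in this thread, modelled in Python as an added example; it is not part of any post, not CSS configuration and not Cisco code. The backend name psweb-test-1, both addresses, the URL-before-cookie order and the "conflict" outcome are assumptions made for illustration; only the cookie name shape comes from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed backend table: sticky string -> backend address (both assumed).
BACKENDS = {
    "psweb-test-1": "10.0.0.11:80",
    "psweb-test-2": "10.0.0.12:80",
}
# Cookie name shape quoted in the thread: <host>-<port>-PORTAL-PSJSESSIONID
COOKIE_NAME = re.compile(r"^(?P<host>.+)-\d+-PORTAL-PSJSESSIONID$")


def sticky_from_url(url):
    """Return the sticky string if the first path segment names a backend."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if segments and segments[0] in BACKENDS:
        return segments[0]
    return None


def sticky_from_cookies(cookie_header):
    """Return the set of backends named by session cookies in a Cookie header."""
    found = set()
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        m = COOKIE_NAME.match(name)
        if m and m.group("host") in BACKENDS:
            found.add(m.group("host"))
    return found


def choose_backend(url, cookie_header=""):
    """Pick a backend: URL string first, then cookie; report how it was chosen.

    The sticky string is client-controlled, so it is only ever looked up in the
    fixed BACKENDS table and never used to build an address.
    """
    key = sticky_from_url(url)
    if key:
        return BACKENDS[key], "url"
    named = sticky_from_cookies(cookie_header)
    if len(named) == 1:
        return BACKENDS[named.pop()], "cookie"
    if len(named) > 1:
        # Cookies from several servers: no single sticky target exists.
        return None, "conflict"
    return None, "balance"  # no sticky info; normal load balancing applies
```

A client that holds session cookies from both backends lands in the "conflict" branch, which is the situation described in the second post.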
