ACE sticky routing where port 80 and port 443 stick on the same server

rhaggart
Level 1

We have a server load balancing configuration where we want incoming site visitors to stick to the same physical server regardless of whether they entered on port 80 or port 443 (SSL terminated by ACE).  For example, if an incoming site visitor arrives on Port 80 and sticks to Server 1, and that user then clicks on a secure port 443 link, we want them to stay on Server 1 on Port 443.  In our current configuration, we can get them to stick to one server on Port 80 and Port 443 independently, but we have not been able to find a way to ensure visitors who are stuck on Server 1 on Port 80 will also be stuck to Server 1 if they switch to Port 443.  Ideally, the sticky sessions would be based on our application session cookie, but we could also use source IP or cookie insert if it was required to meet our requirements.

Can the scenario described above be done on the ACE?

4 Replies 4

Fabio Jorge
Level 1

Hello Rick, let me understand more deeply. Do you want a single connection from the client to ACE on ports 80 and 443? If the user calls the HTTP port, ACE redirects to HTTPS and sends to the same vserver running the application. If the client calls HTTPS, it goes to the same server as above.

Is that OK? If yes, tell me and I will send you the script for that.

Cheers

Fabio Jorge Amorim

Hello Fabio.  I will try and clarify. Our application has secure (port 443) and non-secure (port 80) pages.  So what we want is for the client to be able to connect and go back and forth between 443 and 80 connections and stick to the same server. The problem we have currently is that the sticky sessions on port 443 and port 80 are independent of each other, so it is possible that the client is stuck to Server 1 for 443 and Server 2 for 80, which causes their application session ID to be reset when they switch between 443 and 80. Does that make sense?

Thanks for your help.

Rick

Hello Rick, now it's clear to me. I understand your problem. I would like to encourage you to make some changes in your environment.

I have a similar design, but I work with the application shared between both servers.

I recommend you take a look at the design below. Sorry about the English grammar mistakes; I've been studying hard to learn English as a second language.

===========> Customized probe specific to application  <===========

---> I like to get information directly from the application; in this case a specific URL is deployed where I get the status <---

probe http HEALTH_CHECK_SITE_FARM01

  port 8080

  interval 30

  passdetect interval 60

  passdetect count 1

  request method get url /validate/index.html

  expect status 200 200

  expect regex "validatet:OK"

!

===========> Rserver hosts  <===========

rserver host SRV01

  ip address 10.10.10.10

  inservice

rserver host SRV02

  ip address 10.10.10.11

  inservice

===========> Create a http parameter  <===========

parameter-map type http http_parameter_map

  case-insensitive

  persistence-rebalance

  set header-maxparse-length 8192

===========> Create a farm with both servers <==========

serverfarm host FARM01

  probe HEALTH_CHECK_SITE_FARM01

  rserver SRV01 8080

    inservice

  rserver SRV02 8080

    inservice

==========> Create a sticky to both servers <===========

---> This timeout is for browser expiry, for example if the user is idle for 2 minutes <---

sticky http-cookie FARM01 COOKIE_FARM01

  cookie insert browser-expire

  timeout 120

  replicate sticky

  serverfarm FARM01

!

==========> SSL terminator to serverfarm <===========

ssl-proxy service SSL-FARM01

  key fabiojorgeamorim.com.br.key

  cert fabiojorgeamorim.com.br.cer

  chaingroup RSA-CA

!

==========> Policy to VIP <===========

---> I like to work with segregated policies; it's good for management, etc. <---

class-map match-all VIP-FARM01-HTTP

  1 match virtual-address 10.10.20.10 tcp eq 80

!

class-map match-all VIP-FARM01-HTTPS

  1 match virtual-address 10.10.20.10 tcp eq 443

!

==========> Policy to sticky/serverfarm with x-forward header http <===========

policy-map type loadbalance first-match policy_FARM01-HTTP

  class class-default

    sticky-serverfarm COOKIE_FARM01

    insert-http SSL header-value "OFF"

    insert-http x-forward header-value "%is"

!

==========> Policy to sticky/serverfarm with x-forward header https <===========

policy-map type loadbalance first-match policy_FARM01-HTTPS

  class class-default

    sticky-serverfarm COOKIE_FARM01

    insert-http x-forward header-value "%is"

    insert-http SSL header-value "ON"

!

==========> Here you can apply policy configuration and enable the application access <===========

policy-map multi-match PM_CTX01

  class VIP-FARM01-HTTP

    loadbalance vip inservice

    loadbalance policy policy_FARM01-HTTP

    loadbalance vip icmp-reply

    appl-parameter http advanced-options http_parameter_map

  class VIP-FARM01-HTTPS

    loadbalance vip inservice

    loadbalance policy policy_FARM01-HTTPS

    loadbalance vip icmp-reply

    appl-parameter http advanced-options http_parameter_map

    ssl-proxy server SSL-FARM01

With this scenario you will be able to permit both connections, "http and https", to both servers with a single STICKY.

If you go ahead, let me know; it's a pleasure to share some technical experience.

ACE example and topology

http://www.4shared.com/folder/pGkMpHxk/ACE_Example.html

I hope this helps you; let me know if you have further questions.

Regards

Fabio Jorge Amorim
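
The property the configuration above relies on is that the port 80 and port 443 VIP classes both resolve to the same sticky group (COOKIE_FARM01). The following is an added example, not part of the original post and not a Cisco tool: a small Python check that walks an ACE config excerpt and reports any VIP whose ports land on different sticky groups. The sample text is constructed from the config above, and the second group name COOKIE_FARM01_SSL is hypothetical; the parser assumes numeric ports and one sticky-serverfarm per loadbalance policy.

```python
import re

# Constructed sample: the VIP and policy sections of the configuration above.
TEMPLATE = """\
class-map match-all VIP-FARM01-HTTP
  1 match virtual-address 10.10.20.10 tcp eq 80
class-map match-all VIP-FARM01-HTTPS
  1 match virtual-address 10.10.20.10 tcp eq 443
policy-map type loadbalance first-match policy_FARM01-HTTP
  class class-default
    sticky-serverfarm COOKIE_FARM01
policy-map type loadbalance first-match policy_FARM01-HTTPS
  class class-default
    sticky-serverfarm {https_group}
policy-map multi-match PM_CTX01
  class VIP-FARM01-HTTP
    loadbalance policy policy_FARM01-HTTP
  class VIP-FARM01-HTTPS
    loadbalance policy policy_FARM01-HTTPS
"""
SHARED = TEMPLATE.format(https_group="COOKIE_FARM01")     # as posted above
SPLIT = TEMPLATE.format(https_group="COOKIE_FARM01_SSL")  # hypothetical second group

def sticky_groups_by_vip(config):
    """Return {vip_ip: {port: sticky_group}} for an ACE config excerpt."""
    vip_of_class, group_of_policy, policy_of_class = {}, {}, {}
    name = cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].strip():  # unindented line opens a new class-map/policy-map
            name = line.split()[-1]
        elif m := re.search(r"virtual-address (\S+) tcp eq (\d+)", line):
            vip_of_class[name] = (m.group(1), int(m.group(2)))
        elif line.startswith("sticky-serverfarm "):   # in a loadbalance policy
            group_of_policy[name] = line.split()[1]
        elif line.startswith("class "):               # class inside a policy-map
            cur = line.split()[1]
        elif line.startswith("loadbalance policy "):  # in the multi-match policy
            policy_of_class[cur] = line.split()[2]
    result = {}
    for cls, (ip, port) in vip_of_class.items():
        if cls in policy_of_class:
            result.setdefault(ip, {})[port] = group_of_policy.get(policy_of_class[cls])
    return result

def split_sticky_vips(config):
    """VIPs whose ports do not all map to one defined sticky group."""
    vips = sticky_groups_by_vip(config)
    return sorted(ip for ip, p in vips.items()
                  if len(set(p.values())) > 1 or None in p.values())
```

`split_sticky_vips(SHARED)` is empty, while `split_sticky_vips(SPLIT)` flags 10.10.20.10, which is the independent-stickiness situation described in the original question.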

Thanks very much for the detailed example Fabio.  We will test this approach and let you know the results.

Rick
