12-28-2012 04:20 PM
We have a server load balancing configuration where we want incoming site visitors to stick to the same physical server regardless of whether they entered on port 80 or port 443 (SSL terminated by ACE). For example, if an incoming site visitor arrives on Port 80 and sticks to Server 1, and that user then clicks on a secure port 443 link, we want them to stay on Server 1 on Port 443. In our current configuration, we can get them to stick to one server on Port 80 and Port 443 independently, but we have not been able to find a way to ensure visitors who are stuck on Server 1 on Port 80 will also be stuck to Server 1 if they switch to Port 443. Ideally, the sticky sessions would be based on our application session cookie, but we could also use source IP or cookie insert if it was required to meet our requirements.
Can the scenario described above be done on the ACE?
12-29-2012 11:03 AM
Hello Rick, let me understand more deeply. Do you want a single connection from the client to ACE ports 80 and 443? If the user calls the HTTP port, ACE redirects to HTTPS and sends to the same vserver running the application. If the client calls HTTPS, it goes to the same server above.
Is that OK? If yes, tell me and I will send you the script for that.
Cheers
Fabio Jorge Amorim
12-29-2012 12:37 PM
Hello Fabio. I will try and clarify. Our application has secure (port 443) and non-secure (port 80) pages. So what we want is for the client to be able to go back and forth between 443 and 80 connections and stick to the same server. The problem we have currently is that the sticky sessions on port 443 and port 80 are independent of each other, so it is possible that the client is stuck to Server 1 for 443 and Server 2 for 80, which causes their application session ID to be reset when they switch between 443 and 80. Does that make sense?
Thanks for your help.
Rick
12-29-2012 03:26 PM
Hello Rick, now it's clear to me. I understood your problem. I would like to encourage you to make some changes to your environment.
I have a similar design, but I work with an application shared between both servers.
I recommend you take a look at the design below; sorry about the English grammar mistakes. I've been studying hard to get English as a second language.
===========> Customized probe specific to the application <===========
---> I like to get information directly from the application; in this case a specific URL is deployed where I get the status <---
probe http HEALTH_CHECK_SITE_FARM01
  port 8080
  interval 30
  passdetect interval 60
  passdetect count 1
  request method get url /validate/index.html
  expect status 200 200
  expect regex "validatet:OK"
!
===========> Rserver hosts <===========
rserver host SRV01
  ip address 10.10.10.10
  inservice
rserver host SRV02
  ip address 10.10.10.11
  inservice
===========> Create an http parameter <===========
parameter-map type http http_parameter_map
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192
===========> Create a farm with both servers <==========
serverfarm host FARM01
  probe HEALTH_CHECK_SITE_FARM01
  rserver SRV01 8080
    inservice
  rserver SRV02 8080
    inservice
==========> Create a sticky for both servers <===========
---> This timeout is for browser expire, for example if the user is idle for 2 minutes <---
sticky http-cookie FARM01 COOKIE_FARM01
  cookie insert browser-expire
  timeout 120
  replicate sticky
  serverfarm FARM01
!
==========> SSL terminator to serverfarm <===========
ssl-proxy service SSL-FARM01
  key fabiojorgeamorim.com.br.key
  cert fabiojorgeamorim.com.br.cer
  chaingroup RSA-CA
!
==========> Policy to VIP <===========
---> I like to work with segregated policies; it's good in case of management etc. <---
class-map match-all VIP-FARM01-HTTP
  1 match virtual-address 10.10.20.10 tcp eq 80
!
class-map match-all VIP-FARM01-HTTPS
  1 match virtual-address 10.10.20.10 tcp eq 443
!
==========> Policy to sticky/serverfarm with x-forward header, http <===========
policy-map type loadbalance first-match policy_FARM01-HTTP
  class class-default
    sticky-serverfarm COOKIE_FARM01
    insert-http SSL header-value "OFF"
    insert-http x-forward header-value "%is"
!
==========> Policy to sticky/serverfarm with x-forward header, https <===========
policy-map type loadbalance first-match policy_FARM01-HTTPS
  class class-default
    sticky-serverfarm COOKIE_FARM01
    insert-http x-forward header-value "%is"
    insert-http SSL header-value "ON"
!
==========> Here you can apply policy configuration and enable the application access <===========
policy-map multi-match PM_CTX01
  class VIP-FARM01-HTTP
    loadbalance vip inservice
    loadbalance policy policy_FARM01-HTTP
    loadbalance vip icmp-reply
    appl-parameter http advanced-options http_parameter_map
  !
  class VIP-FARM01-HTTPS
    loadbalance vip inservice
    loadbalance policy policy_FARM01-HTTPS
    loadbalance vip icmp-reply
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server SSL-FARM01
With this scenario you will be able to permit both connections, "http and https", to both servers with a single STICKY.
If you go ahead, let me know; it's a pleasure to share some technical experiences.
ACE example and topology
http://www.4shared.com/folder/pGkMpHxk/ACE_Example.html
I hope this helps you; let me know if you have further questions.
Regards
Fabio Jorge Amorim
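Added example (not part of the post above, and not Cisco tooling): a small Python check that reads the class-map and policy-map lines of an ACE configuration laid out like the one above and reports any VIP address whose ports, such as 80 and 443, do not resolve to a common sticky group. The sample configuration is constructed from the post, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the sticky-relevant lines of the configuration posted above.
SAMPLE = """\
class-map match-all VIP-FARM01-HTTP
  1 match virtual-address 10.10.20.10 tcp eq 80
class-map match-all VIP-FARM01-HTTPS
  1 match virtual-address 10.10.20.10 tcp eq 443
policy-map type loadbalance first-match policy_FARM01-HTTP
  class class-default
    sticky-serverfarm COOKIE_FARM01
policy-map type loadbalance first-match policy_FARM01-HTTPS
  class class-default
    sticky-serverfarm COOKIE_FARM01
policy-map multi-match PM_CTX01
  class VIP-FARM01-HTTP
    loadbalance policy policy_FARM01-HTTP
  class VIP-FARM01-HTTPS
    loadbalance policy policy_FARM01-HTTPS
"""

def sticky_groups_by_vip(config):
    """Return {vip_address: {port: set of sticky groups reached on that port}}."""
    vips, groups, lb_policy = {}, defaultdict(set), {}
    kind = name = cls = None          # current top-level block and current class
    for line in config.splitlines():
        words = line.split() or [""]  # blank lines become a harmless placeholder
        if words[0] == "class-map":
            kind, name = "cmap", words[-1]
        elif words[0] == "policy-map":  # kind is "loadbalance" or "multi-match"
            kind, name = (words[2] if words[1] == "type" else words[1]), words[-1]
        elif words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif kind == "cmap" and words[1:3] == ["match", "virtual-address"] and words[-1].isdigit():
            vips[name] = (words[3], int(words[-1]))   # "<n> match ... <addr> tcp eq <port>"
        elif kind == "loadbalance" and words[0] == "sticky-serverfarm":
            groups[name].add(words[1])
        elif kind == "multi-match" and words[:2] == ["loadbalance", "policy"]:
            lb_policy[cls] = words[2]
    out = defaultdict(dict)
    for cmap, (addr, port) in vips.items():
        out[addr][port] = groups.get(lb_policy.get(cmap), set())
    return dict(out)

def split_sticky_vips(config):
    """VIP addresses served on several ports that share no sticky group."""
    return [addr for addr, ports in sticky_groups_by_vip(config).items()
            if len(ports) > 1 and not set.intersection(*ports.values())]
```

A port whose load-balance policy has no `sticky-serverfarm` line yields an empty set, so its VIP is reported as well.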
12-30-2012 12:24 AM
Thanks very much for the detailed example, Fabio. We will test this approach and let you know the results.
Rick