Hi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
- An ACE load balance user requests on two Apache servers
- cookie-insert is used to stick a user on one Apache server
- The home page is accessed via http on port 80
- On the Home page, there is a link to allowing the user to login
- The login process uses SSL
- During the login, backend SSL is required between the ACE and the selected Apache server
- The login is a POST request to the Apache server
- After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
- Two sticky groups are configured : one for HTTP acess and another for HTTPS access
- Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
- In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
- R105816849 for the server HQCHECOM01
- R105852786 for the server HQCHECOM02
- In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
- R355972695 for the server HQCHECOM01
- R357158616 for the server HQCHECOM02
- I statically configured in the each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let analyse the sequence of events and the value of the http cookie for each of them :
- When the the home page is originally loaded, the ACE selects SERVER-1
- The ACE inserts the cookie "A" in the server responses
- The user is sticked to SERVER-1
- Then, the user tries to login and an SSL session is established with the ACE
- The user sends a POST request containing the cookie "A"
- A backend SSL session is established with SERVER-1
- The POST request is forwarded to SERVER-1
- SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
- The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
- The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
- But instead, the ACE perform another load balancing decision and selects SERVER-2 !
- The page is reloaded, but the name of the user does not appear on it
LiveHTTP Trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
----------------------------------------------------------
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
----------------------------------------------------------
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
----------------------------------------------------------
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE...
