I have configured a service with a VIP listening on 443. At the minute both servers at the backend are using self-signed certificates, but eventually SSL will be terminated on ACE.
My requirement is to configure sticky sessions using http-cookie. I have configured it, but ACE is not working as expected.
The user logs into the server, and while browsing they get kicked to the second server and are prompted with the login page again.
Is it because the ACE can't extract the cookie from encrypted text, or is it something else?
My config is very simple, please find it below.
serverfarm host SSDSD_SF
rserver SSDSD-AL2 443
conn-limit max 4000000 min 4000000
rserver SSDSD-AL3 443
sticky http-cookie JSESSIONID SSDSD_Sticky_SF2
class-map match-all SSDSD_443_WEB
2 match virtual-address 10.xx.xx.xx tcp eq https
policy-map type loadbalance first-match SSDSD_443_WEB-l7slb
loadbalance vip inservice
loadbalance policy SSDSD_443_WEB-l7slb
loadbalance vip icmp-reply active
You are correct. ACE has no way to look into the HTTP header since it is encrypted. For ACE to do HTTP-based stickiness, you should terminate SSL on ACE or, as a temporary workaround, use source-based sticky.
Hope this helps!
Thanks once again for your prompt reply. What will happen if I terminate the SSL on ACE and the backend servers are also listening on 443?
Will the ACE be able to decrypt the data and extract the cookie out of it, or will it go through the ACE and the real server will deal with it?
In that case you will need to do END-TO-END SSL, and ACE would be able to decrypt traffic and take a decision on the basis of information contained in the HTTP header. You can find more details regarding end-to-end SSL in the link below.
Please let me know if you have any questions.
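
A sketch of the end-to-end SSL layout described in this thread, added here as an illustration and not taken from any poster's configuration: the ACE decrypts on the VIP, reads JSESSIONID for stickiness, then re-encrypts to the real servers on 443. The proxy-service names, key/cert file names and the multi-match policy name are hypothetical placeholders; the other names are reused from the question.

```text
! Front end: ACE terminates client SSL (key/cert file names are placeholders)
ssl-proxy service SSDSD_SSL_FRONT
  key SSDSD-KEY.pem
  cert SSDSD-CERT.pem

! Back end: ACE initiates SSL to the real servers (assumed default parameters)
ssl-proxy service SSDSD_SSL_BACK

serverfarm host SSDSD_SF
  rserver SSDSD-AL2 443
    inservice
  rserver SSDSD-AL3 443
    inservice

! Cookie sticky group bound to the serverfarm
sticky http-cookie JSESSIONID SSDSD_Sticky_SF2
  serverfarm SSDSD_SF

class-map match-all SSDSD_443_WEB
  2 match virtual-address 10.xx.xx.xx tcp eq https

! L7 policy: stick on the cookie, re-encrypt towards the servers
policy-map type loadbalance first-match SSDSD_443_WEB-l7slb
  class class-default
    sticky-serverfarm SSDSD_Sticky_SF2
    ssl-proxy client SSDSD_SSL_BACK

! Multi-match policy (name is a placeholder): decrypt on the VIP
policy-map multi-match SSDSD_VIPS
  class SSDSD_443_WEB
    loadbalance vip inservice
    loadbalance policy SSDSD_443_WEB-l7slb
    loadbalance vip icmp-reply active
    ssl-proxy server SSDSD_SSL_FRONT
```

Without the `ssl-proxy server` line the ACE only sees ciphertext on the VIP and the cookie rule can never match, which is the behaviour reported in the question.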