Forum Discussion

JohnTempleton_4
Nov 09, 2010

Persistence on HTTPS using iRules

Hi Guys,

I am very new to iRules so please be patient with me :-)

My scenario is:

- application load balanced between two datacenters
- application uses HTTPS
- mobile clients access the app online via mobiles & internet

I need to set up some sort of persistence, but here is my problem: the application cannot use SSL offload, we cannot use source based as the mobile clients use NAT addresses from the provider and change every couple of minutes, and we cannot use destination as we need to load balance across sites.

My thinking was along the lines of using an iRule to inject a unique identifier into the header but I'm not sure if this is possible and where to begin.

Can someone please advise?

Kind Regards,

JT

3 Replies

  • The problem that I see with that is that you are going to be passing traffic over SSL and not decrypting it. When you say the application cannot use SSL offload, well what about passing through the F5, decrypting your packets and then re-encrypting your packets with the same SSL certificate before passing it back on to the server over port 443? I just do not see how you can pull off persistence because you are really limited in the type of Events that you can call on because the traffic is encrypted.
  • Naladar's right on here. The only methods I see that work here would either require decryption or a consistent address/port combination.
  • JT: would it be possible to re-encrypt this traffic? That way you'll be able to meet all of your requirements. The basic idea is: Terminate SSL on the BigIP, do your L7 persistence (insert a cookie, etc.), then re-encrypt to the back end. The servers are none the wiser so I'd expect this will work fine for you.

    -Matt
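
One way to implement the terminate, persist, re-encrypt approach from the replies, as an added example that is not code from any poster. The cookie name `lb_persist` and the 1800-second timeout are hypothetical, and the rule assumes the virtual server carries an HTTP profile, a client SSL profile (decrypt), a server SSL profile (re-encrypt to port 443) and a universal persistence profile.

```tcl
# Added example. Hypothetical names: cookie "lb_persist", timeout 1800 s.
# HTTP events only fire because the client SSL profile decrypts the
# traffic; the server SSL profile re-encrypts it toward the pool member.
when HTTP_REQUEST {
    set need_cookie 1
    if { [HTTP::cookie exists "lb_persist"] } {
        set key [HTTP::cookie value "lb_persist"]
        # Accept only well-formed keys (32 lowercase hex characters) so
        # arbitrary client input never becomes a persistence record key.
        if { [regexp {^[0-9a-f]{32}$} $key] } {
            # Look up (or create) the universal persistence record.
            persist uie $key 1800
            set need_cookie 0
        }
    }
}

when HTTP_RESPONSE {
    if { $need_cookie } {
        # Opaque key: it identifies the record on the BIG-IP and does not
        # encode the pool member's address or port.
        set seed "[IP::client_addr][TCP::client_port][clock clicks][expr {rand()}]"
        binary scan [md5 $seed] H* key
        # Bind the key to the pool member that served this response.
        persist add uie $key 1800
        HTTP::cookie insert name "lb_persist" value $key path "/"
        # Client-side traffic is HTTPS, so mark the cookie Secure.
        HTTP::cookie secure "lb_persist" enable
        set need_cookie 0
    }
}
```

Because the key travels in the cookie rather than being derived from the source address, a client whose NAT address changes between requests still maps to the same persistence record.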