Forum Discussion

Claes_16473
Nov 24, 2011

How can I evenly persist traffic from only 2 clients (Apache) against 2 application servers based on source IP address?

Hello,

I'm new to iRules and need some help.

We need to load balance some web applications through the BIG-IP in the following manner:

In step 1 the first VIP load balances the SSL traffic (passthrough in the BIG-IP) against two Apache servers. This traffic will be more or less evenly distributed against the two pool members because of the diversity in source addresses from the clients.

Persistence can be accomplished by a normal persistence profile based on source address affinity, connected to the virtual server. If there are no other requirements for persistence, we will keep a persistence timeout equal to the SSL session idle timeout.

The Apache servers will decrypt the traffic and authenticate the users with help of the client certificates and a special security product.

The traffic will then be re-encrypted and sent to the second BIG-IP VIP (SSL passthrough again) with the purpose of load balancing against the 2 application servers for the moment.

But now we will only have the two Apache servers' source IP addresses as clients, and a big risk that the whole traffic for longer times will be directed against the same pool member. Also here we want the same persistence timeout as in step 1.

How can I accomplish, with an iRule or otherwise, that the traffic in step 2 will be evenly distributed against the two application server nodes, i.e. that traffic from Apache 1 will always go to destination server 1 if the monitoring tells it's up and Apache server 2 traffic will go to destination server 2? There could be other reasons (application HTTP session timeout) to keep the client persistent to the same server for a longer time than the SSL session timeout value. If the first server is brought down for any reason then it will be necessary of course to send Apache 1 traffic against application server 2. But what would happen then when server 1 is available again and some "normal server 1 users" have persistence against server 2?

Please advise!

Kind Regards

Claes

2 Replies

  • Hi Claes,

    If it's encrypted traffic using client certs, I don't see much you could do for this other than setting the load balancing algorithm to least connections.

    Aaron
  • Hi Aaron,

    Thanks for your reply. Didn't see it though because I'm on a little longer sick leave. Couldn't help looking in today from home. I've looked around a little on this site and made an iRule similar to this. I've tested it on non-encrypted traffic and it worked well. Shouldn't it work as well for SSL passthrough, as the IP addresses are not encrypted? Please see questions below about persistence.

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.0.0.1] } {
            # Apache 1: pin to application server 1 unless its monitor says down
            if { [LB::status pool pool_x member 10.100.0.1 443] eq "down" } {
                pool pool_x
            } else {
                pool pool_x member 10.100.0.1 443
            }
        } elseif { [IP::addr [IP::client_addr] equals 10.0.0.2] } {
            # Apache 2: pin to application server 2 unless its monitor says down
            if { [LB::status pool pool_x member 10.100.0.2 443] eq "down" } {
                pool pool_x
            } else {
                pool pool_x member 10.100.0.2 443
            }
        } else {
            # Any other caller: let the pool's load balancing method decide
            pool pool_x
        }
    }

    Apache 1 is 10.0.0.1
    Apache 2 is 10.0.0.2

    Target server 1 is 10.100.0.1
    Target server 2 is 10.100.0.2

    Apache 1 will always go against server pool member 1 if it's up, otherwise "the pool" will choose pool member 2.

    Apache 2 will always go against server pool member 2 if it's up, otherwise "the pool" will choose pool member 1.

    If there is another, unknown caller of the VIP, then one of the servers will be chosen via the pool.

    What I didn't get time to test is persistence.

    Normally I shouldn't need persistence because the iRule itself persists one to one.

    But say that the application requires 10 minutes persistence for any reason and I'll configure it by "source address affinity".

    Will persistence be overridden by my own directing of the traffic via the pool command?

    The only situation in which I think configuring persistence could be good is:

    If server 1 goes down, the iRule will choose server 2 also for Apache 1. When server 1 comes back up again, if Apache 1 as a client has a persistence record against server 2, and if persistence overrides my iRule, then no application user will be interrupted. Server 1 will be chosen again for Apache 1 only after 10 minutes idle time.

    The drawback is that if the traffic flows evenly during rush hours, then the persistence time will never run out for a longer time and all traffic from both Apaches will be directed to server 2. So maybe the iRule works better without persistence or maybe with a couple of minutes persistence, but I'm still curious.

    Hope the text and iRule look OK because I couldn't cut and paste it from my notepad text source. Forgot to mention that I'm running LTM 9.4.8 HF3.

    Regards

    Claes
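To reason about the persistence question raised in the last reply (whether a source-address-affinity record keeps Apache 1 on server 2 after server 1 recovers, and why steady rush-hour traffic keeps that record from ever expiring), here is an added Python model; it is not part of the thread and not BIG-IP code. It assumes, as the reply hypothesizes, that an unexpired persistence record to an up member takes precedence over the iRule's member selection, and it models plain "pool pool_x" selection as picking the lowest-addressed up member.

```python
"""Model of the thread's iRule (fixed Apache -> application-server mapping with
health fallback) combined with a source-address-affinity persistence table.
Added illustration only; persistence-over-iRule precedence is an assumption."""
from dataclasses import dataclass, field

# Addresses from the thread: Apache 1/2 -> application server 1/2
PREFERRED = {"10.0.0.1": "10.100.0.1", "10.0.0.2": "10.100.0.2"}
MEMBERS = ("10.100.0.1", "10.100.0.2")


@dataclass
class Vip:
    timeout: int                                   # persistence idle timeout, seconds
    up: set = field(default_factory=lambda: set(MEMBERS))
    records: dict = field(default_factory=dict)    # client -> (member, last_seen)

    def irule_pick(self, client):
        """The iRule: preferred member if it is up, else 'pool pool_x'.
        Plain pool selection is modelled as the lowest-addressed up member."""
        preferred = PREFERRED.get(client)
        if preferred in self.up:
            return preferred
        return min(self.up) if self.up else None

    def select(self, client, now):
        """Persistence lookup first (assumed precedence), then the iRule."""
        rec = self.records.get(client)
        if rec and rec[0] in self.up and now - rec[1] < self.timeout:
            member = rec[0]
        else:
            member = self.irule_pick(client)
        if member is not None:
            self.records[client] = (member, now)   # every hit refreshes the idle timer
        return member


def failover_scenario(timeout=600, steady_traffic=True):
    """Server 1 down at t=0, back at t=60, Apache 1 keeps calling. Returns the
    member chosen during the outage, right after recovery, and at t=1200."""
    vip = Vip(timeout)
    vip.up.discard("10.100.0.1")
    during = vip.select("10.0.0.1", 0)            # falls back to server 2
    vip.up.add("10.100.0.1")
    after = vip.select("10.0.0.1", 60)            # record still valid: stays on 2
    if steady_traffic:                            # rush hour: a hit every 30 s
        for t in range(90, 1200, 30):
            vip.select("10.0.0.1", t)
    late = vip.select("10.0.0.1", 1200)
    return during, after, late
```

With steady traffic the record never idles out and Apache 1 stays on server 2 indefinitely; with a quiet period longer than the timeout the iRule's mapping takes over again.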