Profile vs iRule, case sensitivity, persistence

Question

Super-simple question, as I'm pretty new to the F5's.  
&nbsp;  
&nbsp; We have a single sign on piece to our web site that requires the node that issued the SSO token to be the node that redeems the token. Normally this isn't a problem but one of our clients uses an intranet server to initiate the token request, then passes the token to the workstation requesting it, so it's two different systems that need to go to the same node. Luckfully, the SSO requests &amp; redemptions all go to a single 4-letter folder, let's call it /ABCD/. What I've read so far &amp; gleaned from class is you do Profiles first, then iRules. Less iRules the better. No Regex unless you absolutely have to.  
&nbsp;  
&nbsp; SO here's what I did: 
&nbsp;  
&nbsp; 1) Duplicated our main pool calling it the _SSO version of it, using priority activation (1, 2, 3, 4) and setting it to less than 1 member. That will keep all requests to one node unless that node becomes unavailable, then we switch to 2, 3, 4, etc. (tell me if I have this wrong) 
&nbsp; 2) Created a profile to catch the uri of /abcd/ and forward it to the _SSO pool. 
&nbsp;  
&nbsp; Thought I was so smart until I noticed it's case sensitive. It only works if the request is www.company.com/abcd/whatever.asmx - /ABCD/ isn't caught (because it doesn't match the /abcd/ I setup in the profile) 
&nbsp;  
&nbsp; So, I changed to an iRule, like the following: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;   if { [string tolower [HTTP::uri]] eq "/abcd/*" } {  
&nbsp;     pool Main_SSO 
&nbsp;   } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; Is this the right direction I should go? Does anyone have a better solution? I thought about adding 16 entries to the profile (abcd, Abcd, ABcd, etc) but that seemed silly.  
&nbsp;  
&nbsp; What can I do to keep persistence to that _SSO pool after the workstations redeem the sso token? 
&nbsp;  
&nbsp;

kellys_50017 · Answer

I worked on this awhile longer this weekend, as I also noticed that persistence wasn't being kept after the token was redeemed. So, I have two irules (should they be combined?) 
&nbsp;  
&nbsp; Here's the first: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;    if { [string tolower [HTTP::uri]] starts_with "/abcd" } { 
&nbsp;       persist cookie insert SSO 
&nbsp;       pool SSO_Pool 
&nbsp;    } 
&nbsp; } 
&nbsp;  
&nbsp; And the second to keep them going to the SSO pool after they login: 
&nbsp;  
&nbsp; when HTTP_REQUEST { 
&nbsp;     if { [HTTP::cookie exists "SSO"] } { 
&nbsp;       pool SSO_Pool 
&nbsp;    } 
&nbsp; } 
&nbsp;  
&nbsp;  
&nbsp; Any issues with this? My limited testing seems great so far.  
&nbsp;  
&nbsp;  &nbsp;

hooleylist · Answer

You could combine the two rules into one.  Using HTTP::path will be more efficient than using HTTP::uri (which is the path and the query string).

when HTTP_REQUEST { 
    if { [HTTP::cookie exists "SSO"] } { 
       pool SSO_Pool 
    } elseif {[string tolower [HTTP::path]] starts_with "/abcd" } { 
       persist cookie insert SSO 
       pool SSO_Pool 
    } 
 }

That said, I'm not sure I understand your scenario completely.  It sounds like you've had to use a single pool member at a time in order to get this to work.  Could you instead have all four members set to the same priority and persist based on the four letter string in the URI along with UIE persistence?  If you think this is possible, could you post a few anonymized examples of the requested URIs for two or three clients as they access the application?  
  
 Aaron

kellys_50017 · Answer

Thanks for the reply and the re-work of my iRules - I tried it in our test env and it works great. I plan on putting this into Prod later today. 
&nbsp;  
&nbsp; I'll explain a hair more - 99% of our traffic goes against a regular pool. 1% of our traffic comes in through this single sign on applet, and the node that issues the token has to be the node that redeems the token. The client using this the most doesn't have the same machine ask for &amp; redeem the tokens - one server asks for the token, then passes it to another workstation to redeem it. So I needed a way to funnel all this SSO traffic to a single node, yet try to have some sort of HA available if the node goes down. 
&nbsp;  
&nbsp; I duplicated the pool the website runs on (adding _SSO to the end of the name) and turned on priority activation, and gave each node a number.  
&nbsp; Is there a better way to accomplish this? 
&nbsp;  &nbsp;

hooleylist · Answer

Based on your description, I think the configuration you've built is fine. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Profile vs iRule, case sensitivity, persistence

4 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Deploy High-Availability and Latency-sensitive workloads with F5 Distributed Cloud

How OneConnect Profile works with Cookie Persistence

Mitigation of OWASP API Security Risk: Unrestricted Access to Sensitive Business Flows using F5 XC

SSL Profiles

Server Profile SNI