Forum Discussion

Jose_Santiago_O
Jan 07, 2009

Pool redirection based on cookie using SSL Termination.

Hi,

Is it possible to verify if a cookie exists using SSL Termination?

I have this rule:

 
 when HTTP_REQUEST { 
       if { [HTTP::cookie exists "MyCookie"] } { 
 pool mynewpool} 
 else { 
 pool myoldpool} 
 } 
 

But it's not working; maybe I am using the wrong event. When I test my page, it keeps loading forever until I disable the rule.

I have a Client SSL profile in my virtual server with no Server SSL profile; the idea is to redirect the users to a new pool of servers only if they have a cookie.

Is there a way I can do that?

Regards,

Jose Santiago Oyervides.

5 Replies

  • Hi All,

    I am new to iRules and need help with switching between SSL profiles. Here is a description of my scenario:

    1) I have a virtual server that listens on port 443.

    2) This virtual server has 2 web servers as pool members, both hosting different pages at different root contexts. What I mean is both pool members host https://mylabs.local.com and https://mylabs.local.com/new/order

    3) I have an SSL profile attached to the above-mentioned virtual server.

    My questions are:

    1) I want to use client authentication when the URI contains /new/order, but if the incoming request is https://mylabs.local.com then it should not ask for client authentication.

    2) Can I do this using an iRule, and if yes, can you outline it for me?

    3) Also, do I need to have 2 SSL profiles on the LB, one that is simple and the other that has a client auth certificate, as this will be called by the iRule?


  • Hi Jose,

    Your logic looks good, you might need to use a OneConnect profile on the virtual server that the rule is attached to (since the rule will be evaluated on every HTTP request and you want to ensure the client connects to the same server). You might also need a persist statement if persistence isn't set on the virtual.

    Puneet, you should probably start a new post for your topic rather than attaching an unrelated question on this one.

    Denny
  • Hi Denny,

    Thanks for your response. I added a OneConnect profile (with mask 255.255.255.255) and source address persistence, and my virtual server still isn't working until I remove the iRule.

    Any other ideas?

    Jose Oyervides.
  • Hmm...not sure where else to start other than adding some logging to see if you're even getting into the rule:

        when HTTP_REQUEST {
            if { [HTTP::cookie exists "MyCookie"] } {
                log local0. "Found cookie"
                pool mynewpool
            } else {
                log local0. "No cookie"
                pool myoldpool
            }
        }

    I moved the brackets around a bit too, I don't think it matters as long as it compiles in the GUI but ??

    Denny
  • Hi Denny,

    After adding logging to my rule, I realized I was doing something wrong in my rule. I was redirecting to the wrong pool; after fixing that, it now works fine.

    Thanks a lot for your help.

    Jose Santiago Oyervides.
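
Added example, not part of any post in this thread: the rule from the discussion with the logging approach Denny suggests, extended with the LB_SELECTED and LB_FAILED events so the log shows which pool and member each request actually reached. The cookie and pool names come from the thread; the log message wording and the `target` variable are assumptions.

```tcl
# Added example (not code from the thread's posters).
when HTTP_REQUEST {
    # The Client SSL profile has already decrypted the request, so the
    # Cookie header is readable in this event.
    if { [HTTP::cookie exists "MyCookie"] } {
        set target "mynewpool"
    } else {
        set target "myoldpool"
    }

    # A pool with no available members gives the request nowhere to go,
    # which the client sees as a page that never finishes loading.
    if { [active_members $target] < 1 } {
        log local0. "[IP::client_addr] [HTTP::uri]: $target has no active members"
    }

    log local0. "[IP::client_addr] [HTTP::uri] -> $target"
    pool $target
}

when LB_SELECTED {
    # Records the member that was picked. With no Server SSL profile on the
    # virtual server, BIG-IP speaks plain HTTP to the member, so the port
    # logged here should be an HTTP listener, not an HTTPS one.
    log local0. "selected [LB::server pool] [LB::server addr]:[LB::server port]"
}

when LB_FAILED {
    # Fires when no member could be selected or the selected one was unreachable.
    log local0. "load balancing failed for pool [LB::server pool]"
}
```

The entries appear in /var/log/ltm on the BIG-IP; comparing the pool and member logged for a request with and without the cookie shows whether each branch reaches the servers it was meant to.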