Forum Discussion

Piyush_72418
Jan 06, 2010

persistence across two VIPs having 2 diff. pools and bypass SSL to node members

Hi,

I have 2 VIPs:

1. vip_abc_http having pool abc_http_pool

2. vip_abc_https having pool abc_https_pool

Now pool abc_http_pool has members like

192.168.1.101:80

192.168.1.102:80

192.168.1.103:80

and pool abc_https_pool has members like

192.168.1.101:443

192.168.1.102:443

192.168.1.103:443

I want to serve all the SSL cert / traffic from the node / members.

Please tell me what's a good way to achieve the following:

1. Bypass SSL certs (so that the F5 BigIP LTM - 3600 doesn't serve the SSL cert / traffic) and have the SSL cert / traffic served by my members in pool abc_https_pool (from apache httpd/tomcat)

2. How can I achieve persistence across the two VIPs vip_abc_http & vip_abc_https?

I have tried Cookie Insert persistence, but failed to get persistence to the SAME node member whenever my session lands from the http VIP to the https VIP.

2 Replies

  • I have tried applying the following iRule on the https VIP:

    when RULE_INIT {
    }

    when CLIENTSSL_HANDSHAKE {
        persist ssl
    }

    when HTTP_REQUEST {
        persist source_addr 86400
    }

    but persistence is still not working!
  • If you're not decrypting the SSL for the HTTPS VIP, you can't inspect or modify the HTTP content for that VIP. As only one VIP is using SSL, you couldn't use SSL session ID persistence for both VIPs.

    You could create a custom source address persistence profile with "match across services" enabled and add that to both VIPs. If the virtual servers are not defined on the same IP address, you would also need to add "match across virtuals".

    See SOL5837 for details:

    SOL5837: Match Across options for session persistence

    https://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837.html

    Aaron
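
The profile suggested in the last reply, written out as tmsh commands; this is an added example and not part of the original posts. The profile name `abc_src_persist` is an assumption, the 86400-second timeout is borrowed from the iRule in the first reply, and the syntax assumes a BIG-IP version that ships tmsh.

```tmsh
# Custom source-address persistence profile (name is hypothetical).
# match-across-services lets a persistence record created on one virtual
# server be reused by another virtual server on the SAME virtual IP but a
# different port, so a client sent to 192.168.1.102:80 is later sent to
# 192.168.1.102:443.
create ltm persistence source-addr abc_src_persist \
    defaults-from source_addr \
    timeout 86400 \
    match-across-services enabled

# Only needed when vip_abc_http and vip_abc_https are defined on
# different IP addresses:
# modify ltm persistence source-addr abc_src_persist match-across-virtuals enabled

# Attach the same profile to both virtual servers from the thread.
modify ltm virtual vip_abc_http  persist replace-all-with { abc_src_persist }
modify ltm virtual vip_abc_https persist replace-all-with { abc_src_persist }

# The HTTPS virtual server carries no client SSL profile here, so TLS is
# terminated by the Apache/Tomcat pool members and the BIG-IP only sees
# encrypted traffic; source address is the key available on both VIPs.

# Check the result: the profile settings, then the live records after a
# test client has hit both VIPs (the same node IP should appear for both).
list ltm persistence source-addr abc_src_persist
show ltm persistence persist-records
```

Source-address persistence treats all clients behind one NAT or proxy address as a single client, so watch the pool member distribution after enabling it.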