EdH_135054
Oct 15, 2013

SSL and sticky sessions (offload at app server)

We are, for better or worse, offloading SSL-based transactions at the application server. The F5 is responsible for port translation 443 to 9002 and needs to establish a sticky session. However, we are told that a sticky session is impossible given the traffic is encrypted. That is, F5 does not know how to associate the request to a persistent connection.

 

The fix provided by F5 tech is to perform an SSL Offload at the F5, re-encrypt and send to app server. In this way, they can establish a sticky session. The application uses JSESSIONID.

 

Question: is this the way to do this? Seems like there should be another way.

 

Newbi

 

5 Replies

  • If you're decrypting and re-encrypting, and this is HTTP traffic, the EASIEST and most stable mechanism is cookie persistence. The persistence cookie is inserted into the egress flow and returned on each request. To use the JSESSIONID, you must create an iRule that parses this value from the requests and/or responses and maintains a session table entry for the connection.

     

    If you cannot decrypt and re-encrypt the SSL, your persistence option becomes limited to source address.

     

  • SSL cookie persistence works for the case where SSL is not terminated. What's the F5 do exactly? What's 9002 for?
  • SSL cookie persistence isn't a thing. There's HTTP cookie persistence for decrypted/unencrypted HTTP traffic, and SSL sessionid for SSL traffic. I'd add that SSL sessionid is generally unreliable as it can change any time the browser or server initiates an SSL renegotiation.
  • Thanks folks. Will forward to our network admin.

     

    To answer an earlier question, port 9002 is the port hybris listens on for SSL traffic.
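
An added example, not part of the original thread or any poster's code: a sketch of the iRule the first reply describes, persisting on the JSESSIONID cookie with universal (UIE) persistence. It assumes the virtual server decrypts and re-encrypts (client-SSL and server-SSL profiles), has an HTTP profile and a universal persistence profile, and uses an assumed timeout of 3600 seconds.

```tcl
# Added example (assumed setup): attach to the 443 virtual server that has
# client-SSL, server-SSL, HTTP and universal persistence profiles.
# The 3600 s timeout is an assumed value; align it with the application's
# own session timeout so persistence records do not outlive sessions.
# JSESSIONID is a bearer credential, so this rule deliberately never logs it.

when HTTP_REQUEST {
    # Returning client: look up the persistence record keyed on the
    # session ID and send the request to the member that owns the session.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set jsess [HTTP::cookie value "JSESSIONID"]
        if { $jsess ne "" } {
            persist uie $jsess 3600
        }
    }
}

when HTTP_RESPONSE {
    # New session: the application server has just issued a JSESSIONID.
    # Record which pool member issued it so later requests follow it there.
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set jsess [HTTP::cookie value "JSESSIONID"]
        if { $jsess ne "" } {
            persist add uie $jsess 3600
        }
    }
}
```

Without decryption at the F5 neither event sees the cookie, which is why the same reply limits the non-decrypting case to source address persistence.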