RupeshK_342180
Nov 27, 2017

Universal persistence for HTTPS

Hi,

 

We've a requirement where we want to do the load balancing from the server side itself. As of now, we suggest using "source address affinity", but the issue with this profile is that if one server goes down and comes back again, we see that all the client requests start going to only the one server which was up all the time, and load balancing does not happen.

 

After going through some of the docs, I'm considering using the "universal persistence" profile, but I could not find any example of how to read an HTTPS header in an iRule (except the HTTP example, https://support.f5.com/csp/article/K7392). I was thinking of adding "TO-XXX-ID" in the server response, and "TO-XXX-ID" will be used by the client header in future requests; based on the client header "TO-XXX-ID" value, the load balancer would forward the request to the correct server. Here XXX will be the serverID, which will be decided based on the load on the servers.

 

Please provide your suggestions.

 

Thanks, Rupesh

 

1 Reply

  • First, are you offloading SSL to the F5s? If not, you will not be able to read any of the HTTP requests/responses.

     

    If it needs to be HTTPS to the server, apply a Client and Server SSL profile to re-encrypt the traffic.

     

    Once done, I recommend you simply apply a standard Cookie Persistence profile.

     

    Your issue of all traffic sticking to a single pool member after a pool member has gone down and is now back up is a common one. Getting the timing of your persistence to match the application will minimise this, but you will most likely need to wait for connections to bleed from the one pool member, which should happen over time.

     

    If this is a huge issue, you might want to look at additional back-end servers or a manual step to clean down the connections, but this would disrupt many of the user sessions.

     

    Hope this helps.
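
The header-based universal persistence asked about in the question, as an added example that is not part of the thread or of F5's article. It assumes SSL is offloaded with a Client SSL profile as the reply describes (so the HTTP events fire on decrypted traffic), that a universal persistence profile references this iRule, and that "TO-XXX-ID" is the literal header name; the timeout and the accepted ID format are constructed values.

```tcl
# Added example, not from the thread. Assumptions: a Client SSL profile is on
# the virtual server, a universal persistence profile references this iRule,
# and "TO-XXX-ID" is the literal header name (placeholder from the question).

when RULE_INIT {
    # Constructed values: record lifetime in seconds and accepted ID format.
    set static::uie_timeout 1800
    set static::id_pattern {^[A-Za-z0-9_-]{1,64}$}
}

when HTTP_RESPONSE {
    # The server's response carries the ID; bind it to the member that answered.
    if { [HTTP::header exists "TO-XXX-ID"] } {
        set id [HTTP::header value "TO-XXX-ID"]
        if { [regexp $static::id_pattern $id] } {
            persist add uie $id $static::uie_timeout
        }
    }
}

when HTTP_REQUEST {
    # The client echoes the ID; look up the persistence record keyed on it.
    # The header is client-controlled, so malformed values are ignored and the
    # request falls through to normal load balancing.
    if { [HTTP::header exists "TO-XXX-ID"] } {
        set id [HTTP::header value "TO-XXX-ID"]
        if { [regexp $static::id_pattern $id] } {
            persist uie $id $static::uie_timeout
        }
    }
}
```

The record ties each ID to the pool member that sent the response, so a member that has just come back up only receives clients that present no ID or an ID with no live record.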