tottenc
May 21, 2010

Question on Select_pool_member_based_on_ HTTP_query_string_parameter iRule

I'm new to iRules as well as the F5s, and I've been trying to use the functionality from the Select_pool_member_based_on_ HTTP_query_string_parameter I found on DevCentral. I've changed it so that it uses the new 'members' method, which gets all of the members of the pool regardless of status, and that is working perfectly. The problem I've run into, however, is that I have this set up on 2 virtual servers, one of which is for http and one is for https. The https virtual server is doing SSL offload, so the pool that's associated with it is the same as what's set up in the http virtual server. When I browse to the site I can select the member that I want with the parameter, and the cookie persistence works correctly. However, during the course of the website there is a transition from http to https, and this seems to cause the browser to detect that there is a redirection problem, and I get a browser error. If I remove the iRule from the https virtual server, when I hit the transition I get load-balanced as normal. I've verified this by disabling the second server in the pool and specifying it as the member I want to hit, but when I get to the https part of the site, I can see that I've been sent back to the first server in the pool, which is the active member. Anyone have any ideas on how I can maintain the persistence correctly from http to https?

 

5 Replies

  • Hi,

    Can you enable debug on the iRule and post the anonymized log output from /var/log/ltm when a failure occurs?

    Is the client switching from using an IP address to a hostname or vice versa? If so the client won't send the cookie when the HTTP host value changes.

    Aaron
  • Hey Aaron,

    The client is staying on hostname throughout the site so I don't think that would cause the problem.

    I enabled debugging and got the following:

    Page works fine (http):

        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Inserting cookie member=2
        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Successfully selected: 10.209.xx.xx 80
        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Parsed IP port: 10.209.xx.xx 80
        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Query contained the member parameter or member cookie was present. Parsed member cookie value: 2
        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Active members for pool F5-www (sorted): {10.209.xx.xx 80} {10.209.xx.xx 80}
        Mon May 24 12:13:22 CDT 2010 info local/tmm1 tmm1[27755] Rule member-select : 10.210.xx.xx:57385: Debug enabled on GET request for www.mytestURL.com/images/Base/button-standard-bg.gif

    Page failure (transition to https):

        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Inserting cookie member=2
        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Successfully selected: 10.209.xx.xx 80
        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Parsed IP port: 10.209.xx.xx 80
        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Query contained the member parameter or member cookie was present. Parsed member cookie value: 2
        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Active members for pool F5-www (sorted): {10.209.xx.xx 80} {10.209.xx.xx 80}
        Mon May 24 12:23:20 CDT 2010 info local/tmm tmm[27754] Rule member-select : 10.210.xx.xx:57601: Debug enabled on GET request for www.mytestURL.com/Contact.aspx

    This repeats several times for each page hit, and on the pages that work, the GET changes for each page item it is retrieving (images/css/js etc.). For the ones that fail, it repeats the www.mytestURL.com/Contact.aspx rather than getting any further.

    Curtis
  • Hi Curtis,

    Can you un-anonymize the pool member IP addresses? If they're internal networks, there shouldn't be a security concern with posting the actual IPs.

    Thanks, Aaron
  • So it looks like the member selection is succeeding in that the .65:80 member is selected for both requests. Is that what you're seeing?

    Is it possible that the application isn't handling the manually inserted parameter name/value? You could test this by removing it from the URI in HTTP_REQUEST before the request is sent to the pool member:

        # Use a workaround to parse the parameter value from the query string
        # described on http://devcentral.f5.com/wiki/default.aspx/iRules/uri__query
        set param_value [URI::query "?&[HTTP::query]" "&$member_param"]
        # Save a copy of the URI with the param and value removed
        set uri [string map [list "$member_param=$param_value" ""] [HTTP::uri]]
        # Replace && with & in the updated query string if && is present and set the URI to this
        HTTP::uri [string map "&& &" $uri]

    Aaron
  • I actually just found what was causing the problem. The SSL offload had been set up a while back, and was tested as working then. In the meantime, I was working on getting this iRule working, and someone had broken the SSL offload. I've been able to fix that, and it's working like a champ now! I'm not sure why when I removed the iRule it was working, but I can get through the transition without problems now, so that's all that matters. Thanks for the help!
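
Added example (not part of the thread and not F5's code): the `string map` removal in Aaron's reply leaves a stray `?` or `&` when the parameter is first, last or the only one in the query string, and it also matches inside longer parameter names. The plain-Tcl sketch below, runnable in `tclsh`, compares it with a split-and-rebuild version; the proc names and the sample URIs are constructed for illustration.

```tcl
# Added example: plain Tcl for tclsh, not an iRule. Proc names are hypothetical.

# The approach from the reply: delete "name=value" wherever it occurs,
# then collapse "&&" to "&".
proc strip_param_map {uri name value} {
    set uri [string map [list "$name=$value" ""] $uri]
    return [string map "&& &" $uri]
}

# Alternative: split the query into pairs and drop only exact name matches.
proc strip_param_split {uri name} {
    set qpos [string first "?" $uri]
    if {$qpos < 0} { return $uri }
    set path  [string range $uri 0 [expr {$qpos - 1}]]
    set query [string range $uri [expr {$qpos + 1}] end]
    set kept {}
    foreach pair [split $query "&"] {
        # Skip empty segments produced by "&&" or a leading/trailing "&".
        if {$pair eq ""} { continue }
        # Compare the whole parameter name, not a substring of the URI.
        if {[lindex [split $pair "="] 0] ne $name} { lappend kept $pair }
    }
    # No parameters left: return the bare path without a dangling "?".
    if {[llength $kept] == 0} { return $path }
    return "${path}?[join $kept &]"
}

# Constructed sample URIs; the selector parameter is "member" with value 2.
foreach uri {
    /Contact.aspx?member=2
    /Contact.aspx?id=7&member=2
    /Contact.aspx?member=2&id=7
    /Contact.aspx?id=7&member=2&x=1
    /Contact.aspx?teammember=2&id=7
} {
    puts "in:    $uri"
    puts "map:   [strip_param_map $uri member 2]"
    puts "split: [strip_param_split $uri member]\n"
}
```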