Forum Discussion

Guillaume_Rouss
Mar 31, 2021

Multiple method persistence

Hello.

I need to set up load-balancing for a visio application, which is quite complex, as I don't need just to ensure session persistence for a single user, but for multiple users participating in the same conference. According to my understanding of the reference documentation, I need to use a universal persistence profile (or eventually a hash persistence profile, as it only differs by hashing the lookup value), and write an iRule, such as:

when HTTP_REQUEST {
   # extract roomID from room parameter in query string
   set roomID [getfield [URI::query [HTTP::uri] room] "@" 1 ]
   if { $roomID != "" } {
       persist uie $roomID 3600
       log local0. "Using Jitsi room ID $roomID for persistence: [persist lookup uie $roomID]"
   }
}

Once a corresponding persistence profile is assigned to the virtual server, it works as expected.

However, I also have to ensure persistence for authentication requests, this time with more classical requirements, i.e. every authentication request for a given user must reach the same pool node.

I first considered the use of a fallback persistence profile (either cookie, ssl, or source address), so as to keep the iRule simple. However, the documentation discourages using fallback persistence for this purpose:

If Fallback persistence becomes the chosen persistence method, a Default persistence entry will not be created for the client connection until the Fallback persistence idle timeout period expires. Because of this, Fallback persistence may appear to override Default persistence and may not be a good choice. See Recommendations, following, for additional information.

So I added another clause in my iRule, still using the uie method, but with the client address as lookup key, hence reinventing simple persistence:

   if { [HTTP::path] starts_with "/Shibboleth.sso" } {
       persist uie [IP::client_addr] 3600
       log local0. "Using client IP address for persistence: [persist lookup uie [IP::client_addr]]"
   }

According to the documentation, I may be able to mix persistence methods in a single iRule (one of the examples given here mixes source_addr and cookie methods), but some of those methods (ssl, msrdp, cookie) also require a corresponding persistence profile assigned to the virtual server. Whereas I already use a universal persistence profile.

So basically, I'm a bit lost among multiple options, especially the relation between persistence profiles and persistence methods, and I have a few questions:

  • Is there any recommended practice for using multiple persistence methods in a single iRule?
  • If only ssl and cookie methods require a corresponding profile, what is the interest of using a universal persistence profile, instead of just assigning the persistence iRule to the virtual server?
  • If I'm assigning a cookie persistence profile and a persistence iRule using the uie method to the same virtual server, how will persistence work?

I hope I have been clear enough 🙂 Thanks for your interest.

3 Replies

  • You can write an iRule to set source address or cookie persistence for authentication requests and attach it to the VIP.

    # Option 1: source address persistence
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/shibboleth.sso*" {
                persist source_addr 255.255.255.255 3600
            }
            default {
                return
            }
        }
    }

    # Option 2: cookie persistence
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/shibboleth.sso*" {
                persist cookie insert "ssocookie" 3600
            }
            default {
                return
            }
        }
    }

  • Hello SanjayP, and thanks for your answer.

    I know I can write an iRule to use a single kind of persistence method, that is what I did already. My point is to use multiple kinds of persistence methods, according to URL, such as:

    • every request with XXX parameter should use universal persistence method, with the XXX parameter value as key
    • every request with YYY parameter should use universal persistence method, with the YYY parameter value as key
    • every request whose path starts with /Shibboleth.sso should use cookie persistence method
    • other requests don't really need persistence, but may also use cookie persistence if it helps implementation

    Apparently, the cookie-based persistence method requires a cookie persistence profile, and I have trouble figuring out the precedence of persistence profiles over persistence methods specified in iRules.

  • It appears the only option is to use either cookie for all, or source_addr for /shibboleth.sso* in an iRule attached to the VIP and universal for default at the VIP level.

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/shibboleth.sso*" {
                persist source_addr 255.255.255.255 3600
            }
            default {
                return
            }
        }
    }
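
The combination discussed in this thread, written as a single iRule: source_addr persistence for /Shibboleth.sso and uie persistence keyed on the room ID, with the universal persistence profile still assigned to the virtual server as in the original post. This is an added example, not code from any poster or from F5; the 128-character cap and the allowed character set for the room ID are assumptions to adapt to the application.

```tcl
when HTTP_REQUEST {
    # Authentication endpoints: pin each client address to one pool member,
    # as in the replies above.
    if { [string tolower [HTTP::path]] starts_with "/shibboleth.sso" } {
        persist source_addr 255.255.255.255 3600
        return
    }

    # Conference traffic: the room ID is the part of the "room" query
    # parameter before "@", as in the original post.
    set roomID [getfield [URI::query [HTTP::uri] room] "@" 1]
    if { $roomID eq "" } {
        # No room parameter: leave the decision to the virtual server's
        # persistence profile.
        return
    }

    # The parameter is client-supplied, so bound it before it becomes a
    # persistence-table key. Limits below are assumed values, not F5 defaults.
    if { [string length $roomID] > 128 || ![regexp {^[A-Za-z0-9._-]+$} $roomID] } {
        # Log the source, not the raw value, to keep log lines well-formed.
        log local0. "Ignoring malformed room parameter from [IP::client_addr]"
        persist none
        return
    }

    persist uie $roomID 3600
}
```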