
List:       loadbalancing-l
Subject:    Re: [load balancing] Problems with using SSL Persistence with a website
From:       John Hall <j.hall () f5 ! com>
Date:       2003-01-15 19:47:40


You are right that encoding the session identifier in the URL would
require SSL decryption on the BIG-IP.  In fact, most persistence methods
such as a server-specific tag in the session identifier with a rule on
the BIG-IP or, in BIG-IP v4.5, Direct Node Selection (which allows you to
map a specific server to a tag in a header or segment of the URL using
classes) would require the SSL session to be terminated on the BIG-IP.
The only information that's accessible to you without decrypting the
session is the destination IP Address, Port, and the SSL Session ID.
If the SSL Session ID is not usable and you don't want to decrypt the
session, then you could, in addition to your main VS (virtual server)
for the site, create an additional VS (could be the same IP but a different
port) for each web server you are persisting to and when a particular
server is selected during the initial load balancing decision, have that
server return the <FRAMES> page containing links that direct the client to
the VS that maps directly back to that web server.  You then configure
a fallback redirect to the main web pool in the event that the web server
they are returning to has gone down.  The redirect would most likely
go to an error page and have the user restart the session, although
some applications may allow you to have a special server that can
recover a session based on a session ID in the encrypted part of the
connection.

I'm confident our Professional Services group would be able to help
you set up a working configuration.  This is not an unusual situation
for our customers.

JMH

-- 
John Hall
Core Test Manager
F5 Networks, Inc.

Vivek Jamwal wrote:
> 
> Hey, thanks John,
> 
> I am interested to find out more about the frames approach (encode
> a session identifier in the URL).
> Won't the BIGIP still look at the SSL session ID and redirect
> traffic, and if the inline frames are requesting a new SSL ID,
> bigip will still route them to different servers as the bigip will
> still look at session id?
> We are looking at a way to do this as our application is
> completely coded...
> I tried a simple setup using pure HTML, with frames, and in a
> webpage with 3 frames. When we requested the frames using IE
> the frames came from different webservers as each frame requested
> a new SSL session.
> 
> Can you please tell me how I can implement the URL encoding
> approach?
> Some more details and if possible some website where I can get
> more info, code samples...
> 
> Client is not ready to pay for the SSL accelerator card..:(
> 
> Thanks
> Vivek
____________________
The Load Balancing Mailing List
Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive:        http://vegan.net/lb/archive
LBDigest:       http://lbdigest.com
MRTG with SLB:  http://vegan.net/MRTG
Hosted by:	http://www.tokkisystems.com
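
Added example, not part of the original thread and not F5's implementation: a sketch of what a load balancer can read from an undecrypted SSL handshake, and why frames that each open a new SSL session land on different servers. The class, function and server names are hypothetical, and the hello records are constructed samples that stop after the session ID field.

```python
import itertools

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def hello_session_id(record: bytes):
    """Return (handshake_type, session_id) from a cleartext SSLv3/TLS hello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    # Handshake header: type(1) + length(3); hello: version(2) + random(32) + sid_len(1)
    if len(body) < 39 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    sid_len = body[38]
    if sid_len > 32 or len(body) < 39 + sid_len:
        raise ValueError("truncated or invalid session id")
    return body[0], body[39:39 + sid_len]

class SessionIdPersistence:
    """Hypothetical persistence table keyed on the SSL Session ID."""
    def __init__(self, servers):
        self._next = itertools.cycle(servers)   # plain round robin
        self._table = {}                        # session id -> server

    def on_client_hello(self, record):
        _, sid = hello_session_id(record)
        # An empty or unknown ID is a brand-new SSL session: load balance again.
        server = self._table.get(sid) if sid else None
        return server or next(self._next)

    def on_server_hello(self, record, server):
        _, sid = hello_session_id(record)
        if sid:                                 # remember which server issued this ID
            self._table[sid] = server

def build_hello(hs_type, session_id):
    """Constructed sample: a hello record cut off after the session ID field."""
    hello = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + len(hs).to_bytes(2, "big") + hs

def demo():
    lb = SessionIdPersistence(["web1", "web2", "web3"])
    sid = bytes(range(32))
    first = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))    # new session
    lb.on_server_hello(build_hello(SERVER_HELLO, sid), first)
    resumed = lb.on_client_hello(build_hello(CLIENT_HELLO, sid))  # resumes the session
    fresh = lb.on_client_hello(build_hello(CLIENT_HELLO, b""))    # e.g. another frame
    return first, resumed, fresh

if __name__ == "__main__":
    print(demo())
```

The resumed connection returns to the server that issued the ID, while the connection with an empty ID is balanced like a first visit.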