Application Delivery (ADX)

Cookie switching and HTTP header insertion together with SSL offload

Posted on 06-01-2009 07:39 AM

Summary

Insert an HTTP header into every request forwarded to the real servers that tells the application whether the client connection arrived over plain HTTP or over SSL, and combine it with cookie insertion/switching so that a client stays on the same backend server for both its HTTP and its SSL traffic.

 

Specifics

Many deployments expose several front-end ports, typically HTTP and SSL, and bind both to a single backend port, usually the HTTP port. Because SSL is terminated on the ADX, the real server sees plain HTTP in both cases and cannot tell by itself which protocol the client used. To give it that information, the ADX inserts a header into every request it forwards that states whether the connection was received on SSL or on HTTP.

This example uses a header named "Connection-IsSecure" with the values "YES" and "NO". The application can use it, for example, to mark session cookies Secure or to redirect a login from HTTP to HTTPS. The header is only trustworthy if the real servers accept traffic from the ADX alone; a client that can reach a real server directly could supply its own copy.

On top of the header insertion the example uses cookie persistence: the ADX inserts a "ServerID" cookie that identifies the chosen real server, and later requests carrying that cookie are switched to the same server. This gives persistence within the HTTP service and within the SSL service, and it also keeps a client that moves from HTTP to SSL on the same server, because both virtual ports use the same cookie and the same server-ids.
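The following Python snippet is an added example, not code from the article or from the ADX, showing how the application on the real server should consume the "Connection-IsSecure" header. It assumes the proxied connections reach the real servers from the ADX's own address (ADX_ADDRESSES is a placeholder for that address) and trusts the header only from that peer; if more than one copy of the header is present with conflicting values it fails closed.

```python
# Added example (not part of the article): how the real server's application
# should consume the "Connection-IsSecure" header the ADX inserts.
# Assumption: requests reach the real servers from the ADX's own address, so
# the header is trusted only when the TCP peer is one of ADX_ADDRESSES.
from typing import List, Tuple

Headers = List[Tuple[str, str]]   # ordered (name, value) pairs, duplicates allowed

ADX_ADDRESSES = {"20.1.1.10"}     # assumed source address of proxied connections


def request_is_secure(headers: Headers, peer_ip: str,
                      trusted_peers=ADX_ADDRESSES) -> bool:
    """True only if a trusted ADX states the client side of this request was SSL."""
    if peer_ip not in trusted_peers:
        return False                       # anyone else could have typed the header in
    values = [v.strip().upper() for n, v in headers
              if n.lower() == "connection-issecure"]
    if not values:
        return False                       # header missing: fail closed
    # If a client-supplied copy survives beside the ADX copy we cannot tell which
    # is which, so conflicting values are treated as "not secure".
    return all(v == "YES" for v in values)


def login_response(headers: Headers, peer_ip: str, path: str) -> Tuple[int, Headers]:
    """Login handler: refuse to issue a session over plain HTTP, and mark the
    session cookie Secure when it is issued over SSL."""
    if not request_is_secure(headers, peer_ip):
        # Redirect to HTTPS on the same host (falls back to the VIP address)
        host = next((v for n, v in headers if n.lower() == "host"), "20.1.1.10")
        return 302, [("Location", f"https://{host}{path}")]
    return 200, [("Set-Cookie", "SESSION=d3adb33f; Path=/; HttpOnly; Secure")]
```

The peer check matters more than the header parsing: the ADX inserts the header, but nothing in the policy removes a copy a client might send, so the backend must not act on it unless the request demonstrably came through the load balancer.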

 

Topology

[Figure: CSW_Header_ClientIP_Cookie.jpg]

Sample Script/Code/Configuration

ssl profile verisign128
keypair-file verisign128key
certificate-file verisign128cert
cipher-suite all-cipher-suites
session-cache off
!
csw-rule "cookie-persist" header "Cookie" search "ServerID="
!
csw-policy "policy-http"
match "cookie-persist" persist offset 0 length 4 group-or-server-id
match "cookie-persist" rewrite request-insert header "Connection-IsSecure: NO"
match "cookie-persist" rewrite request-insert client-ip
default forward 1
default rewrite insert-cookie "ServerID"
default rewrite request-insert header "Connection-IsSecure: NO"
default rewrite request-insert client-ip
!
csw-policy "policy-ssl"
match "cookie-persist" persist offset 0 length 4 group-or-server-id
match "cookie-persist" rewrite request-insert header "Connection-IsSecure: YES"
match "cookie-persist" rewrite request-insert client-ip
default forward 1
default rewrite insert-cookie "ServerID"
default rewrite request-insert header "Connection-IsSecure: YES"
default rewrite request-insert client-ip
!
server real rs18 20.1.1.18
port http
port http url "HEAD /"
port http server-id 1024
port http group-id  1 1
port 8080
port 8080 server-id 1024
port 8080 group-id  1 1
!
server real rs19 20.1.1.19
port http
port http url "HEAD /"
port http server-id 1025
port http group-id  1 1
port ssl
port 8080
port 8080 server-id 1025
port 8080 group-id  1 1
!
server virtual vip20 20.1.1.10
port http
port http csw-policy "policy-http"
port http csw
port ssl
no port ssl sticky
port ssl ssl-terminate verisign128
port ssl csw-policy "policy-ssl"
port ssl csw
bind http rs18 http rs19 http
bind ssl rs18 8080 real-port http rs19 8080 real-port http

ATTENTION: This requires SSL offload, so make sure the device is running ADX OS 12.1 or later. Note also that "cipher-suite all-cipher-suites" enables every cipher suite the platform supports, including weak ones; restrict the profile to a current, strong set before exposing it. The default path of each policy must insert the same "Connection-IsSecure" header as the persistence path, otherwise the first request of every client reaches the real server without it.
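As an added example that is not part of the original article, the following Python script simulates what the "policy-http" / "policy-ssl" pair above does to a client that arrives first over HTTP and then comes back over SSL: the cookie lookup with "persist offset 0 length 4", the default path with "insert-cookie", the header insertion, and per-rule hit counts like the ones "show csw-policy" prints. Round-robin selection for "default forward 1", falling back to the default path when the cookie names an unknown server-id, and "X-Forwarded-For" as the header written by "request-insert client-ip" are assumptions made for the example, not documented ADX behaviour.

```python
# Added example: a simulation of the "policy-http" / "policy-ssl" pair above.
# It is not ADX code; round-robin for "default forward 1", falling back to the
# default path on an unknown server-id, and the X-Forwarded-For header name for
# "request-insert client-ip" are assumptions.

COOKIE_NAME = "ServerID"
SEARCH = COOKIE_NAME + "="              # csw-rule "cookie-persist" ... search "ServerID="
PERSIST_OFFSET, PERSIST_LENGTH = 0, 4   # persist offset 0 length 4 group-or-server-id

# Constructed from the real-server config: server-id -> (real server, real port),
# per VIP port. Both VIP ports map the same ids to the same hosts.
SERVER_IDS = {
    "http": {1024: ("rs18", "http"), 1025: ("rs19", "http")},
    "ssl":  {1024: ("rs18", 8080),   1025: ("rs19", 8080)},
}
SECURE_VALUE = {"http": "NO", "ssl": "YES"}   # "Connection-IsSecure" value per policy


def persist_id(headers):
    """Emulate the csw-rule: locate "ServerID=" in a Cookie header and read
    PERSIST_LENGTH characters starting PERSIST_OFFSET after the match."""
    for name, value in headers:
        if name.lower() != "cookie":
            continue
        pos = value.find(SEARCH)
        if pos == -1:
            continue
        start = pos + len(SEARCH) + PERSIST_OFFSET
        sid = value[start:start + PERSIST_LENGTH]
        if len(sid) == PERSIST_LENGTH and sid.isdigit():
            return int(sid)
    return None


class Vip:
    """One VIP running both policies; keeps per-rule hit counts like show csw-policy."""

    def __init__(self):
        self.rr = {"http": 0, "ssl": 0}   # round-robin position per VIP port (assumption)
        self.hits = {p: {"cookie-persist": 0, "default": 0} for p in SERVER_IDS}

    def forward(self, vip_port, client_ip, headers):
        """Return (backend, headers_as_forwarded, set_cookie_or_None)."""
        table = SERVER_IDS[vip_port]
        sid = persist_id(headers)
        set_cookie = None
        if sid in table:
            # match "cookie-persist" persist ...: stick to the server named by the cookie
            self.hits[vip_port]["cookie-persist"] += 1
        else:
            # default forward 1: choose a server from group 1 (round-robin assumed);
            # default rewrite insert-cookie "ServerID": tag the response with its id
            ids = sorted(table)
            sid = ids[self.rr[vip_port] % len(ids)]
            self.rr[vip_port] += 1
            self.hits[vip_port]["default"] += 1
            set_cookie = f"{COOKIE_NAME}={sid}"
        forwarded = list(headers) + [
            ("Connection-IsSecure", SECURE_VALUE[vip_port]),  # rewrite request-insert header
            ("X-Forwarded-For", client_ip),                    # rewrite request-insert client-ip
        ]
        return table[sid], forwarded, set_cookie


def walk_through():
    """A client arrives over HTTP without a cookie, then comes back over SSL with it."""
    vip = Vip()
    first, _, cookie = vip.forward("http", "198.51.100.7", [("Host", "www.example.com")])
    second, fwd, again = vip.forward(
        "ssl", "198.51.100.7", [("Host", "www.example.com"), ("Cookie", cookie)])
    return first, cookie, second, again, fwd, vip.hits


if __name__ == "__main__":
    print(walk_through())
```

Running walk_through() shows the point of giving port http and port 8080 of each real server the same server-id: the cookie issued on the HTTP side (ServerID=1024, rs18) is enough for the SSL policy to pick rs18 again, and the SSL request is forwarded with "Connection-IsSecure: YES" while the HTTP one carried "NO".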

 

Verification

- show server binding

- show csw-policy policy-ssl

Verify that the real servers are bound to the virtual server and that they are UP (Active):

 

SLB-ServerIron#show server binding
Bind info   Virtual server: vip20                    Status: enabled  IP: 20.1.1.10
http -------> rs18: 20.1.1.18,  http (Active)
               rs19: 20.1.1.19,  http (Active)
  ssl -------> rs18: 20.1.1.18,  8080 (Active-Active)
               rs19: 20.1.1.19,  8080 (Active-Active)
SLB-ServerIron#

"show csw-policy" shows detailed information about policy and rules, the times they were hit etc. In our case there were 9 hits for the persistency part of the policy and a single hit for the default path:

 

SLB-ServerIron#sho csw-policy policy-ssl
Policy Name          : policy-ssl
Policy Type          : Content Switching
Policy index         : 1
Reference Count      : 2
total received packet: 0
created session      : 0                total scanned packet: 0
no session drop      : 0                no session frag drop: 0
send mirror ip packet: 0                send mirror packet  : 0
send redirect packet : 0                case-insensitive    : FALSE

Action code description:
fwd: forward    rst: reset-client       per: persist
rdr: redirect   err: reply-error        got: goto
rwt: rewrite    mir: mirror             log: log
con: count      drp: drop               rec: vir-reset
red: cont-red   mip: mirror-ip          unk: unknown

Flag description:
A: insert-cookie        B: delete-cookie        C: destroy-cookie
D: req-ins-hdr          E: req-ins-client-ip    F: resp-ins-hdr
G: delete-content       H: insert-content       I: modify-content
L: log

Rule Name   |Act|Data1     |Data2     |Data3     |Flags     |Hit Cnt
---------------------------------------------------------------
cookie-persi|   |          |          |          |          |9
cookie-persi|per|0         |4         |group-or-s|___DE____ |9
---------------------------------------------------------------
default     |   |          |          |          |          |1
default     |fwd|1         |          |N/A       |A__DE____ |1
---------------------------------------------------------------

SLB-ServerIron#