Application Delivery (ADX)

Cookie switching and HTTP header insertion together with SSL offload

Posted 06-01-2009 09:39 AM

Summary

Insert an HTTP header that tells the real server whether the client connection arrived over plain HTTP or over SSL, combined with cookie switching/insertion for persistence, so that a client is bound to the same backend server for both its HTTP and its SSL traffic.

Specifics

Many setups use several front-end ports, typically HTTP and SSL, that are bound to a single backend port such as the HTTP port. After SSL offload the real server sees plain HTTP for both, so it cannot tell on its own which front-end port the request came in on. To make that visible, a special header can be inserted into every request forwarded to the real server stating whether the connection was received on SSL or on HTTP. Both the persistence (match) branch and the default branch of each policy insert it, so no forwarded request is left without it.

We are going to use a header with the name "Connection-IsSecure" and the values "YES" or "NO".

The example below layers cookie persistence on top of the HTTP header insertion. On the default path the ADX inserts a cookie named "ServerID" whose value starts with the server-id of the real server it chose. On later requests the csw-rule finds "ServerID=" in the Cookie header, and the persist rule reads four characters starting at offset 0 of the cookie value, which is exactly the four-digit server-id (1024 for rs18, 1025 for rs19). Because the same server-id is configured on both real-server ports, the client stays on the same backend for the HTTP and the SSL service, and also when it moves from HTTP to SSL.

Topology

[Figure: CSW_Header_ClientIP_Cookie.jpg (topology diagram, image not reproduced here)]

Sample Script/Code/Configuration

ssl profile verisign128
keypair-file verisign128key
certificate-file verisign128cert
cipher-suite all-cipher-suites
session-cache off
!
csw-rule "cookie-persist" header "Cookie" search "ServerID="
!
csw-policy "policy-http"
match "cookie-persist" persist offset 0 length 4 group-or-server-id
match "cookie-persist" rewrite request-insert header "Connection-IsSecure: NO"
match "cookie-persist" rewrite request-insert client-ip
default forward 1
default rewrite insert-cookie "ServerID"
default rewrite request-insert header
default rewrite request-insert client-ip
csw-policy "policy-ssl"
match "cookie-persist" persist offset 0 length 4 group-or-server-id
match "cookie-persist" rewrite request-insert header "Connection-IsSecure: YES"
match "cookie-persist" rewrite request-insert client-ip
default forward 1
default rewrite insert-cookie "ServerID"
default rewrite request-insert header
default rewrite request-insert client-ip
!
server real rs18 20.1.1.18
port http
port http url "HEAD /"
port http server-id 1024
port http group-id  1 1
port 8080
port 8080 server-id 1024
port 8080 group-id  1 1
!
server real rs19 20.1.1.19
port http
port http url "HEAD /"
port http server-id 1025
port http group-id  1 1
port ssl
port 8080
port 8080 server-id 1025
port 8080 group-id  1 1
!
server virtual vip20 20.1.1.10
port http
port http csw-policy "policy-http"
port http csw
port ssl
no port ssl sticky
port ssl ssl-terminate verisign128
port ssl csw-policy "policy-ssl"
port ssl csw
bind http rs18 http rs19 http
bind ssl rs18 8080 real-port http rs19 8080 real-port http


ATTENTION: This requires SSL offload (ssl-terminate), so the ADX must be running ADX OS 12.1 or later. Two further points before using this in production: the real servers must only be reachable through the ADX, because a client that can reach a real server directly can supply its own Connection-IsSecure header and the server has no way to tell it apart from the one the ADX inserts; and "cipher-suite all-cipher-suites" enables every suite the ADX supports, so restrict it to the suites you actually want to offer.
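To show what a real server behind this configuration can and cannot conclude from a forwarded request, here is an added example (it is not code from the article or from Brocade). It models the backend side of the setup above: it only trusts the Connection-IsSecure header when the request really arrived from the ADX, it reads the persistence cookie exactly as the "persist offset 0 length 4" rule does (the four characters after "ServerID=" in the Cookie header, i.e. the server-id 1024 or 1025 from the configuration), and it rejects an ambiguous request that carries more than one copy of the header. The ADX address 20.1.1.10 used as the trusted peer, the header name X-Forwarded-For for the inserted client IP, and the sample requests are all assumptions made for the example, not facts stated on the page.

```python
"""Backend-side interpretation of the headers and cookie the ADX inserts.

Added example, not from the original article. Assumptions (labelled below):
- the ADX reaches the real servers from 20.1.1.10 (ADX_ADDRESSES);
- the inserted client IP arrives in an X-Forwarded-For header (name assumed);
- the ServerID cookie value starts with the four-digit server-id, which is what
  'persist offset 0 length 4' reads.
"""

# Assumption: source address(es) the ADX uses toward the real servers.
ADX_ADDRESSES = {"20.1.1.10"}

# server-id -> real server, taken from the article's configuration.
SERVER_IDS = {"1024": "rs18", "1025": "rs19"}

COOKIE_NAME = "ServerID"
PERSIST_OFFSET, PERSIST_LENGTH = 0, 4      # persist offset 0 length 4


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body


def persist_server_id(cookie_header: str):
    """Mimic csw-rule 'cookie-persist' plus 'persist offset 0 length 4':
    find 'ServerID=' in the Cookie header and read the four characters that
    follow. Returns None when the cookie is absent, too short, or unknown."""
    marker = COOKIE_NAME + "="
    idx = cookie_header.find(marker)
    if idx < 0:
        return None
    value = cookie_header[idx + len(marker):]
    sid = value[PERSIST_OFFSET:PERSIST_OFFSET + PERSIST_LENGTH]
    return sid if len(sid) == PERSIST_LENGTH and sid in SERVER_IDS else None


def classify(raw: bytes, peer_ip: str):
    """Return what the backend may safely conclude about a forwarded request."""
    method, target, headers, _ = parse_request(raw)
    from_adx = peer_ip in ADX_ADDRESSES

    secure = None                      # None = unknown / not trustworthy
    if from_adx:
        values = headers.get("connection-issecure", [])
        # Exactly one copy is expected from the ADX; anything else is ambiguous.
        if len(values) == 1:
            secure = values[0].lower() == "yes"

    # Assumption: the ADX inserts the client IP as X-Forwarded-For.
    client_ip = headers.get("x-forwarded-for", [None])[0] if from_adx else peer_ip

    sid = None
    for cookie in headers.get("cookie", []):
        sid = persist_server_id(cookie)
        if sid:
            break

    return {
        "method": method,
        "target": target,
        "from_adx": from_adx,
        "secure": secure,
        "client_ip": client_ip,
        "server_id": sid,
        "real_server": SERVER_IDS.get(sid),
    }


# Constructed sample requests (not captured traffic).
SSL_VIA_ADX = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: lang=en; ServerID=1025\r\n"
    b"Connection-IsSecure: YES\r\n"
    b"X-Forwarded-For: 198.51.100.7\r\n"
    b"\r\n"
)
HTTP_VIA_ADX_NO_COOKIE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection-IsSecure: NO\r\n"
    b"X-Forwarded-For: 198.51.100.7\r\n"
    b"\r\n"
)
DIRECT_SPOOF = (                       # client bypassing the ADX, forging the header
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection-IsSecure: YES\r\n"
    b"Cookie: ServerID=1024\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw, peer in [("ssl via adx", SSL_VIA_ADX, "20.1.1.10"),
                            ("http via adx", HTTP_VIA_ADX_NO_COOKIE, "20.1.1.10"),
                            ("direct spoof", DIRECT_SPOOF, "203.0.113.9")]:
        print(name, classify(raw, peer))
```

The spoofed request is the case the caveat above is about: the header is syntactically identical to the one the ADX inserts, so the only defence the backend has is knowing which peer addresses are the ADX. The cookie is still parsed for the direct request because persistence is not a security decision, only a routing hint.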

Verification

- show server binding
- show csw-policy policy-ssl

Verify that the real servers are bound to the virtual server and verify that they are UP (Active):

SLB-ServerIron#show server binding
Bind info   Virtual server: vip20                    Status: enabled  IP: 20.1.1.10
http -------> rs18: 20.1.1.18,  http (Active)
               rs19: 20.1.1.19,  http (Active)
  ssl -------> rs18: 20.1.1.18,  8080 (Active-Active)
               rs19: 20.1.1.19,  8080 (Active-Active)
SLB-ServerIron#

"show csw-policy" shows detailed information about the policy and its rules, including how often each one was hit. In our case there were 9 hits for the persistence part of the policy and a single hit for the default path (the first request, which carried no ServerID cookie yet):

SLB-ServerIron#sho csw-policy policy-ssl
Policy Name          : policy-ssl
Policy Type          : Content Switching
Policy index         : 1
Reference Count      : 2
total received packet: 0
created session      : 0                total scanned packet: 0
no session drop      : 0                no session frag drop: 0
send mirror ip packet: 0                send mirror packet  : 0
send redirect packet : 0                case-insensitive    : FALSE

Action code description:
fwd: forward    rst: reset-client       per: persist
rdr: redirect   err: reply-error        got: goto
rwt: rewrite    mir: mirror             log: log
con: count      drp: drop               rec: vir-reset
red: cont-red   mip: mirror-ip          unk: unknown

Flag description:
A: insert-cookie        B: delete-cookie        C: destroy-cookie
D: req-ins-hdr          E: req-ins-client-ip    F: resp-ins-hdr
G: delete-content       H: insert-content       I: modify-content
L: log

Rule Name   |Act|Data1     |Data2     |Data3     |Flags     |Hit Cnt
---------------------------------------------------------------
cookie-persi|   |          |          |          |          |9
cookie-persi|per|0         |4         |group-or-s|___DE____ |9
---------------------------------------------------------------
default     |   |          |          |          |          |1
default     |fwd|1         |          |N/A       |A__DE____ |1
---------------------------------------------------------------

SLB-ServerIron#