Application Delivery (ADX)

Cookie switching together with SSL offload

on 05-08-2009 01:00 AM - edited on 10-30-2013 05:45 PM by bcm1

Summary

 

We want to enable persistence to the same server using cookies while doing SSL offload and acceleration at the same time.

 

To achieve persistence, we will insert cookies in all connections coming from new clients. We will layer-4 load-balance the connections, and at the same time insert a cookie.

 

The cookie value will contain the server-id to which the connection was load-balanced. Next time when the same client connects, it will present the cookie. Using the cookie value, we will know which real-server to choose and send the connection to it.

 

ATTENTION: This requires SSL offload - ensure you are running ADX OS 12.1 or later.

 

Specifics

 

We will use Layer-7 switching using csw to achieve this. There are three important points to note:

 

  • Connections from new clients will not have the cookie, so the ServerIron will not know how to switch them. To handle such clients, the ServerIron will send them to a pre-defined group. We need a group-id to be assigned to each real-server.
  • However, once a server is selected, its ServerID will be used as the cookie value. We need a server-id, to be used in the cookie value, assigned to each real-server.
  • For new connections, the ServerIron will set a cookie. We need to define the cookie name so that the ServerIron can send a Set-Cookie: CookieName=value header to the client. We need to define cookie-name under vip.

 

Topology Diagram

 

not needed

 

Sample Code/Configuration

 

ssl profile verisign128
    keypair-file verisign128key
    certificate-file verisign128cert
    cipher-suite all-cipher-suites
    enable-certificate-chaining
    session-cache off


csw-rule "r1" header "cookie" search "ServerID="
!
csw-policy "p1"
    match "r1" persist offset 0 length 4 group-or-server-id
    default forward 1
    default rewrite insert-cookie "ServerID"
!
server real rs18 10.45.4.18
    port http
    port http url "HEAD /"
    port http server-id 1218
    port http group-id 1 1
!
server real rs11 10.45.4.11
    port http
    port http url "HEAD /"
    port http server-id 1211
    port http group-id 1 1
!
server virtual vip1 10.45.4.245
  port ssl ssl-terminate verisign128
  port ssl csw-policy "p1"
  port ssl csw
  bind ssl rs18 http rs11 http
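
The switching decision this configuration describes, modelled in Python as an added example (not Brocade code and not part of the original article). Server names and IDs come from the sample configuration above; the round-robin choice within group 1 and the fallback to the default group for an unrecognised cookie value are assumptions of the model.

```python
# Added illustration: simplified model of csw-policy "p1", not ServerIron code.
import itertools

REAL_SERVERS = {1218: "rs18", 1211: "rs11"}  # server-id -> real server (from config)
GROUPS = {1: [1218, 1211]}                   # group-id -> member server-ids
DEFAULT_GROUP = 1                            # default forward 1
COOKIE_NAME = "ServerID"                     # default rewrite insert-cookie "ServerID"
# Assumption: plain round-robin stands in for the layer-4 balancing predictor.
_next_in_group = {g: itertools.cycle(ids) for g, ids in GROUPS.items()}


def persist_key(cookie_header):
    """Rule r1: find 'ServerID=' in the Cookie header and return the
    characters at offset 0, length 4 after it (None if there is no match)."""
    if not cookie_header:
        return None
    pos = cookie_header.find(COOKIE_NAME + "=")
    if pos < 0:
        return None
    start = pos + len(COOKIE_NAME) + 1
    return cookie_header[start:start + 4]


def switch(cookie_header):
    """Return (real_server, set_cookie_value_or_None) for one decrypted request."""
    key = persist_key(cookie_header)
    # The cookie is client-supplied: honour it only when it is numeric and
    # names a configured server-id. Assumption: anything else is treated
    # like a new client and goes to the default group.
    if key and key.isascii() and key.isdigit() and int(key) in REAL_SERVERS:
        return REAL_SERVERS[int(key)], None
    server_id = next(_next_in_group[DEFAULT_GROUP])
    return REAL_SERVERS[server_id], f"{COOKIE_NAME}={server_id}"


if __name__ == "__main__":
    # Constructed sample Cookie headers, as seen after SSL termination.
    for header in (None, "lang=en; ServerID=1211", "ServerID=9999", "ServerID=12ab"):
        print(repr(header), "->", switch(header))
```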


 



 


 

Tips and Caveats

 

Optionally, you can also use the following commands under the virtual server to change the age, domain or path of the cookie being inserted.

 

  • port http cookie-age
  • port http cookie-domain
  • port http cookie-path

 

Further Reading

 

You can also insert different cookies depending on the csw-rule being hit. A sample config is: L7CSWMultipleCookies

Further info on SSL offload/acceleration: SSL offload and acceleration concepts and examples
