02-01-2007 08:14 AM
Dear NetProf,
I've installed a CSS11501S some time ago; however, the web company has just finished designing and testing the new site and hit a problem. The primary use of the CSS is for SSL proxy and load balancing across 2 servers.
Basically there is an issue with the authentication process on the web site and the load balancing. The authentication is tied to a server, and therefore, as the CSS is doing the job, it works 50% of the time; obviously there are only two servers in this setup.
I am a little confused why it is balancing the traffic, as I thought persistence was supposed to maintain a level of stickiness?
I believe that I may need to implement sticky cookies to resolve this, but I just need some advice and info on how to do this. If there is a simpler way, please also let me know.
Here is an extract of the config:
CSS11501# sh run
!Generated on 01/02/2007 02:02:16
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
date european-date
ssl associate rsakey rsakey rsakeyfile1
ssl associate cert SSLCERT SSLcertfile.pem
ftp-record ftpserv 192.168.1.12 admin des-password xxx
ip route 0.0.0.0 0.0.0.0 192.168.1.1 1
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 192.168.1.254 255.255.255.0
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list 1
  ssl-server 20
  ssl-server 20 vip address 192.168.1.253
  ssl-server 20 cipher rsa-with-rc4-128-md5 192.168.1.253 8080 weight 5
  ssl-server 20 rsakey rsakey
  ssl-server 20 rsacert SSLCERT
  active
!************************** SERVICE **************************
service server2
  ip address 192.168.1.12
  active
service server1
  ip address 192.168.1.11
  active
service ssl_serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list 1
  active
!*************************** OWNER ***************************
owner L5_Owner
  content L3_Rule
    add service server1
    add service server2
    vip address 192.168.1.253
    balance srcip
    active
  content L5_Rule
    add service server1
    add service server2
    vip address 192.168.1.253
    protocol tcp
    port 80
    url "/*"
    balance aca
    active
owner ssl_Owner
  content ssl_rule1
    vip address 192.168.1.253
    protocol tcp
    port 443
    application ssl
    add service ssl_serv1
    active
Many thanks in advance for assistance.
I always rate helpful posts.
Regards, Adrian
02-05-2007 06:53 AM
Adrian,
Indeed you need stickiness, as browsers actually use multiple TCP connections when going to a server.
A sticky cookie seems to be the best option in this case.
I see that your proxy list redirects the traffic to 192.168.1.253 8080.
You do not have a content rule with this port, so traffic will hit the default rule L3_Rule.
I would suggest configuring a rule like this:
content decrypted
  add service server1
  add service server2
  vip address 192.168.1.253
  protocol tcp
  port 8080
  url "/*"
  advanced-balance arrowpoint-cookie
  active
Gilles.
02-05-2007 07:12 AM
Hi Gilles,
Many thanks for helping me out, I've been doing some investigation today as well ;-)
By configuring the above rule, which specifically matches the secure traffic (HTTP over port 8080 on the server side and SSL on 443 for clients connecting over the internet):
Should I also use the advanced-balance arrowpoint-cookie statement under owner ssl_rule1 / content ssl_rule1, since even though this is encrypted between client and CSS, it is not encrypted on port 8080 between CSS and server?
Should I still keep the original L3_Rule?
Should I also use this config for the L5_Rule as well?
The reason I ask is that I'm not sure where the web company's login fails (I have a meeting tomorrow) to see if it is before they enter the secure side of the site or not.
Also, once I configure this, do I need to set up a web page to tell users how to enable cookies in their browsers if they are not switched on by default? (I think I do, but I'm a little unsure, as this is sometimes referred to as cookie INSERT; is it the same?)
After reading some of the notes on the earlier version of CSS code (pre 4.1), would it be best to set the expiration period on the cookies as well? I read somewhere that the client side would be one year unless set.
Thanks again, much appreciated assistance.
Best regards, Adrian.
02-05-2007 11:04 PM
Adrian,
The cookie should only be applied to the http rule. Never for SSL.
You can get rid of the L3_Rule if it has no use.
You can enable the cookie on the http rule if needed.
You should indeed inform the users that they need to enable cookies when browsing this website.
You can set an expiration time if you want, but this is not a requirement.
Gilles.
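To make concrete what the `advanced-balance arrowpoint-cookie` rule above does on the decrypted port-8080 leg, and why Gilles says it belongs on the clear-text http rule and not on the SSL rule (the proxy can only read and insert a cookie where it sees the HTTP headers), here is a small Python simulation of cookie-based persistence. This is an added example, not Cisco CSS code or anything posted in the thread; the cookie name ARPT, the signing key, the 3600-second Max-Age and the StickyBalancer class are all hypothetical. It goes slightly beyond the CSS behaviour by HMAC-tagging the backend name in the cookie, so a client cannot edit the value to pin itself to a backend of its choosing, and it shows the two fallbacks a practitioner cares about: a client with cookies disabled (or a forged cookie) simply gets round-robin balanced and a fresh cookie, and a client whose pinned server goes down is re-pinned to a live one.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed values for this example; a real deployment uses a random key
# and whatever cookie name the load balancer is configured with.
COOKIE_SECRET = b"example-key-replace-with-random-bytes"
COOKIE_NAME = "ARPT"  # assumed name, not the CSS's real cookie name


def _tag(backend: str) -> str:
    """Short HMAC over the backend name; stops clients forging a cookie
    that pins them to an arbitrary backend."""
    return hmac.new(COOKIE_SECRET, backend.encode(), hashlib.sha256).hexdigest()[:16]


def make_cookie_value(backend: str) -> str:
    return f"{backend}.{_tag(backend)}"


def parse_cookie_value(value: str) -> Optional[str]:
    """Backend named by a cookie value, or None if it is missing,
    malformed, or carries a bad tag."""
    backend, sep, tag = value.rpartition(".")
    if not sep or not backend:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(backend).encode()):
        return None
    return backend


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Minimal 'Cookie:' header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


class StickyBalancer:
    """Hypothetical proxy: inserts a persistence cookie on the first response
    and honours it on later requests while that backend is still up."""

    def __init__(self, backends: Iterable[str], max_age: int = 3600) -> None:
        self.backends: List[str] = list(backends)
        self.up: Set[str] = set(self.backends)
        self.max_age = max_age
        self._next = 0

    def set_state(self, backend: str, up: bool) -> None:
        if up:
            self.up.add(backend)
        else:
            self.up.discard(backend)

    def _round_robin(self) -> str:
        live = [b for b in self.backends if b in self.up]
        if not live:
            raise RuntimeError("no backend available")
        chosen = live[self._next % len(live)]
        self._next += 1
        return chosen

    def route(self, cookie_header: Optional[str]) -> Tuple[str, Optional[str]]:
        """Pick a backend for one request.

        Returns (backend, set_cookie): set_cookie is the Set-Cookie value to
        add to the response, or None when the client already carried a valid
        cookie for a live backend (no re-balancing, no new cookie)."""
        cookies = parse_cookie_header(cookie_header)
        wanted = parse_cookie_value(cookies.get(COOKIE_NAME, ""))
        if wanted in self.up:
            return wanted, None
        chosen = self._round_robin()
        # Secure: the client-facing leg is HTTPS even though the proxy-to-
        # server leg on 8080 is clear text. HttpOnly: page script never
        # needs to read a persistence cookie.
        set_cookie = (f"{COOKIE_NAME}={make_cookie_value(chosen)}; Path=/; "
                      f"Max-Age={self.max_age}; Secure; HttpOnly")
        return chosen, set_cookie


def cookie_from_set_cookie(set_cookie: str) -> str:
    """What a browser echoes back on the next request: just name=value."""
    return set_cookie.split(";", 1)[0]


if __name__ == "__main__":
    lb = StickyBalancer(["192.168.1.11", "192.168.1.12"])
    backend, set_cookie = lb.route(None)          # first hit: balanced, cookie set
    cookie = cookie_from_set_cookie(set_cookie)
    for _ in range(3):
        print(lb.route(cookie))                   # same backend, no new cookie
    lb.set_state(backend, up=False)
    print(lb.route(cookie))                       # re-pinned to the other server
```

The thing to notice is that the second request only stays on the same server because the proxy could read the cookie in the clear: if the same logic ran on the port-443 rule it would see only ciphertext, which is the reason the cookie goes on the decrypted 8080 rule.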
02-06-2007 01:45 AM
Hi Gilles,
Thanks again for your assistance, I will add the new rule and test. I will then remove the L3_Rule later if it no longer matches traffic. If it resolves all my problems, I owe you a big thank you. I will mark the post as resolved if there is positive news.
Thanks again. Best regards, Adrian.