01-18-2008 06:30 AM
Hello to all
We have the following problem. We use SSL termination on the ACE. This should work as follows: plain HTTP requests should go directly to the server (port 80), and HTTPS requests should terminate on the ACE and be decrypted to the server as a "pseudo-HTTPS" (port 8443/HTTP) request.
After the first HTTP request, the server sends a redirect to "https://URL" for the login procedure (this should be encrypted). After login, the server switches back to HTTP.
Our problem now is the stickiness. These two connections should be sticky together, because only the server where the client logged in (HTTPS) knows about the user.
We have a config which works, but not with "ONE" stickiness. Is there a solution to match these two connections together?
You can see in the output of the sticky DB that the HTTP part now matches on server3 and the HTTPS part on server1 (which should be the same).
Thanks for your help
Gery
Config parts:
-------------
crypto chaingroup VERISIGN-CHAIN
  cert chain-verisign

probe http HTTP-80-30
  interval 30
  faildetect 2
  passdetect interval 30
  passdetect count 2
  expect status 200 200
  expect status 302 302

probe http HTTP-8443-30
  port 8443
  interval 30
  faildetect 2
  passdetect interval 30
  passdetect count 2
  expect status 200 200
  expect status 302 302

parameter-map type connection MYDOOR-CONN-PARAMS

parameter-map type ssl SSL-WEB
  cipher RSA_WITH_RC4_128_MD5 priority 2
  cipher RSA_EXPORT_WITH_RC4_40_MD5

rserver host fdintegra-rip1
  ip address 10.10.20.1
  inservice
rserver host fdintegra-rip2
  ip address 10.10.20.2
  inservice
rserver host fdintegra-rip3
  ip address 10.10.20.3
  inservice

ssl-proxy service myhost.mydomain.com
  key keyfile.pem
  cert certfile.pem
  chaingroup VERISIGN-CHAIN
  ssl advanced-options SSL-WEB

serverfarm host MYDOOR-Integration
  probe HTTP-80-30
  probe HTTP-8443-30
  rserver fdintegra-rip1 80
    inservice
  rserver fdintegra-rip2 80
    inservice
  rserver fdintegra-rip3 80
    inservice

serverfarm host MYDOOR-Integration-8443
  probe HTTP-80-30
  probe HTTP-8443-30
  rserver fdintegra-rip1 8443
    inservice
  rserver fdintegra-rip2 8443
    inservice
  rserver fdintegra-rip3 8443
    inservice

sticky ip-netmask 255.255.255.240 address source MY-INTEGRATION
  timeout 600
  replicate sticky
  sticky-serverfarm MYDOOR-Integration

sticky ip-netmask 255.255.255.240 address source MY-INTEGRATION-SSL
  timeout 600
  replicate sticky
  sticky-serverfarm MYDOOR-Integration-8443

class-map match-all L4-MY-INTEGRATION-FIP-TESTVIP
  2 match virtual-address 10.10.10.10 tcp eq www
class-map match-all SSL-L4-MY-INTEGRATION-FIP-TESTVIP
  2 match virtual-address 10.10.10.10 tcp eq https

policy-map type loadbalance first-match MY-INTEGRATION
  class class-default
    serverfarm MYDOOR-Integration
policy-map type loadbalance first-match MY-INTEGRATION-SSL
  class class-default
    serverfarm MYDOOR-Integration-8443

policy-map multi-match LB-Traffic
  class SSL-L4-MY-INTEGRATION-FIP-TESTVIP
    loadbalance vip inservice
    loadbalance policy MY-INTEGRATION-SSL
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server myhost.mydomain.com
    connection advanced-options MYDOOR-CONN-PARAMS
  class L4-MY-INTEGRATION-FIP-TESTVIP
    loadbalance vip inservice
    loadbalance policy MY-INTEGRATION
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    connection advanced-options MYDOOR-CONN-PARAMS
01-23-2008 03:47 AM
Hello to all
I did not get any response on my ACE problem. Maybe because of my English skills
I could not explain exactly what the problem is. So here is some more information
about it. I hope somebody can help me.
Communication Client/ACE/Server
-------------------------------
1. Client -> ACE (http/80) -> Server (http/80): client sends an HTTP request to the server (SYN, SYN/ACK, ACK)
2. Server -> Client: redirect to https://URL for the login procedure
3. Client -> ACE (https/443) -> Server (http/8443): client logs in to the server
4. Server -> Client: if successful, the server sends a redirect back to http
5. Client -> ACE (http/80) -> Server (http/80): client works with http
On the servers there are two listeners working: one on port 80 (for HTTP) and one
on port 8443 (for ACE-decrypted HTTPS, which is also HTTP on the server).
The server needs this separation (two HTTP listeners on separate ports) because
it has to know whether the request was actually an HTTP or an HTTPS request.
My problem now is to find a working ACE configuration which is sticky on both
sessions (80->80 and 443->8443) to the same server.
This works on the CSS with the following config (for which I have to find an
equivalent config), but not on the ACE.
ssl associate rsakey myhost.mydomain.com keyfile-pem
ssl associate cert myhost.mydomain.com certfile.pem

ssl-proxy-list lbcss-pl-ssl
  ssl-server 1
  ssl-server 1 vip address 10.10.10.10
  ssl-server 1 rsakey myhost.mydomain.com
  ssl-server 1 rsacert myhost.mydomain.com
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.10.10.10 8443
  ssl-server 1 cipher rsa-export-with-rc4-40-md5 10.10.10.10 8443
  active

service fdintegra-rip1
  ip address 10.10.20.1
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive maxfailure 6
  keepalive type script ap-my-http-httph-icon "10.10.20.1"
  keepalive tcp-close fin
  active

service fdintegra-rip2
  ip address 10.10.20.2
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive maxfailure 6
  keepalive type script ap-my-http-httph-icon "10.10.20.2"
  keepalive tcp-close fin
  active

service fdintegra-rip3
  ip address 10.10.20.3
  keepalive frequency 30
  keepalive retryperiod 10
  keepalive maxfailure 6
  keepalive type script ap-my-http-httph-icon "10.10.20.3"
  keepalive tcp-close fin
  active

content fdintegra-ssl@real
  vip address 10.10.10.10
  protocol tcp
  port 443
  add service ssl-module-1
  active

content fdintegra@real
  vip address 10.10.10.10
  add service fdintegra-rip1
  add service fdintegra-rip2
  add service fdintegra-rip3
  protocol tcp
  advanced-balance sticky-srcip
  flow-reset-reject
  flow-timeout-multiplier 6
  sticky-inact-timeout 720
  sticky-mask 255.255.255.240
  balance leastconn
  active
Can someone help me?
Gery
01-23-2008 06:26 AM
Gery,
enable static cookie stickiness.
Check the 'sticky' command.
To use the static mode, configure 'cookie insert' under the cookie sticky configuration.
Then use this sticky serverfarm for both your SSL policy and your HTTP policy.
This should work.
Gilles.
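Worked example of the configuration Gilles describes, added here as an illustration; it is not from the thread and not Cisco's own text. Names that do not appear in the original are assumptions: the sticky groups MYDOOR-STICKY-80 and MYDOOR-STICKY-8443, the cookie name MYDOORSRV and the static values rip1/rip2/rip3. An ACE sticky group is bound to a single serverfarm, so one group per serverfarm is still required (port 80 and port 8443 are separate serverfarms). What ties the two legs together is that both groups carry the identical static cookie-value-to-rserver mapping: with "cookie insert", the ACE sets the static value configured for the rserver it selected, and when the browser presents that cookie on the other leg, the other group resolves the same value to the same host, only on the other port. The rservers, serverfarms, class-maps and the multi-match policy from the first post are kept unchanged; only the two ip-netmask sticky groups and the two loadbalance policies are replaced.

```text
! Added example, not from the original post. Assumed names: MYDOOR-STICKY-80,
! MYDOOR-STICKY-8443, cookie MYDOORSRV, static values rip1/rip2/rip3.
! The cookie name and the static values MUST be identical in both groups.

sticky http-cookie MYDOORSRV MYDOOR-STICKY-80
  cookie insert browser-expire
  timeout 600
  replicate sticky
  serverfarm MYDOOR-Integration
  static cookie-value "rip1" rserver fdintegra-rip1 80
  static cookie-value "rip2" rserver fdintegra-rip2 80
  static cookie-value "rip3" rserver fdintegra-rip3 80

sticky http-cookie MYDOORSRV MYDOOR-STICKY-8443
  cookie insert browser-expire
  timeout 600
  replicate sticky
  serverfarm MYDOOR-Integration-8443
  static cookie-value "rip1" rserver fdintegra-rip1 8443
  static cookie-value "rip2" rserver fdintegra-rip2 8443
  static cookie-value "rip3" rserver fdintegra-rip3 8443

! The loadbalance policies now point at the sticky groups, not at the
! plain serverfarms. This turns both VIPs into Layer 7 policies, which is
! required for the ACE to read and insert the cookie; on the HTTPS VIP the
! existing "ssl-proxy server" in LB-Traffic provides the cleartext.
policy-map type loadbalance first-match MY-INTEGRATION
  class class-default
    sticky-serverfarm MYDOOR-STICKY-80

policy-map type loadbalance first-match MY-INTEGRATION-SSL
  class class-default
    sticky-serverfarm MYDOOR-STICKY-8443
```

To check it, run a browser (or curl with a cookie jar) through the http -> https -> http sequence and then look at "show sticky database": the entries for that cookie value should point at the same rserver in both groups, differing only in port. Three caveats a practitioner should keep in mind. First, the browser has to send the cookie on both the HTTPS leg and the plain-HTTP leg, so the inserted cookie must not carry the Secure attribute, otherwise the post-login redirect to port 80 arrives without it and is balanced fresh. Second, in the first post's config the two keywords appear swapped relative to the ACE syntax: inside a sticky group the serverfarm is bound with "serverfarm", while "sticky-serverfarm" belongs in the loadbalance policy-map class; if the running config really references the plain serverfarms from the policy-maps, the sticky groups are never consulted at all. Third, the example leaves the SSL-WEB parameter-map as posted, but RSA_EXPORT_WITH_RC4_40_MD5 is a 40-bit export suite and both listed suites are RC4 with MD5; the export suite at least should be removed. For comparison, the CSS config worked with a single rule because the content rule fdintegra@real has no port and therefore matched both the port-80 flows and the port-8443 flows coming back from the SSL module, so one sticky-srcip table covered both.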