HTTP & SSL Stickiness

andyhsu
Level 1

The website we're load-balancing with our CSS 11150 is an e-commerce site that will redirect the user to an SSL page which resides on the same server upon checkout. I was attempting to follow the tutorial given by this link (http://www.cisco.com/warp/public/117/converting_ssl_http.html ), but didn't quite understand the example given. More specifically, the page says:

"During the client's session, the transition is made to SSL port 443. This causes a new content rule to be hit and the client is load-balanced to another server. To prevent this from occurring, configure an HREF pointing the server back to itself:"

"<A HREF=https://ip_address/path> secure site </A>"

The PDF version of the document uses this URL:

"http://kbase.cisco.com/paws_data/16202/<A HREF="javascript:newWin('https://ip_address/path')>secure site</A>"

Besides the confusion that these conflicting results produce, I'm still not sure exactly what the URL is referencing.

An example of our setup is as follows:

(Public)
  Arrowpoint IP: 123.123.123.215
  Arrowpoint VIP: 123.123.123.220

(Private)
  Arrowpoint IP: 10.0.0.1
  WS-1: 10.0.0.2
  WS-2: 10.0.0.3

Domain Name: http://www.our-domain.com

Based on this information, how would I construct the URL I would need to embed within our webpage in order to convert an HTTP session to SSL and stay stuck?

Thanks,

Andy

pknoops
Level 3

Andy,

In general what you want to happen is when the port 80 session is on a server and the client goes over to 443, you want your server to push the client back to the same server on 443 through another private vip.

So if you have 2 physical servers being load balanced, you would need 2 additional content rules configured as port 443 with a separate vip from the one you originally hit when you went to the server on 80.

I'm not a webserver guy, but however you configure an HREF, you want to configure it to send the request to a vip which will in turn send it back to the server on 443 this time.

i.e.:

content public_vip
  vip address 123.123.123.220
  protocol tcp
  port 80
  add service WS-1
  add service WS-2
  active

content WS-1
  vip address 123.123.123.221 <-- new vip for HREF to server #1
  protocol tcp
  port 443
  add service WS-1
  active

content WS-2
  vip address 123.123.123.222 <-- new vip for HREF to server #2
  protocol tcp
  port 443
  add service WS-2
  active

The HREF on WS-1 will point to vip 123.123.123.221
The HREF on WS-2 will point to vip 123.123.123.222

Hope this makes more sense

Pete Knoops

Cisco Systems

andyhsu
Level 1

A new issue has popped up in regards to going between protocols. While referencing a new VIP specifying a specific server worked for sticking an old http session to a new ssl session, we're losing that stickiness when the user clicks on a link that takes them back to an http link. We're using advanced-balance sticky-srcip for the content rules, and I thought that this would keep the user on the same server once an http session is resumed since their entry in the sticky table should still exist.

If possible, I would like to avoid using another two IP addresses as VIPs for http-server specific content rules since this would create a scaling nightmare once we start adding new servers behind the content switch. Is there another way to resolve this? Thanks.

-A.Hsu

In regards to my last post, here's our current setup:

!*************************** GLOBAL ***************************
bridge spanning-tree disabled
restrict telnet
ip route 0.0.0.0 0.0.0.0 10.0.0.1 1

!************************* INTERFACE *************************
interface e2
  bridge vlan 2
interface e3
  bridge vlan 2

!************************** CIRCUIT **************************
circuit VLAN1
  description "External"
  ip address 10.0.0.33 255.255.255.0
circuit VLAN2
  description "Internal"
  ip address 172.20.0.1 255.255.255.0

!************************** SERVICE **************************
service ws-1
  ip address 172.20.0.31
  protocol tcp
  active
service ws-2
  ip address 172.20.0.32
  protocol tcp
  active

!*************************** OWNER ***************************
owner arrowpoint
  content vip-arrowpoint
    protocol tcp
    port 80
    vip address 10.0.0.30
    add service ws-1
    add service ws-2
    advanced-balance sticky-srcip
    active
  content ws-1-ssl
    protocol tcp
    port 443
    vip address 10.0.0.31
    add service ws-1
    advanced-balance sticky-srcip
    active
  content ws-2-ssl
    protocol tcp
    port 443
    add service ws-2
    vip address 10.0.0.32
    advanced-balance sticky-srcip
    active

!*************************** GROUP ***************************
group arrowpoint
  add service ws-1
  add service ws-2
  vip address 10.0.0.30
  active
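The following is an added example, not code from this thread or from Cisco. It models why Pete's per-server 443 VIPs keep the checkout on the same server, and what happens on the way back to port 80 in Andy's config above: it parses a constructed CSS config with the same rule names, VIPs and services, and gives every content rule its own sticky table keyed by client source IP, which is how the thread describes advanced-balance sticky-srcip. The inactivity expiry on sticky entries (sticky_timeout) and the round-robin choice for clients without a live entry are assumptions of this model, as is the shared-443-rule variant built in shared_ssl_rule to reproduce the case the Cisco note warns about.

```python
"""Model of source-IP stickiness across CSS content rules.

Added example for this thread, not Cisco code. It parses a constructed config
modelled on the one posted above and gives each content rule its own sticky
table keyed by client source IP, as the thread describes sticky-srcip; the
inactivity expiry of sticky entries is this model's assumption, not the thread's.
"""
from itertools import cycle

# Constructed config: the content rules from the post above (one service kept).
CONFIG = """\
service ws-1
  ip address 172.20.0.31
content vip-arrowpoint
  port 80
  vip address 10.0.0.30
  add service ws-1
  add service ws-2
  advanced-balance sticky-srcip
  active
content ws-1-ssl
  port 443
  vip address 10.0.0.31
  add service ws-1
  advanced-balance sticky-srcip
  active
content ws-2-ssl
  port 443
  add service ws-2
  vip address 10.0.0.32
  advanced-balance sticky-srcip
  active
"""


def parse_content_rules(text):
    """Return {(vip, port): rule} for every active content rule in text."""
    rules, rule = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if line.startswith("content "):
            rule = {"name": words[1], "vip": None, "port": None,
                    "services": [], "sticky": False}
        elif line.startswith(("service ", "owner ", "group ", "circuit ", "interface ")):
            rule = None                            # left content-rule scope
        elif rule is None or not words or line.startswith("!"):
            continue
        elif line.startswith("vip address "):
            rule["vip"] = words[2]
        elif line.startswith("port "):
            rule["port"] = int(words[1])
        elif line.startswith("add service "):
            rule["services"].append(words[2])
        elif line == "advanced-balance sticky-srcip":
            rule["sticky"] = True
        elif line == "active":
            rules[(rule["vip"], rule["port"])] = rule
    return rules


class ContentSwitch:
    """One sticky table per rule; round-robin for clients without a live entry."""

    def __init__(self, rules, sticky_timeout=3600):
        self.rules, self.timeout = rules, sticky_timeout   # expiry is assumed
        self.sticky = {r["name"]: {} for r in rules.values()}
        self.rr = {r["name"]: cycle(r["services"]) for r in rules.values()}

    def connect(self, src_ip, vip, port, now):
        rule = self.rules[(vip, port)]
        table, entry = self.sticky[rule["name"]], self.sticky[rule["name"]].get(src_ip)
        if rule["sticky"] and entry and now - entry[1] < self.timeout:
            server = entry[0]                      # sticky hit: same server again
        else:
            server = next(self.rr[rule["name"]])   # fresh balancing decision
        if rule["sticky"]:
            table[src_ip] = (server, now)
        return server


def checkout_journey(switch, src_ip, back_to_http_at):
    """HTTP browse -> HREF to the per-server SSL VIP -> link back to HTTP."""
    href = {r["services"][0]: vip for (vip, port), r in switch.rules.items()
            if port == 443 and len(r["services"]) == 1}   # HREF target per server
    first = switch.connect(src_ip, "10.0.0.30", 80, now=0)
    ssl = switch.connect(src_ip, href[first], 443, now=10)
    back = switch.connect(src_ip, "10.0.0.30", 80, now=back_to_http_at)
    return first, ssl, back


def shared_ssl_rule(rules):
    """The case the Cisco note warns about: one 443 rule shared by both servers."""
    shared = dict(rules)
    shared[("10.0.0.30", 443)] = {**rules[("10.0.0.30", 80)], "name": "shared-ssl", "port": 443}
    switch = ContentSwitch(shared)
    switch.connect("10.9.0.1", "10.0.0.30", 80, now=0)
    b_http = switch.connect("10.9.0.2", "10.0.0.30", 80, now=1)   # second client: ws-2
    b_ssl = switch.connect("10.9.0.2", "10.0.0.30", 443, now=2)   # shared rule: ws-1
    return b_http, b_ssl
```

With the per-server 443 VIPs, checkout_journey(ContentSwitch(parse_content_rules(CONFIG)), "10.9.0.1", 600) keeps the client on ws-1 for all three hops, because the HREF removes the balancing decision on 443 and the port-80 sticky entry is still live when the client comes back. The same journey with sticky_timeout=60 lands the return hop on ws-2: the port-80 rule's entry has aged out while the client was on the SSL rule, which is one thing worth checking (sticky inactivity settings and how long a checkout takes) when stickiness is lost on the way back to http. shared_ssl_rule shows the original problem from the Cisco note: the second client is on ws-2 for http but the shared 443 rule makes its own choice and sends the checkout to ws-1.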
