RE: [load balancing] https pbind problem on Alteon 2208

From: Adrian Richardson <adrian.richardson [izzat] rmit.edu.au>
Date: Mon Feb 27 2006 - 18:25:57 EST

Thanks for the reply.

Yes - both http and https are in the same group with the metric set to
hash. Changing client IPs is certainly a problem for us - this is why I
don't use clientip even for http.

Is there a need to use an SSL offloader if you keep the cookie value in
the URL and tell pbind to look for it there? i.e. pbind cookie passive
myCookieName 1 16 enable

>>> degrassi@layer227.com 28/02/2006 4:01:09 am >>>
Are both HTTP and HTTPS services using the same group with the hash
metric? If so then persistence between the two services "should" be
maintained as long as the source IP doesn't change. And there's the
rub... I have been told that some ISPs will proxy HTTP and HTTPS thru
different proxies thus the source IP (clientIP) will change.

The same applies to Pbind clientIP with a free metric like round robin.
With clientip command enabled, HTTP and HTTPS traffic from the same
client will map to the same server regardless of the load balancing
metric used, since the services are related. Whereas, different services
from the same client may not map to the same server.

Pbind cookie will only work with HTTP. HTTPS is encrypted so the 2208
cannot see the cookie by itself. You will need to decrypt the session
with an SSL offloader then send the session to the VIP for load
balancing.

Maybe this is the problem.

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
Adrian Richardson
Sent: Sunday, February 26, 2006 10:48 PM
To: lb-l@vegan.net
Subject: [load balancing] https pbind problem on Alteon 2208

Hi

I'm having a problem with https session persistency with Alteon 2208
when people switch from HTTP to HTTPS in our web application. Our
clients use http until they need to complete a purchase - whereby the
application switches to secure mode. At that point, *some* sessions
break depending on if the session continues on the same real server or
not. In our application users MUST remain on the same real server they
started when completing the secure transaction.

The metric is hash for the group.

For service HTTP, dbind is enabled and pbind is on cookie (passive).
This seems to work best for us and maintains persistency in most cases.

'clientip' pbind is no good as many of our clients are behind mega
proxies.

I can't find a good pbind configuration for HTTPS.
* clientip: doesn't work - sessions can go to the wrong real server.

* sslid: doesn't work - this method is no good for IE any longer
because of the 2 min timeout and sessions can go to the wrong server
when the ssl connection is first made.

* cookie (passive): doesn't seem to work at all (I can't connect)

Anyone have any ideas as to how I can maintain persistency in the
switch from HTTP to HTTPS?

Thanks
Adrian

Adrian Richardson
Informit - RMIT Publishing

____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com

Received on Mon Feb 27 20:32:23 2006

This archive was generated by hypermail 2.1.8 : Mon Feb 27 2006 - 20:47:50 EST
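
The following is an added example, not part of the thread and not Alteon code. It models the behaviour discussed above: a source-IP hash sends HTTP and HTTPS to different real servers when the client's proxy IP changes, while a passively learned cookie binding holds only when the switch can read the cookie. The hash function, server names, IP addresses, cookie value and the reading of "1 16" as offset and length are assumptions.

```python
import ipaddress

REAL_SERVERS = ["real1", "real2", "real3"]  # constructed server group


def hash_select(src_ip):
    # Stand-in for the group's hash metric (assumption, not the switch's
    # real algorithm): same source IP -> same server, nothing more.
    return REAL_SERVERS[int(ipaddress.ip_address(src_ip)) % len(REAL_SERVERS)]


class PassiveCookieTable:
    """Bindings learned from server Set-Cookie headers, keyed on a slice of
    the cookie value (1-based offset and length, as in 'myCookieName 1 16')."""

    def __init__(self, name, offset, length):
        self.name, self.start, self.length = name, offset - 1, length
        self.bindings = {}

    def _key(self, header):
        # Works for both "Set-Cookie" and "Cookie" header values.
        for pair in header.split(";"):
            k, _, v = pair.strip().partition("=")
            if k == self.name and v:
                return v[self.start:self.start + self.length]
        return None

    def learn(self, set_cookie, server):
        key = self._key(set_cookie)
        if key:
            self.bindings[key] = server

    def select(self, src_ip, cookie_header=None):
        # cookie_header is None when the switch sees only ciphertext
        # (HTTPS without an SSL offloader in front); fall back to the hash.
        key = self._key(cookie_header) if cookie_header else None
        return self.bindings.get(key) or hash_select(src_ip)


def run_scenario():
    table = PassiveCookieTable("myCookieName", 1, 16)
    http_proxy, https_proxy = "198.51.100.10", "198.51.100.11"  # constructed
    first = table.select(http_proxy)                 # no cookie yet: hash
    table.learn("myCookieName=ABCDEF0123456789; Path=/", first)
    cookie = "other=1; myCookieName=ABCDEF0123456789"
    return {
        "http": table.select(http_proxy, cookie),
        "https_encrypted": table.select(https_proxy),         # cookie hidden
        "https_offloaded": table.select(https_proxy, cookie),  # cookie visible
    }


if __name__ == "__main__":
    print(run_scenario())
```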