From: Richard O'Halloran (rohallorIZZATnortelnetworks.com)
Date: Wed Aug 25 2004 - 06:50:30 EDT
Hi,
Forgive me if I cover something you already know, but you are right in that in the
bad old days of deploying proxies with manual configuration, administrators
tended to send all browser traffic to proxy servers and all traffic, both
SSL and HTTP, would appear to come from a single source.
The reason that your network address now changes between protocols is
that people deploy transparent caching via a layer 4-7 switch. These
switches only redirect cacheable traffic (either at layer 4 or layer 7).
As SSL traffic is encrypted and impossible to cache, people tend not to
redirect port 443 traffic to the caches, therefore these connections have
the source of the user.
Therefore it's extremely common with both large and small ISPs that the
source IP address of the user will change as they switch from an HTTP to an
HTTPS connection to your application.
Regards,
Rich.
-----Original Message-----
From: Computer Guy [mailto:ethersecIZZATyahoo.com]
Sent: Wednesday, 25 August 2004 2:27 PM
To: lb-lIZZATvegan.net
Subject: Re: [load balancing] Megaproxy issue - Alteon
Pete,
Could you please elaborate on the network you're
discussing? Why would the network address change
between http and https connections except maybe for
clients coming from networks that load-balance
outbound client connections across proxy servers
connected to different ISPs?
Thanks.
-B
--- Pete Tenereillo <pt_lbIZZAThotmail.com> wrote:
> No, that mask does NOT "work best even for shopping cart persistence for the
> majority of the megaproxies". For example, it does not work for AOL, where
> SSL connections are sent directly from the client, and therefore have a
> totally different network address than the HTTP connections that go through
> the "megaproxy".
>
> If you don't believe that, set it up and test for yourself (I've been doing
> that test with AOL etc. periodically for the last 10 years, but for
> egg-on-face avoidance, I just tested it again 5 minutes ago!).
>
>
> Pete.
>
>
> ----- Original Message -----
> From: "Computer Guy" <ethersecIZZATyahoo.com>
> To: <lb-lIZZATvegan.net>
> Sent: Sunday, August 22, 2004 6:07 PM
> Subject: Re: [load balancing] Megaproxy issue - Alteon
>
>
> > You're absolutely right, nothing better than (session)
> > cookies. But that mask does work best even for
> > shopping cart persistence for the majority of the megaproxies ...
> > but yes, you're going to have to find
> > other alternatives for some of the networks you
> > mentioned.
> >
> > --- Pete Tenereillo <pt_lbIZZAThotmail.com> wrote:
> >
> >> But that doesn't work for "Shopping Cart" persistence, i.e. persistence for
> >> financial or ecommerce apps with both HTTP and HTTPS, because the HTTPS
> >> connections don't go through the "megaproxy" in most such networks (and
> >> therefore have SIPs from totally different networks). It also does not work
> >> (even HTTP-only) for the myriad of enterprise networks that load-balance
> >> outbound client connections across proxy servers which are connected to
> >> different ISPs, with totally different source IP networks (of course the
> >> mask 0.0.0.0 would work! ;-).
> >>
> >> The only ways to completely solve it - 0) change the app so persistence is
> >> not needed 1) cookies (with SSL termination), 2) explicit redirection.
> >>
> >>
> >> Pete.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Computer Guy" <ethersecIZZATyahoo.com>
> >> To: <lb-lIZZATvegan.net>
> >> Sent: Friday, August 20, 2004 10:51 AM
> >> Subject: RE: [load balancing] Megaproxy issue - Alteon
> >>
> >>
> >> > Sure:
> >> > From many conversations with Cisco, F5 and the Nortel,
> >> > the 255.255.240.0 subnet mask best accommodates for
> >> > megaproxies such as AOL for when you can't persist
> >> > using cookies and/or ssl session IDs.
> >> >
> >> > --- CihanSIZZATgaranti.com.tr wrote:
> >> >
> >> >>
> >> >>
> >> >> Why do you think that will work? Thanks
> >> >>
> >> >> -----Original Message-----
> >> >> From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On
> >> >> Behalf Of Computer Guy
> >> >> Sent: Monday, August 16, 2004 7:59 PM
> >> >> To: lb-lIZZATvegan.net
> >> >> Subject: Re: [load balancing] Megaproxy issue - Alteon
> >> >>
> >> >> Try 255.255.240.0
> >> >>
> >> >> --- CihanSIZZATgaranti.com.tr wrote:
> >> >>
> >> >> >
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > I am having a problem with megaproxy sites accessing my servers. Even though
> >> >> > my pmask is set to 255.255.255.0, clients that are changing the IP
> >> >> > address frequently and staying within the limits of the PMASK value are
> >> >> > losing sessions because of the wrong realserver selection by AD3. I am
> >> >> > running 9.0.45 code for the moment...
> >> >> >
> >> >> > I have 3 ISDs and AD3 redirects the 443 traffic on them with HASH
> >> >> > (there is no other possibility for redirect filter) and from ISD to
> >> >> > realservers metric is PBIND... I am assuming this may also be the
> >> >> > problem area for megaproxy clients... Any suggestions to resolve such a
> >> >> > problem...
> >> >> >
> >> >> > ***********************************************************
> >> >> > Cihan SUBASI
> >> >> > Garanti Technology
> >> >> > Internet ve Yazilim Hizmetleri
> >> >> > Tel:(90)(212)4783426 GSM:(90)(533)(2750353) Fax:(90)(212)6576150
> >> >> > http://www.garantitechnology.com
> >> >> > mailto:cihansIZZATgaranti.com.tr
> >> >> > Success is a wonderful thing, but never underestimate the value of
> >> >> > failure. Failure teaches many more things than success ever can.
> >> >> > ***********************************************************
=== message truncated ===
____________________
The Load Balancing Mailing List
Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
Archive: http://vegan.net/lb/archive
LBDigest: http://lbdigest.com
MRTG with SLB: http://vegan.net/MRTG
Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2.1.4 : Wed Aug 25 2004 - 06:56:38 EDT
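
The persistence-mask argument in this thread, as an added illustration that is not code from any poster or from the Alteon software: one user's requests arrive from two proxy addresses over HTTP and directly over HTTPS, and a source-IP balancer binds each masked network to a server. The addresses, server names and round-robin choice for new bindings are constructed assumptions.

```python
import ipaddress

REAL_SERVERS = ["rs1", "rs2", "rs3"]           # hypothetical real servers

# Constructed sample: one user, seen from three source addresses.
HTTP_ONLY = ["198.18.16.10", "198.18.21.77"]   # two proxies, same /20, different /24
HTTP_AND_HTTPS = HTTP_ONLY + ["203.0.113.25"]  # HTTPS sent directly by the client

def persistence_key(src_ip, mask):
    """Network part of src_ip under a dotted-quad persistence mask."""
    return int(ipaddress.IPv4Address(src_ip)) & int(ipaddress.IPv4Address(mask))

class SourceIpBalancer:
    """Binds each masked source network to the server first chosen for it."""
    def __init__(self, mask):
        self.mask, self.bindings, self.count = mask, {}, 0

    def select(self, src_ip):
        key = persistence_key(src_ip, self.mask)
        if key not in self.bindings:           # new network: round-robin (assumption)
            self.bindings[key] = REAL_SERVERS[self.count % len(REAL_SERVERS)]
            self.count += 1
        return self.bindings[key]

def servers_hit(mask, sources):
    """Real server chosen for each request of the same user, in order."""
    lb = SourceIpBalancer(mask)
    return [lb.select(ip) for ip in sources]

def sticks(mask, sources):
    """True when every request of the session reaches the same real server."""
    return len(set(servers_hit(mask, sources))) == 1

def cookie_servers_hit(sources):
    """Cookie persistence: the first response sets a cookie naming the server and
    later requests are routed by it, so the source address is never consulted.
    On HTTPS the balancer sees the cookie only if it terminates SSL."""
    cookie, hits = None, []
    for _ in sources:
        if cookie is None:
            cookie = REAL_SERVERS[0]
        hits.append(cookie)
    return hits

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.240.0", "0.0.0.0"):
        print(mask, "HTTP only:", sticks(mask, HTTP_ONLY),
              "| HTTP+HTTPS:", sticks(mask, HTTP_AND_HTTPS),
              servers_hit(mask, HTTP_AND_HTTPS))
    print("cookie", cookie_servers_hit(HTTP_AND_HTTPS))
```

With mask 0.0.0.0 the session sticks only because every client collapses onto one binding, so no load is distributed.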