[pfSense Support] Crazy Session State requirement

2009-09-18 Thread Nathan Eisenberg
Knee deep in a deployment of a load balanced web application, I've run into a 
bizarre requirement.

I have a HA PFSense cluster with 5 SSL load balanced virtual hosts, listening 
on IPs x.x.x.10-x.x.x.14.  These map back to 3 backend web servers serving 
xxx1.com-xxx5.com.  I've used this design many times, and never had a problem.

However, this application has some crazy cookie stuff built in.  Basically, a 
client may connect to xxx1.com, log in, browse some content, and then browse to 
xxx2.com.  Since these are separate load balanced virtual servers, the PF state 
tracking mechanism doesn't force the client to go to the same backend server, 
which means that the session information is inconsistent and the application 
breaks.

So, what I suppose I really need is a way of forcing the connection states to 
be per-source IP, rather than per source/dest.  Is this possible?  If not, 
other workaround suggestions would be lovely!

Thanks guys,
Nathan
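
The routing difference described in this post, as an added example that is not part of the original thread and is not pfSense or pf code: a simplified Python model of a round-robin pool whose affinity table is keyed either per source/destination or per source IP only. The class and function names, the client addresses and the idle timeout are assumptions made for illustration.

```python
from itertools import cycle

BACKENDS = ["web1", "web2", "web3"]   # constructed names for the 3 backends


class Balancer:
    """Round-robin pool per virtual host plus an affinity table (model only)."""

    def __init__(self, key_fn, ttl):
        self.key_fn = key_fn   # decides what an affinity entry is keyed on
        self.ttl = ttl         # seconds an idle affinity entry survives (assumed)
        self.pools = {}        # virtual host -> its own round-robin iterator
        self.table = {}        # affinity key -> (backend, last_seen)

    def route(self, src, vip, now):
        key = self.key_fn(src, vip)
        entry = self.table.get(key)
        if entry and now - entry[1] <= self.ttl:
            backend = entry[0]                      # live entry: same backend
        else:
            pool = self.pools.setdefault(vip, cycle(BACKENDS))
            backend = next(pool)                    # new or expired: rotate
        self.table[key] = (backend, now)
        return backend


def per_src_dst(src, vip):
    return (src, vip)      # affinity per source/destination pair


def per_src(src, vip):
    return src             # affinity per source IP only


def demo(key_fn, ttl=300, gap=10):
    """One client logs in on xxx1.com, then browses to xxx2.com `gap` s later."""
    lb = Balancer(key_fn, ttl)
    lb.route("198.51.100.7", "xxx1.com", now=0)   # other client advances pool
    first = lb.route("203.0.113.5", "xxx1.com", now=1)
    second = lb.route("203.0.113.5", "xxx2.com", now=1 + gap)
    return first, second


if __name__ == "__main__":
    print("per source/dest:", demo(per_src_dst))        # backends differ
    print("per source     :", demo(per_src))            # same backend
    print("per source, idle past ttl:", demo(per_src, gap=600))
```

The last case shows that per-source affinity only holds while the entry is alive: once it expires, the client is balanced again and can land on a backend without its session.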


Re: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Ermal Luçi
On Fri, Sep 18, 2009 at 7:24 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
> Knee deep in a deployment of a load balanced web application, I’ve run into
> a bizarre requirement.
>
> I have a HA PFSense cluster with 5 SSL load balanced virtual hosts,
> listening on IPs x.x.x.10-x.x.x.14.  These map back to 3 backend web servers
> serving xxx1.com-xxx5.com.  I’ve used this design many times, and never had
> a problem.
>
> However, this application has some crazy cookie stuff built in.  Basically,
> a client may connect to xxx1.com, log in, browse some content, and then
> browse to xxx2.com.  Since these are separate load balanced virtual servers,
> the PF state tracking mechanism doesn’t force the client to go to the same
> backend server, which means that the session information is inconsistent and
> the application breaks.
>
> So, what I suppose I really need is a way of forcing the connection states
> to be per-source IP, rather than per source/dest.  Is this possible?  If
> not, other workaround suggestions would be lovely!

Activate sticky option on 1.2.3-RC* installations.



-- 
Ermal

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Scott Ullrich
On Fri, Sep 18, 2009 at 1:26 PM, Ermal Luçi ermal.l...@gmail.com wrote:
> Activate sticky option on 1.2.3-RC* installations.

http://snapshots.pfsense.org has the RC3 file.

Scott




RE: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Nathan Eisenberg
> -Original Message-
> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
> Sent: Friday, September 18, 2009 10:26 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Crazy Session State requirement
>
> Activate sticky option on 1.2.3-RC* installations.
>
> --
> Ermal

To confirm - the sticky behavior in 1.2.3-RC3 is different than in 1.2.2?

Is there any documentation on this change that I can take a look at?





Re: [pfSense Support] Crazy Session State requirement

2009-09-18 Thread Ermal Luçi
On Fri, Sep 18, 2009 at 11:00 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
>> -Original Message-
>> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
>> Sent: Friday, September 18, 2009 10:26 AM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] Crazy Session State requirement
>>
>> Activate sticky option on 1.2.3-RC* installations.
>>
>> --
>> Ermal
>
> To confirm - the sticky behavior in 1.2.3-RC3 is different than in 1.2.2?

Well now it works!
Before it had issues.

> Is there any documentation on this change that I can take a look at?

Actually it is a kernel patch that has been integrated into FreeBSD
and fixes pf(4) behaviour of stickies.
There is not much documentation about that other than trying to work
as advertised in documentation.

For your curiosity
http://svn.freebsd.org/viewvc/base/head/sys/contrib/pf/net/pf.c?view=log
Revision 196372


-- 
Ermal
