-------- Original Message --------
Subject: Re: Client IP changes on SSL- tricks load balancer
From: Maureen Barger <m...@cornell.edu>

> Your loadbalancer hosts your service name, www.bradsapp.com and it
> routes traffic to www1.bradsapp.com www2.bradsapp.com and
> www3.bradsapp.com. 

Pretty much yes, except we do not have separate DNS entries for each
server right now (www1, www2 etc)

> The LB is configured to use sticky sessions so the
> client will stay with the backend it first is routed to. 

Yes.

> Your loadbalancer is not configured to use SSL acceleration so any SSL
> request is routed to a backend webserver which has the SSL
> configuration. 

From my understanding, yes but I'm not positive.

> (FWIW LB do not read cookies. They manage stickiness
> internally and route accordingly. Communication between server and
> browser ideally has nothing to do with this.)

This has not been my understanding.  I have understood that LB's DO
manage sessions internally, but they _can_ inspect the cookies in the
requests to do so.  It has also been my understanding that LB's can add
their own cookies into the requests for this purpose. 
http://www.ssl-technology.com/ssl_persistence.htm

> Your backends are each single server installs of CF with apache or IIS
> in front of them. They manage sessions, set cookies and retain the SSL
> conf.

Yes.  IIS to be exact.

> When clients go to http://www.bradsapp.com, their IP is one value.
> However when they make the switch to SSL, their IP address changes.

Correct.

> This is evidenced in your logs. 

Yes.  I log each page request made to my server, the IP address, and
most of the CGI scope.

> Can you do an nslookup to compare origins? 

I have done whois lookups at www.netsol.com to confirm their origins and
they have always belonged to the same company or organization.  In one
instance, both IPs belonged to a military network.  In today's instance,
both IP addresses belonged to Verizon Wireless's network.  (A Verizon
Wireless employee was the person experiencing the problem today)

> Could the IP shown when SSL requests are made be that of the LB?

No.

> Can you replicate this behavior from your machines/subnets 

Doubtful.  I'm not sure how to do it firstly, and secondly, my office
building only has one external gateway (IP) for the traffic to
originate.

> or are your clients limited to one group who all access the app the same way?

No, my clients can be anyone in the US or Canada.

> What LB is being used here? 

Radware.  That's all I know at this point.

> Who manages its config?

A hosting company who manages our racks in space purchased from a data
center.

> Can you get a copy of its config as it pertains to your app?

I can try, but I'm new here and traditionally the LB's have been a
hands-off thing for the CF guy.

~Brad
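
Added example, not part of the original message: one way to run the comparison described above over a per-request log, flagging sessions whose client IP changes when they switch to SSL and checking whether both addresses fall in the same network block. The log layout, session ids, addresses and block list are constructed assumptions; the block list stands in for ranges an operator has confirmed through whois.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (session_id, scheme, client_ip). Not real data;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("sess-A", "http",  "198.51.100.17"),
    ("sess-A", "https", "198.51.100.202"),  # changes on SSL, same block
    ("sess-B", "http",  "203.0.113.5"),
    ("sess-B", "https", "203.0.113.5"),     # no change
    ("sess-C", "http",  "192.0.2.44"),
    ("sess-C", "https", "198.51.100.9"),    # changes, different block
]

# Assumption: ranges the operator has already attributed to one organization.
KNOWN_BLOCKS = {
    "carrier-pool (constructed)": ipaddress.ip_network("198.51.100.0/24"),
}

def owning_block(ip, blocks):
    """Return the name of the first block containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in blocks.items():
        if addr in net:
            return name
    return None

def classify_sessions(log, blocks):
    """Map session id -> 'no-change', 'same-network' or 'different-network'."""
    seen = defaultdict(lambda: defaultdict(set))
    for session_id, scheme, ip in log:
        seen[session_id][scheme].add(ip)
    result = {}
    for session_id, by_scheme in seen.items():
        http_ips, https_ips = by_scheme["http"], by_scheme["https"]
        # Addresses that first appear once the session is on SSL.
        new_on_ssl = https_ips - http_ips
        if not http_ips or not new_on_ssl:
            result[session_id] = "no-change"
            continue
        owners = {owning_block(ip, blocks) for ip in http_ips | https_ips}
        # One named owner for every address: likely a proxy or gateway pool.
        if len(owners) == 1 and None not in owners:
            result[session_id] = "same-network"
        else:
            result[session_id] = "different-network"
    return result

if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_LOG, KNOWN_BLOCKS).items():
        print(sid, verdict)
```
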


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:319842