Forum Discussion
uni
Apr 12, 2012
Thanks Hoolio. I decided to go with the cookie insert method. It means my rule remains independent of the application and avoids the session table updates. It also remains independent of the actual snatpool, unlike the hashing method.
This is the code I ended up with:
rule snat-cookie-persistence-rule {
    timing on
    when RULE_INIT {
        # Cookie that carries the encrypted SNAT address back on later requests
        set static::stgcookie "STGSESSION"
        # AES-128 key, 32 hex characters; this value is a placeholder to be replaced
        set static::aes_key "AES 128 0123456789abcdef0123456789abcdef"
    }
    when HTTP_REQUEST {
        set cookieexists [HTTP::cookie exists $static::stgcookie]
        if { $cookieexists } {
            # Decrypt the cookie; if decryption fails, catch returns 1 and snatip holds the error text
            if { not [catch {AES::decrypt $static::aes_key [b64decode [HTTP::cookie value $static::stgcookie]]} snatip] } {
                log local0. "setting snat address $snatip"
                # Catch the snat call too, so a cookie that decrypts to something that is
                # not an address is ignored instead of aborting the connection with a TCL error
                if { [catch {snat $snatip}] } {
                    log local0. "ignoring cookie, $snatip is not a usable snat address"
                }
            }
        }
    }
    when HTTP_RESPONSE {
        # Only a connection that arrived without the cookie gets it set
        if { not $cookieexists } {
            # The server-side local address differs from the client address only when a SNAT was applied
            if { [serverside {IP::local_addr}] ne [clientside {IP::remote_addr}] } {
                log local0. "inserting cookie value [serverside {IP::local_addr}]"
                HTTP::cookie insert name $static::stgcookie value [b64encode [AES::encrypt $static::aes_key [serverside {IP::local_addr}]]]
            }
        }
    }
}
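The same cookie round trip written out in Go, as an added example that is not part of uni's post or any F5 code. It stands in for the iRule's AES::encrypt / b64encode on the response and b64decode / AES::decrypt on the request, but uses AES-GCM (an assumption about how one would build this outside iRules, not a description of what F5's AES commands do) so that a cookie a client has edited fails authentication rather than decrypting to arbitrary bytes, and it parses the decrypted text as an IP address before anything could hand it to a SNAT command. The key, cookie name and address are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
)

// cookieName mirrors the post's STGSESSION cookie; demoKey is a constructed
// 16-byte (AES-128) placeholder, the counterpart of the iRule's hex key string.
const cookieName = "STGSESSION"

var demoKey = []byte("0123456789abcdef")

// newGCM builds the AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSNAT is the response side: it takes the SNAT address chosen for the
// connection and returns the cookie value base64(nonce || ciphertext || tag).
// The cookie name is bound in as associated data, so the value only verifies
// when presented under that cookie.
func sealSNAT(key []byte, snatIP string) (string, error) {
	ip := net.ParseIP(snatIP)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", snatIP)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(ip.String()), []byte(cookieName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openSNAT is the request side. Every failure (bad base64, truncated value,
// wrong key, any modified byte, or a plaintext that is not an IP address)
// is returned as an error, so the caller never forwards an unchecked value.
func openSNAT(key []byte, cookieValue string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cookieValue)
	if err != nil {
		return "", fmt.Errorf("cookie not base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("cookie too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
	if err != nil {
		return "", fmt.Errorf("cookie rejected: %w", err) // tampered or wrong key
	}
	ip := net.ParseIP(string(pt))
	if ip == nil {
		return "", errors.New("decrypted value is not an IP address")
	}
	return ip.String(), nil
}

// tamper flips one bit of the decoded cookie, modelling a client editing it.
func tamper(cookieValue string) string {
	raw, err := base64.StdEncoding.DecodeString(cookieValue)
	if err != nil || len(raw) == 0 {
		return cookieValue
	}
	raw[len(raw)-1] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	// Constructed sample: the server-side local address a SNAT pool handed out.
	cookie, err := sealSNAT(demoKey, "10.1.20.5")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Set-Cookie: %s=%s\n", cookieName, cookie)

	if ip, err := openSNAT(demoKey, cookie); err == nil {
		fmt.Println("snat", ip)
	}
	if _, err := openSNAT(demoKey, tamper(cookie)); err != nil {
		fmt.Println("edited cookie ignored:", err)
	}
}
```

The part worth carrying back to the iRule is the shape of openSNAT: the cookie is a client-supplied input that selects an egress address, so it should have to pass decryption, integrity and an address-format check before anything acts on it, and each failure should be logged and dropped rather than left to surface as a runtime error on the connection.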