how to maintain the cookie persistence in F5 BIGIP proxied via cloudflare

Ajit Kumar
24 Jan, 2024

Description:

Many organizations leverage Cloudflare as a robust proxy solution to enhance security and performance, directing client requests efficiently to an  on-prem F5 bigip load balancer. However, this setup often introduces challenges with cookie persistence/session affinity , crucial for maintaining consistent client sessions across multiple servers. In this article, we delve into the intricacies of the problem and present a comprehensive solution

Cause for the F5 Session affinity issue

Cludflare Http Keep-alive

Cloudflare maintains keep-alive connections to improve performance and reduce cost of recurring TCP connects in the request transaction as Cloudflare proxies customer traffic from its edge network to the site’s origin, cloudflare reuses open TCP connections for up to 15 minutes (900 seconds) after the last HTTP request. Origin web servers close TCP connections if too many are open. HTTP Keep-Alive helps avoid premature reset of connections for requests proxied by Cloudflare.

F5 BIGIP session persistence behavior

By default, the BIG-IP system performs load balancing once for each TCP connection, rather than for each HTTP request within that connection. After the initial TCP connection is load balanced, all HTTP requests seen on the same connection are sent to the same pool member. 

F5 BIG-IP load balancers set a session cookie at the beginning of a TCP connection (if none exists) and then ignore all cookies from subsequent HTTP requests on the same TCP connection. This tends to break session affinity because Cloudflare sends multiple HTTP sessions on the same TCP connection.

Solution for F5 with cloudflare:

To overcome this session affinity issue with cloudflare and F5 BIGIP,  You can modify this behavior by forcing the server-side connection to detach after each HTTP request, which in turn allows a new load balancing decision according to changing persistence information in the HTTP request.

You can force the server-side detachment by either applying both an HTTP profile and a OneConnect profile to the virtual server, or by using an iRule to explicitly detach the server-side connection before each HTTP response request.

Oneconnect profile

Create a new oneconnect profile with Source Mask set to /32 ,the Source Mask setting specifies the mask applied to the source IP address to determine the connection's eligibility to reuse a server-side connection, as the cloudflare sends the traffic from its multiple proxy IP's .

By using OneConnect, the client is not fixed to a backend server by a TCP connection, rather it will load balance the HTTP requests individually so if in the same TCP session it sees different cookies with different persistence information, it will honour that. This also ensures the cookies are set with each HTTP response.

solution with irule

use the below irule instead of using the oneconnect profile

when HTTP_REQUEST {
    if {[HTTP::cookie names] contains "BIGipServer"}{
        catch {LB::detach}
    }
}

Conclusion:

In conclusion, by incorporating OneConnect profiles into your F5 load balancer configuration, you can overcome the challenges associated with cookie persistence when utilizing Cloudflare as a proxy. This solution not only resolves the immediate issues but also contributes to a more streamlined and performant web application environment.
No Comment
Add Comment
comment url