WebMux SSL Session ID Persistence

AVANU’s WebMux SSL Session ID Persistence gives you another option to maintain HTTPS server persistence on the WebMux in deployments where differentiating source clients by IP address or application-level information (such as the X-Forwarded-For MIME header data) is impossible due to the use of reverse proxies and SSL passthrough (where SSL termination is handled between the real servers behind the WebMux and the clients). In this situation, the reverse proxy might effectively make all the incoming clients appear to come from a single IP address on the reverse proxy itself. There is also the added limitation of not being able to see the original IP address of the client, because the X-Forwarded-For MIME header information will be encrypted. Only the real server will be able to decrypt that data. Since there is no other data that the WebMux can see to differentiate the incoming clients, a persistent scheduling method will send all connections to a single server in the Farm.

In such a scenario, SSL Session ID Persistence is an option you can enable for an HTTPS service that uses any of the persistent-type scheduling methods. This setting allows the WebMux to use the SSL Session ID as the identifier to differentiate the incoming clients, even if they are coming from the same IP address. The WebMux can then distribute initial connections to the different real servers and maintain client-server persistence for subsequent connections from the same client.

In order for this feature to work, you must make sure your Apache server is configured to have the mod_socache_shmcb module loaded and the appropriate SSLSessionCache and SSLSessionCacheTimeout settings in the HTTPS server configuration. Also, it is mandatory to have “SSLSessionTickets Off” in order for Apache to issue SSL Session IDs. Please refer to your IIS or Nginx documentation for equivalent settings. This was tested in AVANU’s lab using an Apache server.
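
The following is an added example, not AVANU's code or the WebMux implementation: a simplified Python model of the persistence described above and of why the real server must issue session IDs. It reads the session ID from the cleartext TLS hello, which is all a passthrough device can see. The server names, session IDs and hello records are constructed sample data in TLS 1.2 layout.

```python
import itertools

def hello_session_id(record: bytes) -> bytes:
    """Return the session_id field of a cleartext TLS ClientHello or ServerHello."""
    if len(record) < 5 or record[0] != 0x16:            # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    msg = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(msg) < 4 or msg[0] not in (1, 2):            # 1 = ClientHello, 2 = ServerHello
        raise ValueError("not a ClientHello or ServerHello")
    # Both hellos begin: version(2) + random(32) + session_id length(1) + session_id
    hello = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(hello) < 35 or len(hello) < 35 + hello[34]:
        raise ValueError("truncated hello")
    return hello[35:35 + hello[34]]

class SessionIdPersistence:
    """Simplified model of session-ID persistence (hypothetical, not WebMux code)."""
    def __init__(self, servers):
        self._next = itertools.cycle(servers)
        self.table = {}                                  # session ID -> real server

    def on_client_hello(self, record: bytes) -> str:
        # A known session ID goes back to its server; anything else is scheduled anew.
        return self.table.get(hello_session_id(record)) or next(self._next)

    def on_server_hello(self, record: bytes, server: str) -> bool:
        sid = hello_session_id(record)
        if sid:                  # empty means the server issued no session ID
            self.table[sid] = server
        return bool(sid)

def make_hello(msg_type: int, session_id: bytes) -> bytes:
    """Build a constructed TLS 1.2 hello record (sample data, not captured traffic)."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\xc0\x2f\x01\x00" if msg_type == 1 else b"\xc0\x2f\x00"
    msg = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(msg).to_bytes(2, "big") + msg

def demo():
    """Two clients behind one proxy IP: new sessions spread out, resumptions stick."""
    lb = SessionIdPersistence(["rs1", "rs2"])            # hypothetical server names
    placed = []
    for sid in (b"\xaa" * 32, b"\xbb" * 32):             # constructed session IDs
        server = lb.on_client_hello(make_hello(1, b""))  # first visit: no session ID yet
        lb.on_server_hello(make_hello(2, sid), server)
        placed.append(server)
    resumed = [lb.on_client_hello(make_hello(1, s)) for s in (b"\xbb" * 32, b"\xaa" * 32)]
    return placed, resumed

if __name__ == "__main__":
    print(demo())
```

When a real server returns an empty session ID, on_server_hello records nothing, so the model has no key to persist on for that client.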