For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

rdessert_76127's avatar
rdessert_76127
Icon for Nimbostratus rankNimbostratus
May 22, 2012

Creating a process for changing irule applied to a virtual server

Hi All,

 

 

Here's my situation...

 

 

I'm in the process of eliminating several IIS proxies by rolling the proxy function to LTM. In IIS this application used 2 different mod_rewrite scripts, one during normal operation and a different one during maintenance mode to redirect client connections to different servers / pages etc.

 

 

As part of the migration I have created 2 different irules to perform the same function the mod_rewrite scripts were doing when IIS was in use. Everything works great.

 

 

The situation I am trying to overcome is that the owners of this site used to have an automated process to switch between the IIS mod-rewrite scripts (using MOVEit) when they wanted to change from prod to maintenance mode. I would like to come up with a way to automate the change between the prod irule and the maintenance irule. I'm trying to avoid giving application owners accounts on the LTM's and training them how to change the irules applied to virtual servers. I'm also trying to avoid them having to call the F5 admin team to make the change for them.

 

 

I'm curious if any of you have been faced with a similar situation and / or have any input on how I could automate this via a script of some sort etc.

 

 

I appreciate all input!

 

 

Thanks,

 

 

Rich

 

application delivery
dev
devops
iRules

3 Replies

  • GavinW_29074's avatar
    GavinW_29074
    Icon for Nimbostratus rankNimbostratus
    May 23, 2012
    Rich

     

     

    I've done something very similar for our services to cover maintenance mode functionality.

     

     

    I came up with the following iRule, which allows an authorized user to hit a defined URI and enable/disable a maintenance window.

     

    https://devcentral.f5.com/wiki/irules.LTM-Dynamic-Maintenance-using-Session-Table.ashx

     

     

    The above iRule is light on security, however I've updated our local copy to include both a Client IP filter and a HTTP Basic Authentication check...

     

    Therefore if you've got multiple customers you could tweak the rule by having a different set of datagroups for each VS...

     

     

    Let me know if you want a copy of the iRule including the above security features.

     

     

    Regards

     

    Gavin
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    May 23, 2012
    Hi RDessert,

     

     

    You may also want to look at creating a Custom Health Check that would do what you are trying to accomplish as well.

     

     

    Example:

     

    You create a monitor for an Windows Service that you don't normally use (like TCP Print Services on Windows which runs on Port 515). Apply the monitor to the server pool and allow your Application Support Teams to control which servers are available in the pool by Enabling/Starting and Disabling/Stopping the Windows Service directly on the servers.

     

     

    This would require that they have access to start and stop Windows Services, but it is a simpler solution (less administrative overhead) than an iRule solution which would require on going collaboration with the Application Teams.

     

     

    Just another option.

     

     

    Hope this helps.