Forum Discussion
Lance_Simon_557
Mar 22, 2008
Historic F5 Account
Fallback URL for SSL pass through
I'd like to have a fallback url to send traffic to if I do not have any pool members available for my "pass through" SSL VIP. I was thinking that this might work, but I was wrong:
when CLIEN...
hoolio
Cirrostratus
Apr 03, 2008
If you're able to import the SSL cert and key to the BIG-IP, you could use a rule to check whether there are any members available in the pool. If there are members available, the requests would be passed through the BIG-IP without trying to decrypt the HTTPS. If no members are available, you could use the cert/key to decrypt the traffic and send an HTTP redirect. The VIP configuration would need a client SSL profile and an HTTP profile.
The rule would look something like this:
    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: Received connection with active members: [active_members [LB::server pool]]"
        # Check if there are members available in the VIP's default pool
        if {[active_members [LB::server pool]]} {
            # Disable the client SSL profile so the HTTPS traffic is passed through encrypted to the node
            SSL::disable
            # Disable the HTTP profile as we're not going to redirect this request
            HTTP::disable
            log local0. "[IP::client_addr]:[TCP::client_port]: Members available"
        }
    }
    when HTTP_REQUEST {
        # The HTTP_REQUEST event is only triggered if the pool members are down and the client SSL and HTTP profiles are left enabled
        # Redirect the client
        HTTP::redirect https://maintenance.example.com
        log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request"
    }

Note that this rule won't redirect the client if the pool is up when the connection is established and then it goes down. I tried addressing this by adding some logic to the LB_FAILED event to enable the client SSL and HTTP profiles and send a redirect. This resulted in a TMM restart. I'm guessing none of these commands are allowed in the LB_FAILED event.
Also, once you're done testing, comment out the log statements.
Aaron