Forum Discussion
Dbow_21284
Nimbostratus
May 21, 2009
HTTPS VIP - Redirect to Maintenance Page
Hey everyone,
Fairly new to F5s, used to the GUI stuff (laugh all you want)! Anyway, I have a site that is HTTPS only, and I need to redirect to a maintenance page if all the nodes in the pool are down. I see it's easy in an HTTP VIP via the HTTP profile fallback parameter or via an iRule to look at the active_members in a pool and redirect to a maintenance page if not available.
But for HTTPS, I can't find an iRule to do this. I assume https_request syntax does not exist.
Does anyone have an iRule that does this? Or if not an iRule how else can you do it? Do I have to offload the SSL cert to the LB?
Your help is appreciated.
Dave
PS: I looked for a topic on this with no luck. Sorry if I duplicated. Thanks again in advance.
17 Replies
- JRahm
Admin
I think Hoolio posted a solution a while back that only offloads if all the pool members are down. Let me dig...
- Dbow_21284
Nimbostratus
Wow that was a darn quick reply! Thanks so much!
- JRahm
Admin
Found it: https://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=21920&view=topic
- Dbow_21284
Nimbostratus
I found this one:

```tcl
when CLIENT_ACCEPTED {
    # Set this flag to 1 to decrypt the SSL and send a redirect to the client.
    # Set to 0 to pass the SSL through without decrypting it.
    set maintenance_redirect 1
    log local0. "[IP::client_addr]:[TCP::client_port]: Received connection with maintenance flag set to $maintenance_redirect"

    # Check if the maintenance flag is disabled (set to 0)
    if {$maintenance_redirect == 0} {
        # Disable the client SSL profile so the HTTPS traffic is passed through encrypted to the node
        SSL::disable
        # Disable the HTTP profile as we're not going to redirect this request
        HTTP::disable
        log local0. "[IP::client_addr]:[TCP::client_port]: Maintenance flag is disabled"
    }
}

when HTTP_REQUEST {
    # The HTTP_REQUEST event is only triggered if the maintenance flag is enabled
    # and the client SSL and HTTP profiles are left enabled
    # Redirect the client
    HTTP::redirect "https://maintenance.example.com"
    log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting request"
}
```

But I don't see in the code where it detects if all the pool members are available or not.
- hoolio
Cirrostratus
Thanks Citizen. The codeshare example has a slight improvement over the original post in that the TCP connection is closed. This prevents the client from being redirected if they reuse a TCP connection after the pool member has come back up.
ddenbow, that example was for a different scenario, so it used a manual switch to enable/disable the decryption and redirection. The codeshare example should do what you're looking for.
Aaron
- Dbow_21284
Nimbostratus
Unbelievable this got answered in less than an hour! Thanks so much guys I really appreciate it!
- Dbow_21284
Nimbostratus
Ok I see that you have to have SSL offloaded though, which I am not currently doing for the site in question (which is OWA BTW).
Is there a way to do this without offloading SSL to the LTM?
- JRahm
Admin
Well, the beauty is that it is not offloading unless the servers are all down. No way around offloading if you want to respond to the client.
- Dbow_21284
Nimbostratus
So I have to have the certificate for the site on the VIP then?
- JRahm
Admin
yes, and it will sit dormant until the scenario where all servers are down.
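
The approach the replies describe, written out as an added example (not part of the thread and not the codeshare code itself): the pool check the original poster was missing replaces the manual flag, and the connection is closed after the redirect as hoolio describes. It assumes the virtual server has a client SSL profile with the site's certificate, an HTTP profile, and a default pool; the maintenance URL is the placeholder from the post above.

```tcl
when CLIENT_ACCEPTED {
    # [LB::server pool] returns the virtual server's default pool here.
    # active_members returns how many members of that pool are currently up.
    if {[active_members [LB::server pool]] > 0} {
        # At least one server is up: do not decrypt. Pass the SSL through
        # to the pool member and skip HTTP processing on the LTM, so the
        # certificate on the VIP stays dormant.
        SSL::disable
        HTTP::disable
    } else {
        # All members are down: leave the client SSL and HTTP profiles
        # enabled so the LTM terminates SSL and HTTP_REQUEST fires.
        log local0. "[IP::client_addr]:[TCP::client_port]: No active members in [LB::server pool], decrypting to redirect"
    }
}

when HTTP_REQUEST {
    # Only reached when the profiles were left enabled above,
    # i.e. when every pool member was down at connection time.
    HTTP::respond 302 Location "https://maintenance.example.com" Connection Close

    # Close the TCP connection so a client that reuses it is not still
    # redirected after a pool member has come back up.
    TCP::close
}
```

Because the decision is made once per TCP connection in CLIENT_ACCEPTED, the maintenance host must present a certificate the client trusts for the original site name on the VIP, which is why the certificate has to be installed on the LTM even though it is only used during an outage.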