iRule "Sorry server" pool change from SSL to non-SSL?
Hello DevCentral -
I am working with a team member on something that has turned into a rather unusual request. For our normal service, the client connects SSL, we break that connection, insert some cookies, and re-encrypt to the back-end pool members. So it's SSL (browser)=>LTM=>SSL (pool member). Now we'd like to serve up some nicer content if no pool members are available. We have a new pool defined serving up the content, and I am using the following iRule:

    when LB_FAILED {
        if { [active_members my-pool-443] == 0 } {
            pool sorry-pool-80
        }
    }

This does not work as expected since we're doing the re-encryption. Is there any other option than running SSL on the sorry server?
Thanks!!!
6 Replies
- Cory_50405
Noctilucent
You can specify a fallback host in the HTTP profile attached to your virtual server. It would be used in the case that no pool members were available.
- Mark_J__Schelle
Nimbostratus
The Fallback Host option would end up sending a redirect to the client's browser, would it not? We are trying to serve up the Sorry page without any redirect - just show it instead of the normal page.
Thank you!!!
- Cory_50405
Noctilucent
Yes, that sends back an HTTP 302.
- nitass
Employee
can we just disable ssl on serverside?
e.g.
    config

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo443
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 6
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo443
    ltm pool foo443 {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool sorry80
    ltm pool sorry80 {
        members {
            200.200.200.111:80 {
                address 200.200.200.111
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [active_members [LB::server pool]] <= 0 } {
                SSL::disable serverside
                pool sorry80
            }
        }
    }

    pool443 is up

    [root@ve11a:Active:In Sync] ~ curl -k https://172.28.24.10
    This is 101 host.

    pool443 is down

    [root@ve11a:Active:In Sync] ~ tail -f /var/log/ltm
    Jan 22 23:40:14 ve11a notice mcpd[6957]: 01070638:5: Pool /Common/foo443 member /Common/200.200.200.101:443 monitor status down. [ /Common/fake: down ] [ was unchecked for 0hr:7mins:54sec ]
    Jan 22 23:40:14 ve11a err tmm[14419]: 01010028:3: No members available for pool /Common/foo443
    Jan 22 23:40:14 ve11a err tmm1[14419]: 01010028:3: No members available for pool /Common/foo443

    [root@ve11a:Active:In Sync] ~ curl -k https://172.28.24.10
    This is 111 host.

- Mark_J__Schelle
Nimbostratus
That was exactly the right answer nitass - thank you!!!
One twist on this - is it also possible to put up a "sorry-sorry" static HTML served right from the LTM in the case of both failed regular pool and failed sorry pool?
- nitass
Employee
is it also possible to put up a "sorry-sorry" static HTML served right from the LTM in the case of both failed regular pool and failed sorry pool?
yes, it is definitely possible. :)
v11.1–External File Access from iRules via iFiles by Jason Rahm
offloading content with ifiles
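
The three tiers discussed in this thread combined into one iRule, as an added example that is not code from any of the replies above. The pool names foo443 and sorry80 are taken from the configuration posted earlier; the iFile object name sorry_html is hypothetical and assumes a static page has already been imported as an iFile. Because the hop to the sorry pool is unencrypted, the example also strips the Cookie and Authorization headers before forwarding.

```tcl
# Added example, not from the thread.
# Assumptions: pools foo443 (HTTPS) and sorry80 (HTTP) as in the posted config;
# "sorry_html" is a hypothetical iFile object holding a static HTML page.
when HTTP_REQUEST {
    if { [active_members foo443] > 0 } {
        # Normal path: re-encrypt to the HTTPS pool. Re-enable explicitly in
        # case an earlier request on this connection disabled server-side SSL.
        SSL::enable serverside
        pool foo443
    } elseif { [active_members sorry80] > 0 } {
        # The sorry server only speaks HTTP, so this hop is cleartext.
        # Remove credentials the static page has no use for before forwarding.
        HTTP::header remove "Cookie"
        HTTP::header remove "Authorization"
        SSL::disable serverside
        pool sorry80
    } else {
        # Both pools are down: answer from the LTM itself with the iFile body.
        HTTP::respond 503 content [ifile get "sorry_html"] \
            "Content-Type" "text/html" \
            "Cache-Control" "no-store" \
            "Retry-After" "60" \
            "Connection" "close"
    }
}
```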