Craig_17766
Jul 10, 2013

Marking node for maintenance but accessible for testing

Hi all,

We have a website over 3 nodes on a virtual server with source persistency.

We use a monitor to check for a specific html file to pull the node out for maintenance.

The issue I have is that we want to pull a node out of the pool for maintenance but also have it accessible via the virtual server only from a specific IP address for testing purposes, when we’re happy we’ll rename the html back to have it included for general use.

My question is, even if a node is marked down, can I still select it?

I plan on using more logic, but maybe something like:

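when CLIENT_ACCEPTED {
    # Connections from the test client go straight to the node under maintenance.
    # IP::client_addr is the source address of the connection.
    if { [IP::addr [IP::client_addr] equals 172.16.32.2] } {
        node 172.16.16.1 80
    } else {
        # Everyone else is load balanced across the pool as usual
        pool current_site_pool
    }
}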

Any hints or tips greatly appreciated.

Thanks.

4 Replies

  • The above iRule should work, but you'll always go to this server node if your IP address matches. You may want to consider two options:

    1. Only use the node command if the client IP matches and the designated IP address is currently marked down by the monitor.

    2. Only use the node command if the client IP matches and a data group entry exists (ex. maintmode := 1).
  • Great thanks.

    Looking at this from a different angle, can I do something like this? A mixture of URI rewriting and node selection?

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/node1" } {
            HTTP::uri "/"
            node 172.16.16.1 80
        } else {
            pool ...
        }
    }

  • Not only that, but you could selectively (and dangerously) point to a specific node in the URI:

    URI = /?node-select=172.16.16.1.80 ** notice value equals IP.PORT (172.16.16.1 80)**

    when HTTP_REQUEST {
        # Only the test client may pick a node through the URI
        if { ( [IP::client_addr] equals "172.16.32.2" ) and ( [HTTP::uri] starts_with "/?node-select=" ) } {
            catch {
                # Split the value after "=" into four octets and a port
                scan [lindex [split [HTTP::uri] "="] 1] {%d.%d.%d.%d.%d} ip1 ip2 ip3 ip4 port
                node $ip1.$ip2.$ip3.$ip4 $port
                HTTP::uri "/"
            }
        }
    }
    

  • Great, thanks - I have this working, but I have a few questions, if you don't mind.

    Is the existing persistency profile still used when using irules? - When hitting the VIP, I could get redirected then directed back again to this VIP and lose the ‘node-select=172.16.16.1.80’

    Should I set additional persistency within the irule for this?

    Another issue that I may have is that we use a proxy, all testing will appear to originate from one location but several users will want to directly hit one of 4 nodes independently.

    Thanks,

    Craig.
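
Added example, not written by any poster in this thread or by F5: a stricter variant of the node-select rule from the third reply that accepts the requested IP.PORT only if it is a configured member of the pool and, per option 1 in the first reply, only while the monitor has that member marked down. The pool name and test client address come from the posts above; it assumes `members -list` returns plain "address port" pairs with no route domain suffix.

```tcl
when HTTP_REQUEST {
    # Normal traffic: load balance across the pool named in the original post.
    pool current_site_pool

    # Only the test client from the thread may ask for a specific node.
    if { ![IP::addr [IP::client_addr] equals 172.16.32.2] } { return }
    if { !([HTTP::query] starts_with "node-select=") } { return }

    # Parse IP.PORT. The trailing %s only converts if something follows
    # the port, so any count other than 5 means a malformed value.
    set n [scan [HTTP::query] "node-select=%d.%d.%d.%d.%d%s" a b c d port rest]
    if { $n != 5 } {
        log local0. "node-select rejected (malformed) from [IP::client_addr]"
        return
    }
    set addr "$a.$b.$c.$d"

    # Accept the value only if it names a configured member of this pool,
    # so the URI cannot steer the connection to an arbitrary address.
    # Assumption: members are listed as "address port" with no %route-domain.
    if { [lsearch -exact [members -list current_site_pool] [list $addr $port]] < 0 } {
        log local0. "node-select rejected (not a pool member): $addr $port"
        return
    }

    # Option 1 from the first reply: bypass load balancing only while the
    # monitor has this member marked down (i.e. it is in maintenance).
    if { [LB::status pool current_site_pool member $addr $port] ne "down" } {
        return
    }

    # Strip the selector before the request reaches the web server.
    HTTP::uri "/"
    node $addr $port
}
```

Requests that fail any check fall through to `pool current_site_pool`, so a bad or stale selector behaves like ordinary traffic.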