Site Dwon Page form https virtual server

Question

I read several of the posts, but I could not find anything that would point me to the right direction. 
&nbsp; Here it is the question: 
&nbsp; setup 
&nbsp; We have two VS (http and https), F5 is only setup to pass traffic through, meaning, the SSL is terminated on the servers not on F5 boxes.   
&nbsp; question 
&nbsp; We would like to display some "Site Down" page when all the servers from the https pool were down for some reason? 
&nbsp; I see lots of these type of iRules, but only for http. 
&nbsp;  
&nbsp; any help is appreciated. 
&nbsp;  
&nbsp; RF 
&nbsp;

hoolio · Answer

Here is an example which allows LTM to send an HTTP redirect if all members of the pool are down.  It depends on the SSL cert and key being imported to LTM.  The traffic is only decrypted if the pool is down. 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPS_passthrough_fallback_URL.html 
&nbsp;  
&nbsp; Aaron

rico_110363 · Answer

I saw this post, but and I can import the cert and key, but the issue is that this VIP does not have client or server SLL profiles.  The servers are doing the SSL termination.  F5 is only balancing the traffic.   I'll re-read the post, I may have missed something. 
&nbsp; Thank you

hoolio · Answer

The idea is that you import the cert and key, create a client SSL profile and add the client SSL profile and an HTTP profile to the VIP.  The iRule checks if the pool is up.  If so, the client SSL and HTTP profiles are disabled.  The traffic is then passed through LTM encrypted.  If the pool doesn't have any available members, then the client SSL and HTTP profiles are enabled and LTM sends a redirect to the client. 
&nbsp;  
&nbsp; Aaron

brice · Answer

Hoolio, I think you are over thinking this.  He just wants to redirect to an "under construction" server pool if there aren't any servers in the default pool.  This doesn't need to know anything about the SSL.  The logic is just this:  If no members:443 up, then try this other pool:443. 
  
 The members of that other pool will need to have the certs, and be listening on 443 or you will break SSL, especially with current browsers.  This is completely untested, but in theory should work...

when CLIENT_ACCEPTED { 
 if {[active_members My_SSL_Pool] &gt; 0} { 
 pool My_SSL_Pool 
 } else { 
 pool Under_Construction_Pool 
   } 
 }

hoolio · Answer

Good point.  If you have multiple servers and some can host a sorry page, you could configure the "sorry server" to respond to any HTTP request with the sorry content.  The server would need to have the cert and key installed to avoid a browser warning.  You could configure the sorry server in the same pool as the normal servers, but at a lower priority.  This would not require using an iRule.  Or if the server would only answer for a specific object with the sorry page content, you could use the above rule and rewrite the URI to /sorry.html or whatever the sorry page name is. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Site Dwon Page form https virtual server

Recent Discussions

Big IP DNS Failover

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

Related Content

Handling HTTP Requests on an HTTPS Virtual Server

iControl REST Cookbook - Virtual Server (ltm virtual)

virtual server config

HTTP and HTTPS on a single virtual server

Check a Virtual Server's SSL Status

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS