Martin_Vlasko
Mar 25, 2015

Sorry Page for VS without HTTP profile

I need to implement a Sorry Page solution on our LTM. The sorry page should be shown to the user if all pool members of a particular VS are down.

I have a VS listening on IP:443 and I am doing only simple load balancing; there is no SSL profile nor HTTP profile attached to the VS.

I cannot use the following iRule, because my VS does not have any HTTP/SSL profile attached, so it does not decrypt the SSL data and hence cannot respond with HTTP::respond:

when HTTP_REQUEST {
    # HTTP_REQUEST only fires when an HTTP profile is attached (and, for TLS, a client SSL profile)
    if { [active_members [LB::server pool]] == 0 } {
        # serve the page stored on the BIG-IP as an iFile
        HTTP::respond 200 content [ifile get iFile_name]
    }
}

Also, I cannot use the following iRule because I don't want to host the sorry page on a backend server.

when HTTP_REQUEST {
    if { [active_members [LB::server pool]] == 0 } {
        # sends the client elsewhere; needs an HTTP profile as well
        HTTP::redirect "http://www.google.com"
    }
}

The best would be to manage the sorry page directly from the F5, for example via the iFile.

What would be the ideal solution in my case?

4 Replies

  • You're pretty much stuck with using something unique unless you're willing to add the HTTP and SSL profiles.

    The easy solution would be to have a dedicated pool to service the sorry pages. You can't do redirects or mess with the unencrypted headers unless you apply those other profiles.

    when CLIENT_ACCEPTED {
      # CLIENT_ACCEPTED fires for every TCP connection, with or without HTTP/SSL profiles
      if { [active_members [LB::server pool]] == 0} {
        # no members left in the default pool: steer the raw connection to a sorry pool
        if { [TCP::local_port clientside] eq "443" } {
            pool sorry_https_pool
        } else {
            pool sorry_http_pool
        }
      }
    }

    Probably worth noting that since you're not terminating SSL, you would need to have one pool for HTTP and one for HTTPS.

    • cdougall_14195
      Correction to that rule: [TCP::local_port] rather than [TCP::local_port clientside].
    • Martin_Vlasko
      My virtual server listens only on port 443, so I assume I don't need to care about HTTP. But the suggestion below from THi looks promising; I will give it a try.
  • THi

    Just an idea: in some cases one can use another virtual server to produce the Sorry Page with the proper iRule HTTP::respond, iFile etc. syntax (and with http and client ssl profiles), basically creating a Sorry Page server within the BIG-IP.

    Then, instead of using the pool command, use the node command in the iRule (above), targeting this new so-called Layered Virtual when all pool members are down. In this fashion the Sorry Page layered virtual could be more generic and be used for multiple purposes. One can even parametrize it to create a more dynamic sorry page, for example by adding dynamic info in the headers.
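The layered-virtual pattern THi describes, written out as two iRules. This is an added example, not code from the thread or from F5; the virtual server name sorry_vs, its internal address 10.0.0.10:443, the pool name app_pool and the iFile name sorry_page are all assumed.

```tcl
# --- iRule A: attached to the existing pass-through VS (IP:443, no HTTP or SSL profile) ---
# When the VS's default pool has no active members, hand the raw TCP connection to
# the internal sorry-page virtual server instead of the pool.
# 10.0.0.10:443 is an assumed, internal-only address on which sorry_vs listens;
# app_pool is the assumed name of the application pool.
when CLIENT_ACCEPTED {
    if { [active_members [LB::server pool]] == 0 } {
        # node <address> <port> bypasses pool selection for this connection.
        # The client's TLS session is untouched here, so sorry_vs must present a
        # certificate the client trusts for the original hostname.
        node 10.0.0.10 443
        return
    }
    # normal path: let the default pool handle the connection
    pool app_pool
}

# --- iRule B: attached to sorry_vs, which carries an http profile and a client-ssl
# profile and has no pool. It answers every request from the iFile "sorry_page"
# (assumed name) and never forwards anything to a backend. ---
when HTTP_REQUEST {
    # 503 tells browsers and external monitors that the service is temporarily
    # unavailable; Cache-Control: no-store keeps the sorry page out of caches so
    # users see the real application as soon as the pool recovers.
    HTTP::respond 503 content [ifile get sorry_page] \
        "Content-Type" "text/html; charset=utf-8" \
        "Cache-Control" "no-store" \
        "Retry-After" "60"
}
```

Two things to check before relying on this: the client SSL profile on sorry_vs needs a certificate valid for the same hostname the users typed, otherwise the sorry page arrives with a certificate warning; and the address chosen for sorry_vs should not be reachable from outside, since iRule A is the only intended way in. On 11.x and later, the virtual iRule command can target the layered virtual by name instead of by address, which avoids the extra listener address altogether.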