Forum Discussion

Rico_110363
Jul 17, 2008

Site Down Page from https virtual server

I read several of the posts, but I could not find anything that would point me in the right direction.

 

Here is the question:

 

setup

 

We have two VS (http and https). F5 is only set up to pass traffic through, meaning the SSL is terminated on the servers, not on the F5 boxes.

 

question

 

We would like to display some "Site Down" page when all the servers from the https pool are down for some reason.

 

I see lots of these type of iRules, but only for http.

 

 

Any help is appreciated.

 

 

RF

 

5 Replies

  • Here is an example which allows LTM to send an HTTP redirect if all members of the pool are down. It depends on the SSL cert and key being imported to LTM. The traffic is only decrypted if the pool is down.

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPS_passthrough_fallback_URL.html

     

     

    Aaron
  • I saw this post, and I can import the cert and key, but the issue is that this VIP does not have client or server SSL profiles. The servers are doing the SSL termination. F5 is only balancing the traffic. I'll re-read the post, I may have missed something.

     

    Thank you
  • The idea is that you import the cert and key, create a client SSL profile and add the client SSL profile and an HTTP profile to the VIP. The iRule checks if the pool is up. If so, the client SSL and HTTP profiles are disabled. The traffic is then passed through LTM encrypted. If the pool doesn't have any available members, then the client SSL and HTTP profiles are enabled and LTM sends a redirect to the client.

     

     

    Aaron
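
The conditional-decryption approach Aaron describes in the reply above, written out as an added example (it is not code from this thread or copied from the linked wiki page). It assumes the virtual server has a client SSL profile holding the site's cert and key, an HTTP profile, and a default pool; the redirect URL is a placeholder.

```tcl
# Added example. Assumptions: client SSL + HTTP profiles are attached to the
# virtual server, and the virtual server has a default pool configured.
when CLIENT_ACCEPTED {
    # [LB::server pool] returns the default pool name here, because no
    # load-balancing decision has been made yet for this connection.
    if { [active_members [LB::server pool]] > 0 } {
        # Pool is healthy: do not decrypt and do not parse HTTP, so the
        # TLS session is passed through and terminated on the servers.
        SSL::disable
        HTTP::disable
    } else {
        # Pool is down: leave both profiles enabled so LTM terminates TLS
        # itself. Log it so fallback (and LTM-side decryption) is visible.
        log local0. "No active members in [LB::server pool]; terminating SSL on LTM for [IP::client_addr]"
    }
}

when HTTP_REQUEST {
    # Only reached when the HTTP profile was left enabled above, i.e. when
    # the pool had no active members at connection time.
    # Placeholder URL: point this at wherever the "Site Down" page lives.
    HTTP::redirect "https://sorry.example.com/sitedown.html"
}
```

The pool check runs once per TCP connection, so connections accepted while the pool was up stay in pass-through mode. The private key now also lives on LTM, so it needs the same handling there as on the servers.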
  • brice
    Hoolio, I think you are overthinking this. He just wants to redirect to an "under construction" server pool if there aren't any servers in the default pool. This doesn't need to know anything about the SSL. The logic is just this: If no members:443 up, then try this other pool:443.

    The members of that other pool will need to have the certs, and be listening on 443 or you will break SSL, especially with current browsers. This is completely untested, but in theory should work...

     
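     when CLIENT_ACCEPTED {
         # Use the normal pool while at least one member is up
         if {[active_members My_SSL_Pool] > 0} {
             pool My_SSL_Pool
         } else {
             # No members available: send the still-encrypted connection
             # to the pool hosting the "under construction" page
             pool Under_Construction_Pool
         }
     }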
     
  • Good point. If you have multiple servers and some can host a sorry page, you could configure the "sorry server" to respond to any HTTP request with the sorry content. The server would need to have the cert and key installed to avoid a browser warning. You could configure the sorry server in the same pool as the normal servers, but at a lower priority. This would not require using an iRule. Or if the server would only answer for a specific object with the sorry page content, you could use the above rule and rewrite the URI to /sorry.html or whatever the sorry page name is.

     

     

    Aaron