Forum Discussion

Jgawrych_43121's avatar
Jgawrych_43121
Icon for Nimbostratus rankNimbostratus
Mar 18, 2008

Kill all active connections to a Vserver during maintenace....

  I'm working through a process for placing our site into maintenace mode for application upgrades etc. This process is going to be handed of to 1st level NOC people who are smart but novices to...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 30, 2008
I don't know if this can help, but I built a rule that allows specifically listed people to be able to enable or disable maintenance mode on a VIP. This rule is not dependent on node manipulation, but rather stores information in a global array:


when RULE_INIT {
  array set ::maintmode { }
}
when HTTP_REQUEST {
  if { ([ info exists ::maintmode([virtual]) ] and ( $::maintmode([virtual]) == 1 )) or ( [HTTP::uri] equals "/enmaintmode" ) or ( [HTTP::uri] equals "/dismaintmode" ) } {
   maintenance mode is set or attempting to set or unset
  
    switch [HTTP::uri] {
      "/enmaintmode" {
    if { [matchclass $::maintenance_mode_users equals [lindex [session lookup ssl [SSL::sessionid]] 1]] } {
      set ::maintmode([virtual]) 1
  HTTP::respond 200 content "Maintenance Mode Settings"
} else {
   send content and die
  HTTP::respond 200 content $::error_html Connection Close
  event HTTP_REQUEST disable
  SSL::session invalidate
}
  }
  "/dismaintmode" {
    if { [matchclass $::maintenance_mode_users equals [lindex [session lookup ssl [SSL::sessionid]] 1]] } {
  set ::maintmode([virtual]) 0
  HTTP::respond 200 content "Maintenance Mode Settings"
} else {
   send content and die
  HTTP::respond 200 content $::error_html Connection Close
  event HTTP_REQUEST disable
  SSL::session invalidate
}
  }
  default {
     send content and die
    HTTP::respond 200 content $::maintmode_html Connection Close
    event HTTP_REQUEST disable
SSL::session invalidate
  }
    }
  }
}

The basic premise is this: The site requires a global array and a data class "maintenance_mode_users" (a single string table) that lists the users that can make this work. We use smart cards, so on initial connect, I store some information from the user's certificate in an ssl session array. This could also be done with IP addresses or other unique values, I suppose, but I'd be careful to choose something that can't be spoofed. When the user goes to the site and enters "/enmaintmode" as the URI, the rule first checks to see if the user is listed in the data class. If they are, the name of the virtual server is added to the global array with the value of 1 (ex. "TEST_VS" 1). Next time through the request process, regardless of the URI, the maintmode flag for the virtual server is set and a static maintenance page is displayed. If "/dismaintmode" is entered and the user is valid in the data class, maintmode for the virtual server is set to 0 and the maintenance page is disabled. Resetting the iRule in the GUI or a "B LOAD" at the command line will also reset, or rather destroy the global array entries. By the way, there are also two other global variables, $::error_html and $::maintmode_html. These are the actually HTML pages displayed to the user. $::error_html is displayed if a non-authorized user tries to use the maintenance URIs. $::maintmode_html is the maintenance page users would see if maintenance was enabled for the virtual server. They don't have to be global variables, of course. I just did it that way for readability.

HTH

Kevin