Forum Discussion
Kevin_Stewart
Mar 30, 2008
Employee
I don't know if this can help, but I built a rule that allows specifically listed people to be able to enable or disable maintenance mode on a VIP. This rule is not dependent on node manipulation, but rather stores information in a global array:
when RULE_INIT {
    # Per-virtual-server maintenance flags, keyed by virtual server name
    array set ::maintmode { }
}
when HTTP_REQUEST {
    if { ([ info exists ::maintmode([virtual]) ] and ( $::maintmode([virtual]) == 1 )) or ( [HTTP::uri] equals "/enmaintmode" ) or ( [HTTP::uri] equals "/dismaintmode" ) } {
        # maintenance mode is set or attempting to set or unset
        switch [HTTP::uri] {
            "/enmaintmode" {
                # Element 1 of the SSL session entry must be listed in the data class
                if { [matchclass $::maintenance_mode_users equals [lindex [session lookup ssl [SSL::sessionid]] 1]] } {
                    set ::maintmode([virtual]) 1
                    HTTP::respond 200 content "Maintenance Mode Settings"
                } else {
                    # send content and die
                    HTTP::respond 200 content $::error_html Connection Close
                    event HTTP_REQUEST disable
                    SSL::session invalidate
                }
            }
            "/dismaintmode" {
                if { [matchclass $::maintenance_mode_users equals [lindex [session lookup ssl [SSL::sessionid]] 1]] } {
                    set ::maintmode([virtual]) 0
                    HTTP::respond 200 content "Maintenance Mode Settings"
                } else {
                    # send content and die
                    HTTP::respond 200 content $::error_html Connection Close
                    event HTTP_REQUEST disable
                    SSL::session invalidate
                }
            }
            default {
                # send content and die
                HTTP::respond 200 content $::maintmode_html Connection Close
                event HTTP_REQUEST disable
                SSL::session invalidate
            }
        }
    }
}
The basic premise is this: The site requires a global array and a data class "maintenance_mode_users" (a single string table) that lists the users that can make this work. We use smart cards, so on initial connect, I store some information from the user's certificate in an ssl session array. This could also be done with IP addresses or other unique values, I suppose, but I'd be careful to choose something that can't be spoofed.

When the user goes to the site and enters "/enmaintmode" as the URI, the rule first checks to see if the user is listed in the data class. If they are, the name of the virtual server is added to the global array with the value of 1 (ex. "TEST_VS" 1). Next time through the request process, regardless of the URI, the maintmode flag for the virtual server is set and a static maintenance page is displayed. If "/dismaintmode" is entered and the user is valid in the data class, maintmode for the virtual server is set to 0 and the maintenance page is disabled. Resetting the iRule in the GUI or a "B LOAD" at the command line will also reset, or rather destroy, the global array entries.

By the way, there are also two other global variables, $::error_html and $::maintmode_html. These are the actual HTML pages displayed to the user. $::error_html is displayed if a non-authorized user tries to use the maintenance URIs. $::maintmode_html is the maintenance page users would see if maintenance was enabled for the virtual server. They don't have to be global variables, of course. I just did it that way for readability.
HTH
Kevin
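
The rule above reads the caller's identity from the SSL session table, but the post does not show the step that stores it on initial connect. An added example, not part of the original post, of one way to populate that entry from the client certificate. Assumptions: the entry is a two-element list with the certificate subject at index 1 (the index the rule reads), the class holds subject strings, and `::maint_session_timeout` is a hypothetical variable name.

```tcl
# Added example: companion handler for the maintenance-mode rule above.
# Assumption: the session entry is the list {cert subject}, so that
#   [lindex [session lookup ssl [SSL::sessionid]] 1]
# in the HTTP_REQUEST handler returns the subject that is compared
# against the maintenance_mode_users data class.
when RULE_INIT {
    # Hypothetical lifetime, in seconds, of the per-session entry
    set ::maint_session_timeout 300
}
when CLIENTSSL_CLIENTCERT {
    # No certificate presented: store nothing, so the later lookup
    # returns an empty value and the matchclass check does not match.
    if { [SSL::cert count] < 1 } {
        return
    }
    # Record an identity only from a certificate that passed chain
    # verification; otherwise log the reason and drop the connection.
    if { [SSL::verify_result] != 0 } {
        log local0. "client cert failed verification: [X509::verify_cert_error_string [SSL::verify_result]]"
        reject
        return
    }
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
    # Index 0: the certificate, index 1: the subject used for authorization
    session add ssl [SSL::sessionid] [list $cert $subject] $::maint_session_timeout
}
```

Because authorization rests on this entry alone, the client SSL profile should require a client certificate and verify it against the smart card issuing CA bundle.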