Forum Discussion
The problem is that our business requires traffic to be end to end encrypted, and for that I am using performanceL4. After that I am not able to host a maintenance page on the F5 using iFiles, because if I use an HTTP profile with performanceL4 then it breaks the connection. Is there a way to host a maintenance page on the F5 using an iFile?
may this be usable?
// config

[root@ve13a:Active:In Sync] config # tmsh list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    mask 255.255.255.255
    pool foo
    profiles {
        fastL4 { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 13
}
[root@ve13a:Active:In Sync] config # tmsh list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
            session monitor-enabled
            state down
        }
    }
    monitor fake
}
[root@ve13a:Active:In Sync] config # tmsh list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        if { [active_members [LB::server pool]] < 1 } {
            virtual sorrypage
        }
    }
}
[root@ve13a:Active:In Sync] config # tmsh list ltm virtual sorrypage
ltm virtual sorrypage {
    destination 0.0.0.0:443
    ip-protocol tcp
    mask any
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        sorrypage_rule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port enabled
    vlans-enabled
    vs-index 14
}
[root@ve13a:Active:In Sync] config # tmsh list ltm rule sorrypage_rule
ltm rule sorrypage_rule {
    when HTTP_REQUEST {
        HTTP::respond 200 content "this is sorry page\n" noserver
    }
}

// test

[root@centos1 ~]# curl -ik https://172.28.24.10
HTTP/1.0 200 OK
Connection: Keep-Alive
Content-Length: 19

this is sorry page
- Macaron, Jan 04, 2018, Nimbostratus
Thanks, I see you used the HTTP_REQUEST event in your iRule. The problem is that if I use this event, then I have to use an HTTP profile with the VS, which in turn will not trigger the maintenance page without doing SSL bridging.
The second option I can utilize is hosting the maintenance page on an external server and routing traffic to that server in case the VS goes down. Not sure if it is possible without SSL bridging?
- nitass, Jan 04, 2018, Employee
"I see you used the HTTP_REQUEST event in your iRule. The problem is that if I use this event, then I have to use an HTTP profile with the VS, which in turn will not trigger the maintenance page without doing SSL bridging."
There are 2 virtual servers, aren't there? The HTTP profile is in the internal virtual server (i.e. not the external one which is facing users).
- Macaron, Jan 05, 2018, Nimbostratus
Worked perfectly fine!!! Thank you.
- Macaron, Jan 09, 2018, Nimbostratus
Hi Nitass, while testing I noticed that after the pool member comes back online and I try to refresh the page, the maintenance page stays there. I have to wait for about a minute or two to navigate to the actual server page after I refresh the page. Do you know how I can quickly navigate to the page when the server comes back online and after I press refresh?
- nitass, Jan 09, 2018, Employee
"While testing I noticed that after the pool member comes back online and I try to refresh the page, the maintenance page stays there."
Did the refresh create a new TCP connection? If you run tcpdump, you should see a new TCP 3-way handshake.
- Macaron, Jan 10, 2018, Nimbostratus
Refresh does not create a new TCP connection. I only saw ACK and no SYN packets, and also when I hit refresh the traffic came with VLAN 0, whereas after some time I closed the browser and re-opened it, and also used another browser; VLAN 333 came up in tcpdump and the page loaded successfully.
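
An added example, not part of the original thread and not F5's own code: a variant of sorrypage_rule for the internal sorrypage virtual server that serves the page body from an iFile and asks the client to close the connection after each response, so a refresh opens a new TCP connection and the CLIENT_ACCEPTED check on the fastL4 virtual server runs again. The iFile name maintenance_html and the rule name sorrypage_ifile_rule are hypothetical, and the 503 status with Retry-After is a choice made here where the thread's rule returns 200.

```tcl
# Added example (not from the thread). Attach to the internal "sorrypage"
# virtual server, which already carries the clientssl and http profiles.
# Assumption: an iFile object named "maintenance_html" has been created
# on the BIG-IP (hypothetical name).
ltm rule sorrypage_ifile_rule {
    when HTTP_REQUEST {
        # The external fastL4 virtual picks "pool foo" or "virtual sorrypage"
        # once per TCP connection (CLIENT_ACCEPTED). A kept-alive connection
        # therefore stays pinned to the sorry page after the pool recovers.
        # "Connection: close" makes the client reconnect on the next request,
        # which re-runs that decision.
        #
        # 503 + Retry-After marks the outage as temporary for clients and
        # crawlers; "no-store" keeps browsers and proxies from caching the
        # maintenance page; "noserver" suppresses the Server header.
        HTTP::respond 503 content [ifile get "maintenance_html"] noserver \
            "Content-Type" "text/html; charset=utf-8" \
            "Cache-Control" "no-store" \
            "Retry-After" "60" \
            "Connection" "close"
    }
}
```

With this in place, a tcpdump taken during a refresh should show a fresh 3-way handshake on the external virtual server for each request made while the sorry page is being served.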