NimbostratusIrule working on current connection.
When my company rolls out new code on webservers we want the
ability to make sure everyone from the Internet is redirected to a maintenance
site.
During the maintenance period I
want to our QA staff from both of our offices to be able to reach the site for
testing.
when HTTP_REQUEST {
if {not ( [IP::addr
"[IP::client_addr]/8" equals "10.0.0.0/8"]or[IP::addr
"[IP::client_addr]/12" equals "172.16.0.0/12"]or[IP::addr
"[IP::client_addr]/16" equals "192.168.0.0/16"]or[IP::addr
"[IP::client_addr]/25" equals ".../25"]or[IP::addr
"[IP::client_addr]/28" equals ".../28"]or[IP::addr
"[IP::client_addr]/26" equals "..."] ) } {
HTTP::redirect "http://www.***.com/Maint_Pages/Maintenance.html"
}
}
The rule basically say’s that unless you are coming from an
internal IP address or a public IP address from my company, you are sent to a maintenance
page.
This used to work great until we started using services from
Akamai.
Akamai use connection sharing so
they create a connection to our LTM and use that connection to service multiple
requests. The net result is they may
keep an active connection to the LTM for a long time. When I use the Irule to put the VIP into maintenance
mode, anybody using Akamai does not see the Irule because Irules don’t work against
current connections. I need ALL
customers redirected.
I have played with idea of adding the following to the beginning
of the Irule.
when RULE_INIT { LB::detach
}
My concern after do some reading on the Internet is it
sounds like RULE_INIT can be a scary command if used wrong.
Also while I think this should work when I
add the Irule to the VIP, I figure it won’t drop connections when I remove the
iRule. (Get eveyone off of the maintence page)
Can the experts tell me if this will work and is it a good
idea?
Also, if there a better way to lock out the internet but let
internal users in, I am willing to look at any solution.
T
hanks
Ross
