Forum Discussion

Mark_J__Schelle
Jan 22, 2014

iRule "Sorry server" pool change from SSL to non-SSL?

Hello DevCentral -

I am working with a team member on something that has turned into a rather unusual request. For our normal service, the client connects SSL, we break that connection, insert some cookies, and re-encrypt to the back-end pool members. So it's SSL (browser)=>LTM=>SSL (pool member). Now we'd like to serve up some nicer content if no pool members are available. We have a new pool defined serving up the content, and I am using the following iRule:

when LB_FAILED {
  if { [active_members my-pool-443] == 0 } {
    pool sorry-pool-80
  }
}

This does not work as expected since we're doing the re-encryption. Is there any other option than running SSL on the sorry server?

Thanks!!!

6 Replies

  • You can specify a fallback host in the HTTP profile attached to your virtual server. It would be used in the case that no pool members were available.

     

  • The Fallback Host option would end up sending a redirect to the client's browser, would it not? We are trying to serve up the Sorry page without any redirect - just show it instead of the normal page.

     

    Thank you!!!

     

  • can we just disable ssl on serverside?

    e.g.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo443
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 6
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo443
    ltm pool foo443 {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool sorry80
    ltm pool sorry80 {
        members {
            200.200.200.111:80 {
                address 200.200.200.111
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [active_members [LB::server pool]] <= 0 } {
                SSL::disable serverside
                pool sorry80
            }
        }
    }
    
     pool443 is up
    
    [root@ve11a:Active:In Sync] ~  curl -k https://172.28.24.10
    This is 101 host.
    
     pool443 is down
    
    [root@ve11a:Active:In Sync] ~  tail -f /var/log/ltm
    Jan 22 23:40:14 ve11a notice mcpd[6957]: 01070638:5: Pool /Common/foo443 member /Common/200.200.200.101:443 monitor status down. [ /Common/fake: down ]  [ was unchecked for 0hr:7mins:54sec ]
    Jan 22 23:40:14 ve11a err tmm[14419]: 01010028:3: No members available for pool /Common/foo443
    Jan 22 23:40:14 ve11a err tmm1[14419]: 01010028:3: No members available for pool /Common/foo443
    
    [root@ve11a:Active:In Sync] ~  curl -k https://172.28.24.10
    This is 111 host.
    
  • That was exactly the right answer nitass - thank you!!!

     

    One twist on this - is it also possible to put up a "sorry-sorry" static HTML served right from the LTM in the case of both failed regular pool and failed sorry pool?

     

  • is it also possible to put up a "sorry-sorry" static HTML served right from the LTM in the case of both failed regular pool and failed sorry pool?

     

    yes, it is definitely possible. :)

     

    v11.1–External File Access from iRules via iFiles by Jason Rahm

     

    https://devcentral.f5.com/articles/v111-ndashexternal-file-access-from-irules-via-ifiles.UuNMy7QRUdU

     

    offloading content with ifiles

     

    https://devcentral.f5.com/wiki/iRules.offloading-content-onto-the-BIG-IP-via-ifiles.ashx
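
Added example, not part of the thread and not any poster's code: one iRule that combines the `SSL::disable serverside` approach shown above with the iFile-based "sorry-sorry" page discussed in the last replies. It assumes the pool names `foo443` and `sorry80` from the posted config and a hypothetical iFile object named `sorry_page`. Because the sorry pool is reached over plain HTTP, it also strips the client's cookies and `Authorization` header before the request leaves the LTM unencrypted.

```tcl
# Added example (not from the thread). Pool names foo443 / sorry80 are taken
# from the config posted above; the iFile name "sorry_page" is hypothetical and
# must already exist as an iFile object on the BIG-IP.
when HTTP_REQUEST {
    # Primary pool healthy: leave the normal SSL re-encryption path untouched.
    if { [active_members foo443] > 0 } {
        return
    }

    if { [active_members sorry80] > 0 } {
        # The sorry pool speaks plain HTTP, so this request crosses the
        # server-side network in cleartext. Remove credentials the sorry
        # server has no use for before it is forwarded.
        HTTP::header remove "Cookie"
        HTTP::header remove "Authorization"
        SSL::disable serverside
        pool sorry80
        return
    }

    # Both pools are down: answer from the LTM itself. The client stays on the
    # original HTTPS connection, with no redirect and no backend involved.
    log local0. "foo443 and sorry80 both down, serving static sorry page"
    # Retry-After value below is an arbitrary sample.
    HTTP::respond 503 content [ifile get "sorry_page"] \
        "Content-Type" "text/html" \
        "Cache-Control" "no-store" \
        "Retry-After" "60" \
        "Connection" "close"
}
```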