Sujeet_Singh_34
Jan 17, 2018

iRule Maintenance Page for HTTPS VIP

We have a virtual server configured for both port HTTP and HTTPS. We need to set up an iRule for a maintenance page: if either VIP is down, it will redirect to a maintenance page for both HTTP and HTTPS. We have set up iRule_maintenance for the HTTP VIP and it is working, but for HTTPS it is not working. The SSL certificate is installed on both the F5 LTM and the back-end servers. There is no option inside the iRule to enter the word https during iRule creation. Please help us.

 

Thanks in Advance.

 

8 Replies

  • hi,

     

    for https vip, did you configure client and server ssl with http profile?

     

    Thx Srini

     

    • Sujeet_Singh_34

      Yes, for port 443 VIP, we have client SSL profile as well as ServerSSL profile.

       

  • If a Virtual Server is unavailable, the client will receive TCP/RST. They are client-side listeners and you cannot serve any maintenance page content or even a basic HTTP redirect response if the network socket itself doesn't open. You must refer to the status of a pool/pools/a pool member.

    Please paste output of your full Virtual Server configs

    tmsh list ltm virtual vs-http-name
    tmsh list ltm virtual vs-https-name
    

    And your maintenance iRule currently in use

    Regards,

    • Sujeet_Singh_34

      ==>Please find the output of the command you requested. Just for info, we have not mapped the iRule to the port 443 VIP, as it was not working, but after adding the iRule for port 80 we tested it and it was redirecting when we disabled the pool members for the port 80 VIP. We have also installed an SSL certificate for the port 443 VIP and enabled it on both the BIG-IP side and the backend server side, I mean the Client SSL profile and Server SSL profile are enabled.

       

      And finally thank you very much for your help

       

      ==>tmsh list ltm virtual abc_com_443
      ltm virtual abc_com_443 {
          destination 10.35.20.7:https
          ip-protocol tcp
          mask 255.255.255.255
          persist {
              source_addr {
                  default yes
              }
          }
          pool abc_net_443
          profiles {
              tcp { }
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          translate-address enabled
          translate-port enabled
          vs-index 119
      }

      ==>tmsh list ltm virtual abc_com_80
      ltm virtual abc_com_80 {
          destination 10.35.20.7:http
          ip-protocol tcp
          mask 255.255.255.255
          persist {
              source_addr {
                  default yes
              }
          }
          pool abc_net_80
          profiles {
              http { }
              tcp { }
          }
          rules {
              myabc.com_80-maintenance
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          translate-address enabled
          translate-port enabled
          vs-index 118
      }

       

      ==> iRule

      myabc.com_80-maintenance

          when HTTP_REQUEST {
              # If the myabc.com_80 is down, redirect to the maintenance page
              if { [active_members abc_net_80] < 1 } { HTTP::redirect "; return }
          }

      =>myabc.com_443-maintenance

          when HTTP_REQUEST {
              # If the myabc.com_443 is down, redirect to the maintenance page
              if { [active_members abc_net_443] < 1 } { HTTP::redirect "; return }
          }

       


  • The http condition in an iRule is for both http & https ... does the maintenance page use the same SSL server cert? ... What I think is that the maintenance page is an http page, that's why it's working perfectly for http traffic. Can you please post the iRule that you are applying on the https vip?

     

  • The configuration clearly shows you have no SSL profile attached to the 443 virtual server. If the traffic cannot be decrypted then the F5 cannot send the redirect. You will also need an HTTP profile, as the HTTP_REQUEST event will not trigger without it.

    ==>tmsh list ltm virtual abc_com_443
    ltm virtual abc_com_443 {
        destination 10.35.20.7:https
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            source_addr {
                default yes
            }
        }
        pool abc_net_443
        profiles { <<<--- no http and ssl profiles
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 119
    }
    

    If you look in the GUI you will see they are not configured.
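
An added example, not part of the original thread and not F5 code: a small Python check over `tmsh list ltm virtual` output that flags the condition the last reply describes, a virtual server with iRules attached but no HTTP profile, or an HTTPS listener with no client SSL profile. The sample text is constructed from the thread's configs (the rule attachment on `abc_com_443` and the `abc_com_443_fixed` entry are hypothetical), and the default profile names `http` and `clientssl` are assumed.

```python
import re

# Constructed sample modelled on the thread's `tmsh list ltm virtual` output.
# The rule on abc_com_443 and the abc_com_443_fixed entry are hypothetical.
SAMPLE = """
ltm virtual abc_com_443 { destination 10.35.20.7:https ip-protocol tcp pool abc_net_443
  profiles { tcp { } } rules { myabc.com_443-maintenance } }
ltm virtual abc_com_80 { destination 10.35.20.7:http ip-protocol tcp pool abc_net_80
  profiles { http { } tcp { } } rules { myabc.com_80-maintenance } }
ltm virtual abc_com_443_fixed { destination 10.35.20.7:https ip-protocol tcp pool abc_net_443
  profiles { clientssl { context clientside } http { } serverssl { context serverside } tcp { } }
  rules { myabc.com_443-maintenance } }
"""

# Assumption: default profile names; add site-specific profile names as needed.
HTTP_PROFILES = {"http"}
CLIENT_SSL_PROFILES = {"clientssl"}

def parse_block(toks, i=0):
    """Parse words up to the matching '}' into (word, child_or_None) pairs."""
    items = []
    while i < len(toks) and toks[i] != "}":
        word, child = toks[i], None
        i += 1
        if i < len(toks) and toks[i] == "{":
            child, i = parse_block(toks, i + 1)
        items.append((word, child))
    return items, i + 1

def names_in(body, key):
    """Names listed inside the `key { ... }` block of a virtual server."""
    return [n for w, c in body if w == key and c is not None for n, _ in c]

def audit(text):
    """Map each virtual server name to a list of profile problems."""
    top, _ = parse_block(re.findall(r"[{}]|[^\s{}]+", text))
    findings = {}
    for name, body in top:
        if body is None:  # the bare words "ltm" and "virtual"
            continue
        words = [w for w, _ in body]
        dest = words[words.index("destination") + 1] if "destination" in words else ""
        profiles = set(names_in(body, "profiles"))
        problems = []
        # Assumes attached iRules use HTTP events, as the thread's rules do.
        if names_in(body, "rules") and not profiles & HTTP_PROFILES:
            problems.append("no http profile: HTTP_REQUEST never fires")
        if dest.endswith((":https", ":443")) and not profiles & CLIENT_SSL_PROFILES:
            problems.append("no client SSL profile: TLS is not decrypted")
        findings[name] = problems
    return findings
```

Calling `audit()` on the pasted output of `tmsh list ltm virtual` returns an empty list for every virtual server whose profiles match what its iRules and listener port need.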