Macaron
Jan 04, 2018

Maintenance page without doing SSL bridging and using HTTP profile

I am trying to host a maintenance page on the F5 itself using iFiles, but I have been told that I have to do SSL bridging, as I am using an HTTP profile with the iRule to trigger the maintenance page via iFiles. The problem is our business requires traffic to be end-to-end encrypted; for that I am using performanceL4, and after that I am not able to host a maintenance page on the F5 using iFiles, because if I use an HTTP profile with performanceL4 it breaks the connection. Is there a way to host a maintenance page on the F5 using an iFile? Or, as a second option, can we use an external portal and redirect all packets to that portal without doing SSL bridging?

 

14 Replies

  • The problem is our business requires traffic to be end-to-end encrypted; for that I am using performanceL4, and after that I am not able to host a maintenance page on the F5 using iFiles, because if I use an HTTP profile with performanceL4 it breaks the connection. Is there a way to host a maintenance page on the F5 using an iFile?

    May this be usable?

    // config
    
    [root@ve13a:Active:In Sync] config # tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        mask 255.255.255.255
        pool foo
        profiles {
            fastL4 { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 13
    }
    [root@ve13a:Active:In Sync] config # tmsh list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
                session monitor-enabled
                state down
            }
        }
        monitor fake
    }
    [root@ve13a:Active:In Sync] config # tmsh list ltm rule qux
    ltm rule qux {
    when CLIENT_ACCEPTED {
      if { [active_members [LB::server pool]] < 1 } {
        virtual sorrypage
      }
    }
    }
    
    [root@ve13a:Active:In Sync] config # tmsh list ltm virtual sorrypage
    ltm virtual sorrypage {
        destination 0.0.0.0:443
        ip-protocol tcp
        mask any
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            sorrypage_rule
        }
        source 0.0.0.0/0
        translate-address disabled
        translate-port enabled
        vlans-enabled
        vs-index 14
    }
    [root@ve13a:Active:In Sync] config # tmsh list ltm rule sorrypage_rule
    ltm rule sorrypage_rule {
    when HTTP_REQUEST {
      HTTP::respond 200 content "this is sorry page\n" noserver
    }
    }
    
    // test
    
    [root@centos1 ~]# curl -ik https://172.28.24.10
    HTTP/1.0 200 OK
    Connection: Keep-Alive
    Content-Length: 19
    
    this is sorry page
    
    
    • Macaron

      Thanks, I see you used the when HTTP_REQUEST event in your iRule. The problem is that if I use this event, then I have to use an HTTP profile with the VS, which will in turn not trigger the maintenance page without doing SSL bridging.

      The second option I can utilize is hosting the maintenance page on an external server and routing traffic to that server in case the VS goes down. Not sure if it is possible without SSL bridging?

    • nitass

      I see you used the when HTTP_REQUEST event in your iRule. The problem is that if I use this event, then I have to use an HTTP profile with the VS, which will in turn not trigger the maintenance page without doing SSL bridging.

      There are 2 virtual servers, aren't there? The HTTP profile is in the internal virtual server (i.e. not the external one which is facing users).

    • Macaron

      Worked perfectly fine!!! Thank you.
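
The original question asked for an iFile-backed page, while the accepted configuration returns a fixed string. The following is an added example, not code posted in the thread: a variant of `sorrypage_rule` for the internal `sorrypage` virtual server that serves an iFile. The iFile name `maintenance_html`, the 503 status and the extra headers are assumptions.

```tcl
# Added example (not from the thread). Attach to the internal "sorrypage"
# virtual server, which carries the clientssl and http profiles. The
# user-facing fastL4 virtual server keeps rule "qux" and stays pass-through.
# "maintenance_html" is a hypothetical iFile object name.
when HTTP_REQUEST {
    # If the iFile cannot be read, fall back to a fixed string so a Tcl
    # runtime error does not abort the rule and reset the connection.
    if { [catch { set page [ifile get "maintenance_html"] }] } {
        set page "Service temporarily unavailable\n"
        set ctype "text/plain"
    } else {
        set ctype "text/html; charset=utf-8"
    }

    # 503 rather than 200 so monitors, crawlers and caches treat the
    # response as an outage; no-store keeps intermediaries from caching it.
    HTTP::respond 503 content $page noserver \
        "Content-Type" $ctype \
        "Cache-Control" "no-store" \
        "Retry-After" "300" \
        "Connection" "close"
}
```

With this layout the BIG-IP terminates TLS only for connections handed to `sorrypage`, so the certificate in that virtual server's client SSL profile has to be valid for the site's hostname; the test in the thread used `curl -k`, which skips that check.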