Forum Discussion

Siraj_Arab_1610's avatar
Siraj_Arab_1610
Icon for Nimbostratus rankNimbostratus
Mar 22, 2016

How to create iRule to respond with Maintanence Page for HTTPS site

I have created a maintenance page using html - iFile configurations as below:

 

    when HTTP_REQUEST {
    if { [active_members [LB::server pool]] < 1} {
         switch [string tolower [HTTP::uri]] {
              "/" {
                   HTTP::respond 200 content [ifile get Maintenance] "Content-Type" "text/html"
              }
              "/logo.png" {
                   HTTP::respond 200 content [ifile get logo] "Content-Type" "image/png"
              }
              "/background-pattern.png" {
                   HTTP::respond 200 content [ifile get background-pattern] "Content-Type" "image/png"
              }

         }
    }
}

 

It works great with HTTP Site, no problem there.

But when I apply same iRule to VS running HTTPS service, it fails to generate the sorry page. I am doing SSL Bridging, and not offloading ( This cant be changed to offloading). It works when I opt for offloading though.

It would be a great help if anyone could make it working for HTTPS site with SSL Bridging enabled.

  • It will never work without the BigIP terminating SSL because in order to read or write http headers, you need to decrypt the payload. If you need SSL encryption on the serverside connection, you'll need to decrypt the client-side connection using a clientside ssl profile, then perform http operations using an http profile and iRule(s), and then re-encrypt serverside connections using a serverside ssl profile.

     

  • I am getting client traffic decrypted on F5 and then again get it re-encrypted while sending to server, using client side and server side SSL profiles, All I need to know is iRule syntax which could do what you mentioned " then perform http operations using an http profile and iRule(s)"

     

  • The iRule is correct if you are employing client-side TLS offloading. You must, however, apply the http profile to the Virtual Server, and of course, attach this iRule to that same (TLS terminating) Virtual Server. If, with these set, it's still not working, I'd recommend adding some logging statements.

     

  • Thanks, Vernon. But as I said I need it to work with SSL bridging enabled, not with SSL offloading ( it works with offloading).

     

    As it's financial firm I won't be allowed to do offloading on F5, also there is proxy SSL feature enabled which is why need to have SSL bridging(decrypt and re-encrypt) enabled.

     

  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus

    It should work fine if you bridge SSL (i.e. terminate SSL & re-encrypt before it leaves the BIG-IP).

    On a different note, you're sending a 200 (OK):

     

    HTTP::respond 200 content [ifile get Maintenance] "Content-Type" "text/html"

     

    However, a maintenance is page should use a 503 (Server Unavailable) rather than a 200 (OK). Many reasons for this: adherence to the RFC, monitoring, and SEO. Simply replace the response code and you'll be all set. Only do this for page requests, not for supporting elements like images.

     

    HTTP::respond 503 content [ifile get Maintenance] "Content-Type" "text/html"

     

  • Hi Siraj,

    if you're by any means not allowed to inspect the SSL connection because of legal issues, then you could just check the pool availability once during CLIENT_ACCEPTED event and then forward the request to an alternate pool (hosting the error page) or even to another VS in a VIP-targeting-VIP configuration to serve the error page on your F5 (see iRules below)

    Note: If using a VIP-targeting-VIP confguration, then make sure the targeting VIP has a Client-SSL-Profile attached using the SSL-Certificate of the original destination Site. In this case you would inspect the request destined to your banking site only in the case the original site is offline. And don't forget to apply a HTTP profile to the targeting VIP to be able to trigger the ErrorPage iRule... 😉

    iRule on existing VS

     

    when CLIENT_ACCEPTED {
        if { [active_members [LB::server pool]] < 1} {
            virtual VS_ERROR_PAGE
        }
    }
    

     

    iRule on VS_ERROR_PAGE

     

    when HTTP_REQUEST {
        switch [string tolower [HTTP::uri]] {
            "/logo.png" {
                HTTP::respond 200 content [ifile get logo] "Content-Type" "image/png"
            }
            "/background-pattern.png" {
                HTTP::respond 200 content [ifile get background-pattern] "Content-Type" "image/png"
            }
            default {
                HTTP::respond 503 content [ifile get Maintenance] "Content-Type" "text/html"
            }
        }
    }
    

     

    Cheers, Kai