In my previous post I showed you how to configure some of the most common ADCs to offload the SSL sessions for vRA. Now I am going to show you how you can use some of the benefits that come with SSL termination.
One of these benefits is the ability to serve content directly from the ADC based on some logic. The goal of this post is to help you configure an “Outage page” and a “Maintenance page” for your vRA environment. You can use only one of the pages or both together. I am going to cover the configuration of F5 BIGIP and Citrix NetScaler.
Maintenance page – this page will be assigned manually during maintenance activities and will inform the users that planned maintenance is being performed. It also allows you to exclude IP ranges from the redirect rule.
Outage page – this page will always be assigned, and if all of the vRA appliances are down it will show a page informing the users that vRA is not available.
As a general precaution, test this procedure in your lab and deploy it in production at your own risk.
Citrix NetScaler
Create Responder Actions
First we need to create our Responder Actions so the LB can serve HTML pages.
Head to NetScaler > AppExpert > Responder > Responder Actions
For our Outage page
Add new action with the following parameters:
Name: outage_page_action
Type: Respond with HTML page
HTML page: [Import your html page here, see below for example]
Response status code: 503
For our Maintenance page
Add new action with the following parameters:
Name: maintenance_page_action
Type: Respond with HTML page
HTML page: [Import your html page here, see below for example]
Response status code: 503
Example: Outage HTML page with refresh every 10 seconds
<!doctype html>
<title>Something went wrong</title>
<meta http-equiv="refresh" content="10">
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>
<article>
  <h1>Something went wrong</h1>
  <div>
    <p>Sorry for the inconvenience but vRA is not accessible at the moment. Please report this error to [email protected].</p>
    <p>The Team</p>
  </div>
</article>
Example: Maintenance HTML page with refresh every 10 seconds
<!doctype html>
<title>Site maintenance</title>
<meta http-equiv="refresh" content="10">
<style>
  body { text-align: center; padding: 150px; }
  h1 { font-size: 50px; }
  body { font: 20px Helvetica, sans-serif; color: #333; }
  article { display: block; text-align: left; width: 650px; margin: 0 auto; }
  a { color: #dc8100; text-decoration: none; }
  a:hover { color: #333; text-decoration: none; }
</style>
<article>
  <h1>We will be back soon!</h1>
  <div>
    <p>Sorry for the inconvenience but we are performing some maintenance at the moment. If you need to you can always contact us at [email protected], otherwise we will be back online shortly!</p>
    <p>The Team</p>
  </div>
</article>
Create Responder Policies
After we have our actions in place, we need to create policies that use them.
Head to NetScaler > AppExpert > Responder > Responder Policies
For our Outage page
Add new Responder Policy with the following attributes:
Name: outage_page_action_policy
Action: outage_page_action
Expression: TRUE
For our Maintenance page
During planned maintenance we need to show the maintenance page to our end users, but we also need to make sure that the vRA systems can communicate with each other.
That is why we need to create an expression which contains all the IP addresses of our vRA components – IaaS Managers, IaaS Web, vRA appliances and others. Those addresses will not be redirected to the maintenance page.
You can also add the IP addresses or subnets from which the vRA admins are connecting to vRA, that way they can test and debug during maintenance.
Add new Responder Policy with the following attributes:
Name: maintenance_page_action_policy
Action: maintenance_page_action
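Expression: CLIENT.IP.SRC.IN_SUBNET(10.23.90.0/24).NOT && CLIENT.IP.SRC.IN_SUBNET(10.23.89.0/24).NOT
The negated tests are joined with && so that the policy matches only clients that are outside every excluded range. Joined with ||, the expression is true for every client, because no address is inside both subnets at once, and the vRA components would receive the maintenance page as well.
Alternatively, if you want to list specific IP addresses, you can use CLIENT.IP.SRC.NE(10.23.89.101) && CLIENT.IP.SRC.NE(10.23.90.223) and so on.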
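The exclusion logic of the maintenance policy, as an added example that is not part of the original post: it builds the responder expression from a list of subnets and hosts and models which clients receive the maintenance page when the negated terms are joined with && versus ||. The function names and the sample client addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: the two subnets from the post's expression.
EXCLUDED = ["10.23.90.0/24", "10.23.89.0/24"]


def build_expression(entries):
    """Build an expression that is TRUE only for clients outside every entry.

    Subnets become IN_SUBNET(...).NOT and single hosts become NE(...), the two
    forms used in the post. strict=True rejects typos such as 10.23.90.5/24.
    """
    if not entries:
        raise ValueError("empty exclusion list would match every client")
    terms = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=True)
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"CLIENT.IP.SRC.NE({net.network_address})")
        else:
            terms.append(f"CLIENT.IP.SRC.IN_SUBNET({net}).NOT")
    return " && ".join(terms)


def gets_maintenance_page(client_ip, entries, operator="&&"):
    """Model the policy: every term means 'client is NOT in this entry'."""
    addr = ipaddress.ip_address(client_ip)
    negated = [addr not in ipaddress.ip_network(e, strict=True) for e in entries]
    return all(negated) if operator == "&&" else any(negated)


def audit(clients, entries):
    """Return {client: (result with &&, result with ||)} for comparison."""
    return {c: (gets_maintenance_page(c, entries, "&&"),
                gets_maintenance_page(c, entries, "||")) for c in clients}


if __name__ == "__main__":
    # Constructed clients: two vRA components and one end user.
    sample = ["10.23.90.15", "10.23.89.101", "192.168.50.7"]
    print(build_expression(EXCLUDED))
    for client, (with_and, with_or) in audit(sample, EXCLUDED).items():
        print(f"{client:15} &&: page={with_and!s:5} ||: page={with_or}")
```

With && only the end-user address gets the page; with || all three do, including the vRA components.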
Create dummy Service
(Required only for the Outage page)
We need to create a dummy Service and ensure that it will always be up.
You can assign any back-end IP to it, since you will never be redirected to that IP.
Just make sure you are not assigning an IP that you might disable later on.
Head to NetScaler > Traffic Management > Load Balancing > Services
Add new service with the following attributes:
Name: outage_page_srv
IP address: 1.1.1.1 (or anything else, this one is not vital)
Protocol: SSL
Port: 443
Health monitoring: Off
Create dummy Virtual Server
(Required only for the Outage page)
Now we need to create a dummy Virtual Server.
You do not need an IP address for this one, as it won't be directly addressable.
Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Add new virtual server with the following attributes:
Name: outage_page_vs
Protocol: SSL
IP address type: Non addressable
Service binding: outage_page_srv
Server certificates: Select your vRA certificate+key pair
Add Policy: Responder
Add Policy type: Request
Policy name: outage_page_action_policy
Here is the mapping:
Assign the Outage page VS to the vRA virtual appliances VS
(Required only for the Outage page)
Now we need to assign the Outage page VS as a backup for our vRA virtual appliances VS.
That way when the vRA virtual appliances are down the user will see our outage page.
Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Edit your vRA VA VS – vs_vra-va-00_443 (I used that name in my previous post, yours might differ)
Click on the + Protection button from the left panel and enter the following info:
Backup virtual server: outage_page_vs
During maintenance: Assign the Maintenance page policy to the vRA virtual appliances VS
To redirect our users to the maintenance page during planned activities we need to assign the maintenance policy to our vRA VA VS.
Head to NetScaler > Traffic Management > Load Balancing > Virtual Servers
Edit your vRA VA VS – vs_vra-va-00_443 (I used that name in my previous post, yours might differ)
Click on the +Policies button from the left panel and enter the following:
Policy: Responder
Type: Request
Policy name: maintenance_page_action_policy
Note that the best practice during maintenance is to disable all related ADC monitors. If those are not disabled, the ADC will serve the Outage page instead.
After your planned activities are over, follow the same procedure and remove the Policy from the Virtual Server.
F5 BIGIP LTM
Create Data Group
(Required only for the Maintenance page)
During planned maintenance we need to show the maintenance page to our end users, but we also need to make sure that the vRA systems can communicate with each other.
That is why we need to create a data group which contains all the IP addresses of our vRA components – IaaS Managers, IaaS Web, vRA appliances and others. Those addresses will not be redirected to the maintenance page.
You can also add the IP addresses or subnets from which the vRA admins are connecting to vRA, that way they can test and debug during maintenance.
Go to Local Traffic > iRules : Data Group List
Create a Data Group with the name vRA_addresses and populate it with the IP addresses of every vRA component. The name is important: we use this exact name later on in our iRule, so if you want to use a different name, change it there as well.
Create iRules
First we need to create a new iRule for the outage page, which will be shown in case of unexpected failure.
Note the HTML is embedded in the iRule so feel free to modify it.
Go to Local Traffic > iRules : iRule List
Create an iRule with name outage_page_irule_automatic
Paste the following in Definition:
when RULE_INIT {
    # Number of seconds before the browser reloads the page
    set static::stime 10
}

when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # If the default pool has no active members, serve the outage page
    if { [active_members $default_pool] < 1 } {
        # Send an HTTP 503 response with an HTML meta refresh. A refresh without
        # a url reloads the current address, so the request URI is not copied
        # unescaped into the page.
        # Replace the [email protected] placeholder below with your support
        # address; square brackets inside a quoted Tcl string are evaluated as a command.
        HTTP::respond 503 content \
"<!doctype html><title>Something went wrong</title> \
<meta http-equiv='refresh' content='$static::stime'> \
<style> \
body { text-align: center; padding: 150px; } \
h1 { font-size: 50px; } \
body { font: 20px Helvetica, sans-serif; color: #333; } \
article { display: block; text-align: left; width: 650px; margin: 0 auto; } \
a { color: #dc8100; text-decoration: none; } \
a:hover { color: #333; text-decoration: none; } \
</style> \
<article> \
<h1>Something went wrong</h1> \
<div> \
<p>Sorry for the inconvenience but vRA is not accessible at the moment. \
Please report this error to [email protected].</p> \
<p>The Team</p> \
</div> \
</article>" "Content-Type" "text/html"
        return
    }
}
Now let’s create the iRule which you will assign during planned maintenance
Create an iRule with name maintenance_page_irule_manual
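when RULE_INIT {
    # Refresh interval in seconds; set here as well so this iRule also works
    # when outage_page_irule_automatic is not present on the system
    set static::stime 10
}

when HTTP_REQUEST {
    # Do not show the page to the vRA components listed in the data group
    if { ! [class match [IP::client_addr] equals vRA_addresses] } {
        # Always show the maintenance page. A refresh without a url reloads the
        # current address, so the request URI is not copied unescaped into the page.
        # Replace the [email protected] placeholder below with your support
        # address; square brackets inside a quoted Tcl string are evaluated as a command.
        HTTP::respond 503 content \
"<!doctype html><title>Site Maintenance</title> \
<meta http-equiv='refresh' content='$static::stime'> \
<style> \
body { text-align: center; padding: 150px; } \
h1 { font-size: 50px; } \
body { font: 20px Helvetica, sans-serif; color: #333; } \
article { display: block; text-align: left; width: 650px; margin: 0 auto; } \
a { color: #dc8100; text-decoration: none; } \
a:hover { color: #333; text-decoration: none; } \
</style> \
<article> \
<h1>We will be back soon!</h1> \
<div> \
<p>Sorry for the inconvenience but we are performing some maintenance at the moment. \
If you need to you can always contact us at [email protected], otherwise we will be back online shortly!</p> \
<p>The Team</p> \
</div> \
</article>" "Content-Type" "text/html"
        return
    }
}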
Bind the automatic outage page to our vRA virtual appliances VS
(Required only for the Outage page)
Now we need to edit our vRA appliances VS, assign an HTTP profile to it and bind the iRule.
Go to Local Traffic > Virtual Servers : Virtual Server List and find your vRA appliances VS.
(In my previous post I named it vs_vra-va-00_443; yours, however, may differ.)
Click Edit and set the following attributes:
HTTP Profile Client: http
HTTP Profile Server: (Use Client Profile)
Click Update
Now click on the Resources tab and in the iRules section choose iRule outage_page_irule_automatic
Click Update again
Here is how the mapping should look:
During maintenance: Bind the planned maintenance page to our vRA virtual appliances VS
During planned maintenance, we need to change the iRule so we can make sure that the maintenance page is displayed to our end users, but the vRA components can still communicate.
Go to Local Traffic > Virtual Servers : Virtual Server List and find your vRA appliances VS.
(In my previous post I named it vs_vra-va-00_443; yours, however, may differ.)
Click Edit, go to Resources, find the iRule outage_page_irule_automatic and replace it with maintenance_page_irule_manual.
Click Update and you are ready.
Note that the best practice during maintenance is to disable all related ADC monitors. If those are not disabled, the ADC will serve the Outage page instead.
After your planned activities are over, follow the same procedure and assign the outage_page_irule_automatic iRule.
If you are interested in more articles like this one stay tuned on VMware Blogs.