ip / url redirect

Hello EE,

I have a set of pooled servers and for deployment reasons , I want to use a " Blue /Green" deployment for updates . So essentially, the current production is "Blue " ( v1) and when we update a client , they are moved to "Green" v2 . For example, there are 4 servers in the pool , server1( blue) , server2 ( blue), server3 ( green) , server4 ( green) . The external ip is the same and points to all 4, but only 2 ( blue/current prod) are active , and I wish to redirect ONE CLIENT AT A TIME to green set during an update . This is a 2012 R2 IIS8 environment and each client site is hosted on the same internal ip using a wildcard cert . Example , client1.somedomain.ca, client2.somedomain.ca

Since I do not wish to change the public dns records , I need a way to redirect the traffic to the green set ( new ip internal pool) . Initially, I was going to have my could provider configure an irule on the f5 bigip device for this and redirect the traffic this way , but I wish to maintain control over the redirecting of each client from either within IIS or using a proxy service

is there a way to use a service or something in IIS8 to achieve the same result ?
davesnbAsked:
Who is Participating?
 
Dan McFaddenConnect With a Mentor Systems EngineerCommented:
Load balancers are capable of running a check against a web site to see if a specific page is available.  This is often referred to as a "health check" or "health monitor."

Link:  https://devcentral.f5.com/articles/back-to-basics-health-monitors-and-load-balancing

So in essence this would be the process (I use this in PROD):
** this assumes you have a web farm defined on the LBs **

1. choose a name for the web page to be used in the health check config
1a. I use an HTML file named healthy.html which is a properly formed HTML5 page with an <h1> element that has the content "healthy" in it.
2. place the "healthy.html" file in the content structure of each site to be checked.  I place it in the root of every site.  You could place it deeper in your site, but that is your choice and the flexibility of your LBs.
3. setup the health check on the LB.  I use a frequency of 60 seconds.
4. To take a server out of service, just rename the "healthy.html" to something like "unhealthy.html" or "offline.html."  After a few minutes, the LBs should detect a failure on the health check and prevent the server from answering requests.

This functions at the web site level.  Your server setup would look something like:

1. Server01 (blue = online)
1a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
1b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
1c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

2. Server02 (blue = online)
2a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
2b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
2c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

3. Server03 (green = online, but sites unhealthy)
3a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

4. Server04 (green = online, but sites unhealthy)
4a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

Deployment process:
1. drop code update on site "cliensite1.domain.com" on server 3 & 4
2. flip to Green servers
2a.  rename "healthy.html" on server 1 & 2 to "unhealthy.html"
2b.  rename "unhealthy.html" on server 3 & 4 to "healthy.html"
3. do this for each site as required

Dan
0
 
davesnbAuthor Commented:
Thanks Dan I like this approach .
0
 
davesnbAuthor Commented:
HI Dan,

my cloud provider says that SSL offload is critical for this to work , is that correct ? I prefer not to use SSL oflfload due to some of the site configs .
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Dan McFaddenSystems EngineerCommented:
I would say that is true because if there is an SSL Certificate being used, it would need to be on the LB so that it could terminate the SSL connection.  The positive side of this is that you would only have to update the SSL Cert once or twice... on the 1 or 2 LBs in operation.

What site configs are of concern?

Dan
0
 
davesnbAuthor Commented:
I think some of our issues are coming in due to forcing of SSL (redirecting HTTP to HTTPS).  So the sites have been set incorrectly for the lb, the end result was no connection when attempting to work . Wha tis the optimal setting for the sites in IIS for the above to work with SSL offload, just have the "SSLl Settings" set to "ignore" for client certificates? is there anything else to check  ?
0
 
Dan McFaddenSystems EngineerCommented:
You are using Client Certificates?

What I've done in the past is drop the production SSL Cert on the LBs.  The http->https redirect is done at the LBs as well.  The LBs are the SSL endpoint for the clients.  Then the LBs act as a client to the websites on the server, make the http(s) request on behalf of the client and forward the response back to the original requester.

If you need end-to-end SSL traffic, you could use different, internally issues SSL certs between the LB & the IIS Servers.

Dan
0
 
davesnbAuthor Commented:
No we are using server server certificates. The redirect to https is hard coded in some of the sites ( i just found out)
0
 
Dan McFaddenSystems EngineerCommented:
But this may not be a big deal... If you have a wildcard SSL certificate, just use it every where.

What do you mean "hard coded?"  Actually in the code or in the IIS web site config?  I would try to get the "hard coded" redirect removed if possible.

IMO, hard coding anything today goes against any form of best practice.  IIS has redirection capabilities plus the feature of URL Rewrite (which is even more powerful), so doing a redir in code is a waste of effort and white space.

Dan
0
 
davesnbAuthor Commented:
HI Dan,

Do you have an example health monitor rule for the "healthy.hmtl"/ "unhealthy.html" for your sites loaded on the f5 that you can provide please.

D.
0
 
Dan McFaddenSystems EngineerCommented:
0
 
davesnbAuthor Commented:
Thank you , is it possible to just change the domain names / ips and any other sensitive info . I just need an example compare . Thank you for the links nonetheless.

D.
0
 
Dan McFaddenSystems EngineerCommented:
The how to article is the one to go thru then.  I has screenshots.

Getting a dump of my health monitor is complicated and would involve going thru the security department.  Nice ppl but suspicious of everything especially of requests for rule configurations.

Dan
0
 
davesnbAuthor Commented:
ok no worries , tks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.