Solved

ip / url redirect

Posted on 2016-09-26
13
56 Views
Last Modified: 2016-10-05
Hello EE,

I have a set of pooled servers and for deployment reasons , I want to use a " Blue /Green" deployment for updates . So essentially, the current production is "Blue " ( v1) and when we update a client , they are moved to "Green" v2 . For example, there are 4 servers in the pool , server1( blue) , server2 ( blue), server3 ( green) , server4 ( green) . The external ip is the same and points to all 4, but only 2 ( blue/current prod) are active , and I wish to redirect ONE CLIENT AT A TIME to green set during an update . This is a 2012 R2 IIS8 environment and each client site is hosted on the same internal ip using a wildcard cert . Example , client1.somedomain.ca, client2.somedomain.ca

Since I do not wish to change the public dns records , I need a way to redirect the traffic to the green set ( new ip internal pool) . Initially, I was going to have my could provider configure an irule on the f5 bigip device for this and redirect the traffic this way , but I wish to maintain control over the redirecting of each client from either within IIS or using a proxy service

is there a way to use a service or something in IIS8 to achieve the same result ?
0
Comment
Question by:davesnb
  • 7
  • 6
13 Comments
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 500 total points
Comment Utility
Load balancers are capable of running a check against a web site to see if a specific page is available.  This is often referred to as a "health check" or "health monitor."

Link:  https://devcentral.f5.com/articles/back-to-basics-health-monitors-and-load-balancing

So in essence this would be the process (I use this in PROD):
** this assumes you have a web farm defined on the LBs **

1. choose a name for the web page to be used in the health check config
1a. I use an HTML file named healthy.html which is a properly formed HTML5 page with an <h1> element that has the content "healthy" in it.
2. place the "healthy.html" file in the content structure of each site to be checked.  I place it in the root of every site.  You could place it deeper in your site, but that is your choice and the flexibility of your LBs.
3. setup the health check on the LB.  I use a frequency of 60 seconds.
4. To take a server out of service, just rename the "healthy.html" to something like "unhealthy.html" or "offline.html."  After a few minutes, the LBs should detect a failure on the health check and prevent the server from answering requests.

This functions at the web site level.  Your server setup would look something like:

1. Server01 (blue = online)
1a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
1b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
1c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

2. Server02 (blue = online)
2a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
2b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
2c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

3. Server03 (green = online, but sites unhealthy)
3a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

4. Server04 (green = online, but sites unhealthy)
4a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

Deployment process:
1. drop code update on site "cliensite1.domain.com" on server 3 & 4
2. flip to Green servers
2a.  rename "healthy.html" on server 1 & 2 to "unhealthy.html"
2b.  rename "unhealthy.html" on server 3 & 4 to "healthy.html"
3. do this for each site as required

Dan
0
 

Author Closing Comment

by:davesnb
Comment Utility
Thanks Dan I like this approach .
0
 

Author Comment

by:davesnb
Comment Utility
HI Dan,

my cloud provider says that SSL offload is critical for this to work , is that correct ? I prefer not to use SSL oflfload due to some of the site configs .
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
I would say that is true because if there is an SSL Certificate being used, it would need to be on the LB so that it could terminate the SSL connection.  The positive side of this is that you would only have to update the SSL Cert once or twice... on the 1 or 2 LBs in operation.

What site configs are of concern?

Dan
0
 

Author Comment

by:davesnb
Comment Utility
I think some of our issues are coming in due to forcing of SSL (redirecting HTTP to HTTPS).  So the sites have been set incorrectly for the lb, the end result was no connection when attempting to work . Wha tis the optimal setting for the sites in IIS for the above to work with SSL offload, just have the "SSLl Settings" set to "ignore" for client certificates? is there anything else to check  ?
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
You are using Client Certificates?

What I've done in the past is drop the production SSL Cert on the LBs.  The http->https redirect is done at the LBs as well.  The LBs are the SSL endpoint for the clients.  Then the LBs act as a client to the websites on the server, make the http(s) request on behalf of the client and forward the response back to the original requester.

If you need end-to-end SSL traffic, you could use different, internally issues SSL certs between the LB & the IIS Servers.

Dan
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:davesnb
Comment Utility
No we are using server server certificates. The redirect to https is hard coded in some of the sites ( i just found out)
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
But this may not be a big deal... If you have a wildcard SSL certificate, just use it every where.

What do you mean "hard coded?"  Actually in the code or in the IIS web site config?  I would try to get the "hard coded" redirect removed if possible.

IMO, hard coding anything today goes against any form of best practice.  IIS has redirection capabilities plus the feature of URL Rewrite (which is even more powerful), so doing a redir in code is a waste of effort and white space.

Dan
0
 

Author Comment

by:davesnb
Comment Utility
HI Dan,

Do you have an example health monitor rule for the "healthy.hmtl"/ "unhealthy.html" for your sites loaded on the f5 that you can provide please.

D.
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
0
 

Author Comment

by:davesnb
Comment Utility
Thank you , is it possible to just change the domain names / ips and any other sensitive info . I just need an example compare . Thank you for the links nonetheless.

D.
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
The how to article is the one to go thru then.  I has screenshots.

Getting a dump of my health monitor is complicated and would involve going thru the security department.  Nice ppl but suspicious of everything especially of requests for rule configurations.

Dan
0
 

Author Comment

by:davesnb
Comment Utility
ok no worries , tks
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now