Solved

ip / url redirect

Posted on 2016-09-26
Last Modified: 2016-10-05
Hello EE,

I have a set of pooled servers and, for deployment reasons, I want to use a "Blue/Green" deployment for updates. So essentially, the current production is "Blue" (v1) and when we update a client, they are moved to "Green" (v2). For example, there are 4 servers in the pool: server1 (blue), server2 (blue), server3 (green), server4 (green). The external IP is the same and points to all 4, but only 2 (blue/current prod) are active, and I wish to redirect ONE CLIENT AT A TIME to the green set during an update. This is a 2012 R2 IIS8 environment and each client site is hosted on the same internal IP using a wildcard cert. Example: client1.somedomain.ca, client2.somedomain.ca

Since I do not wish to change the public DNS records, I need a way to redirect the traffic to the green set (new internal IP pool). Initially, I was going to have my cloud provider configure an iRule on the F5 BIG-IP device for this and redirect the traffic this way, but I wish to maintain control over the redirecting of each client from either within IIS or using a proxy service.

Is there a way to use a service or something in IIS8 to achieve the same result?
Question by:davesnb
13 Comments
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41817581
Load balancers are capable of running a check against a web site to see if a specific page is available.  This is often referred to as a "health check" or "health monitor."

Link:  https://devcentral.f5.com/articles/back-to-basics-health-monitors-and-load-balancing

So in essence this would be the process (I use this in PROD):
** this assumes you have a web farm defined on the LBs **

1. choose a name for the web page to be used in the health check config
1a. I use an HTML file named healthy.html which is a properly formed HTML5 page with an <h1> element that has the content "healthy" in it.
2. place the "healthy.html" file in the content structure of each site to be checked.  I place it in the root of every site.  You could place it deeper in your site, but that is your choice and the flexibility of your LBs.
3. set up the health check on the LB.  I use a frequency of 60 seconds.
4. To take a server out of service, just rename the "healthy.html" to something like "unhealthy.html" or "offline.html."  After a few minutes, the LBs should detect a failure on the health check and prevent the server from answering requests.

This functions at the web site level.  Your server setup would look something like:

1. Server01 (blue = online)
1a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
1b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
1c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

2. Server02 (blue = online)
2a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
2b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
2c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

3. Server03 (green = online, but sites unhealthy)
3a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

4. Server04 (green = online, but sites unhealthy)
4a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

Deployment process:
1. drop code update on site "clientsite1.domain.com" on server 3 & 4
2. flip to Green servers
2a.  rename "healthy.html" on server 1 & 2 to "unhealthy.html"
2b.  rename "unhealthy.html" on server 3 & 4 to "healthy.html"
3. do this for each site as required

Dan
0
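
The flip in steps 2a and 2b for a single client site, followed by a probe of what a health monitor would see on each server, as an added example that is not part of the answer above. The server names, the UNC share layout and the plain-HTTP probe are assumptions; the probe sets the Host header because every client site in the question shares one internal IP.

```powershell
# Added example, not from the thread. Server names, share layout and the
# plain-HTTP probe are assumptions; adjust them to your environment.
$Blue  = 'server1', 'server2'
$Green = 'server3', 'server4'
$Site  = 'clientsite1.domain.com'
$Share = 'c$\inetpub\sites'   # assumed: \\<server>\c$\inetpub\sites\<site>

function Set-SiteHealth {
    param([string[]]$Servers, [string]$Site, [bool]$Healthy)
    if ($Healthy) { $from = 'unhealthy.html'; $to = 'healthy.html' }
    else          { $from = 'healthy.html';   $to = 'unhealthy.html' }
    foreach ($s in $Servers) {
        $root = "\\$s\$Share\$Site"
        $src  = Join-Path $root $from
        $dst  = Join-Path $root $to
        $hasSrc = Test-Path -LiteralPath $src
        $hasDst = Test-Path -LiteralPath $dst
        if ($hasDst -and -not $hasSrc) { continue }   # already in the wanted state
        if ($hasDst -or -not $hasSrc) {
            throw "$Site on $s needs exactly one of healthy.html or unhealthy.html"
        }
        Rename-Item -LiteralPath $src -NewName $to
    }
}

function Get-HealthStatus {
    param([string]$Server, [string]$Site)
    $req = [System.Net.WebRequest]::Create("http://$Server/healthy.html")
    $req.Host = $Site                # all sites share one IP; Host selects the site
    $req.AllowAutoRedirect = $false  # a forced HTTP-to-HTTPS redirect shows as 301/302
    $req.Timeout = 5000
    try { $resp = $req.GetResponse() }
    catch { $resp = $_.Exception.GetBaseException().Response }  # 404 is thrown
    if (-not $resp) { return 0 }     # no HTTP answer at all
    $code = [int]$resp.StatusCode
    $resp.Close()
    $code
}

# Same order as steps 2a and 2b: blue out first, then green in.
Set-SiteHealth -Servers $Blue  -Site $Site -Healthy $false
Set-SiteHealth -Servers $Green -Site $Site -Healthy $true

foreach ($s in ($Blue + $Green)) {
    $want = if ($Green -contains $s) { 200 } else { 404 }
    $got  = Get-HealthStatus -Server $s -Site $Site
    '{0,-8} {1}  expected {2}  got {3}' -f $s, $Site, $want, $got
}
```

The load balancer only changes a member's state after its own monitor interval has passed, so this output shows what the next probes will receive, not what the LB currently believes.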
 

Author Closing Comment

by:davesnb
ID: 41818256
Thanks Dan, I like this approach.
0
 

Author Comment

by:davesnb
ID: 41821636
Hi Dan,

My cloud provider says that SSL offload is critical for this to work, is that correct? I prefer not to use SSL offload due to some of the site configs.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41821646
I would say that is true because if there is an SSL Certificate being used, it would need to be on the LB so that it could terminate the SSL connection.  The positive side of this is that you would only have to update the SSL Cert once or twice... on the 1 or 2 LBs in operation.

What site configs are of concern?

Dan
0
 

Author Comment

by:davesnb
ID: 41821706
I think some of our issues are coming in due to forcing of SSL (redirecting HTTP to HTTPS).  So the sites have been set incorrectly for the LB; the end result was no connection when attempting to work. What is the optimal setting for the sites in IIS for the above to work with SSL offload, just have the "SSL Settings" set to "ignore" for client certificates? Is there anything else to check?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41821731
You are using Client Certificates?

What I've done in the past is drop the production SSL Cert on the LBs.  The http->https redirect is done at the LBs as well.  The LBs are the SSL endpoint for the clients.  Then the LBs act as a client to the websites on the server, make the http(s) request on behalf of the client and forward the response back to the original requester.

If you need end-to-end SSL traffic, you could use different, internally issued SSL certs between the LB & the IIS Servers.

Dan
0
 

Author Comment

by:davesnb
ID: 41821747
No, we are using server certificates. The redirect to HTTPS is hard coded in some of the sites (I just found out).
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41821788
But this may not be a big deal... If you have a wildcard SSL certificate, just use it everywhere.

What do you mean "hard coded?"  Actually in the code or in the IIS web site config?  I would try to get the "hard coded" redirect removed if possible.

IMO, hard coding anything today goes against any form of best practice.  IIS has redirection capabilities plus the feature of URL Rewrite (which is even more powerful), so doing a redir in code is a waste of effort and white space.

Dan
0
 

Author Comment

by:davesnb
ID: 41829940
Hi Dan,

Do you have an example health monitor rule for the "healthy.html" / "unhealthy.html" for your sites loaded on the F5 that you can provide, please?

D.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41829956
0
 

Author Comment

by:davesnb
ID: 41829968
Thank you, is it possible to just change the domain names / IPs and any other sensitive info? I just need an example compare. Thank you for the links nonetheless.

D.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 41829986
The how-to article is the one to go thru then.  It has screenshots.

Getting a dump of my health monitor is complicated and would involve going thru the security department.  Nice ppl but suspicious of everything especially of requests for rule configurations.

Dan
0
 

Author Comment

by:davesnb
ID: 41830001
ok no worries, tks
0


Question has a verified solution.
