Solved

ip / url redirect

Posted on 2016-09-26
Last Modified: 2016-10-05
Hello EE,

I have a set of pooled servers and, for deployment reasons, I want to use a "Blue/Green" deployment for updates. So essentially, the current production is "Blue" (v1) and when we update a client, they are moved to "Green" v2. For example, there are 4 servers in the pool: server1 (blue), server2 (blue), server3 (green), server4 (green). The external IP is the same and points to all 4, but only 2 (blue/current prod) are active, and I wish to redirect ONE CLIENT AT A TIME to the green set during an update. This is a 2012 R2 IIS8 environment and each client site is hosted on the same internal IP using a wildcard cert. Example: client1.somedomain.ca, client2.somedomain.ca

Since I do not wish to change the public DNS records, I need a way to redirect the traffic to the green set (new IP internal pool). Initially, I was going to have my cloud provider configure an iRule on the F5 BIG-IP device for this and redirect the traffic this way, but I wish to maintain control over the redirecting of each client from either within IIS or using a proxy service.

Is there a way to use a service or something in IIS8 to achieve the same result?
Question by:davesnb

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41817581
Load balancers are capable of running a check against a web site to see if a specific page is available.  This is often referred to as a "health check" or "health monitor."

Link:  https://devcentral.f5.com/articles/back-to-basics-health-monitors-and-load-balancing

So in essence this would be the process (I use this in PROD):
** this assumes you have a web farm defined on the LBs **

1. choose a name for the web page to be used in the health check config
1a. I use an HTML file named healthy.html which is a properly formed HTML5 page with an <h1> element that has the content "healthy" in it.
2. place the "healthy.html" file in the content structure of each site to be checked.  I place it in the root of every site.  You could place it deeper in your site, but that is your choice and the flexibility of your LBs.
3. set up the health check on the LB.  I use a frequency of 60 seconds.
4. To take a server out of service, just rename the "healthy.html" to something like "unhealthy.html" or "offline.html."  After a few minutes, the LBs should detect a failure on the health check and prevent the server from answering requests.

This functions at the web site level.  Your server setup would look something like:

1. Server01 (blue = online)
1a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
1b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
1c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

2. Server02 (blue = online)
2a.  clientsite1.domain.com - healthy.html in the site root, returns a http 200 when hit
2b.  clientsite2.domain.com - healthy.html in the site root, returns a http 200 when hit
2c.  clientsite3.domain.com - healthy.html in the site root, returns a http 200 when hit

3. Server03 (green = online, but sites unhealthy)
3a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
3c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

4. Server04 (green = online, but sites unhealthy)
4a.  clientsite1.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4b.  clientsite2.domain.com - unhealthy.html in the root, hit to healthy.html returns 404
4c.  clientsite3.domain.com - unhealthy.html in the root, hit to healthy.html returns 404

Deployment process:
1. drop code update on site "clientsite1.domain.com" on server 3 & 4
2. flip to Green servers
2a.  rename "healthy.html" on server 1 & 2 to "unhealthy.html"
2b.  rename "unhealthy.html" on server 3 & 4 to "healthy.html"
3. do this for each site as required

Dan
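
The per-site flip described in the answer above, as an added PowerShell example (not code from the original post or from Dan's production setup). The `$Root` folder tree is constructed sample data standing in for each server's site root, and the function names `Set-SiteHealth`, `Get-HealthySet` and `Switch-SiteToGreen` are hypothetical.

```powershell
# Added example (not from the original post): per-site blue/green flip by renaming the health file.
# $Root is a constructed folder tree standing in for each server's site root (assumption).
$Root  = Join-Path ([IO.Path]::GetTempPath()) 'bluegreen-demo'
$Blue  = 'Server01', 'Server02'
$Green = 'Server03', 'Server04'
$Sites = 'clientsite1.domain.com', 'clientsite2.domain.com', 'clientsite3.domain.com'

# Build the starting state from the answer: blue sites healthy, green sites unhealthy.
Remove-Item $Root -Recurse -Force -ErrorAction SilentlyContinue
foreach ($server in $Blue + $Green) {
    foreach ($site in $Sites) {
        $dir  = New-Item -ItemType Directory -Force -Path (Join-Path $Root "$server\$site")
        $name = if ($Blue -contains $server) { 'healthy.html' } else { 'unhealthy.html' }
        Set-Content -Path (Join-Path $dir.FullName $name) -Value '<h1>healthy</h1>'
    }
}

# Hypothetical helper: put one site on a set of servers into the wanted health state.
function Set-SiteHealth {
    param([string[]]$Servers, [string]$Site, [bool]$Healthy)
    $from, $to = if ($Healthy) { 'unhealthy.html', 'healthy.html' } else { 'healthy.html', 'unhealthy.html' }
    foreach ($server in $Servers) {
        $siteRoot = Join-Path $Root "$server\$Site"
        if (Test-Path (Join-Path $siteRoot $to)) { continue }   # already in the wanted state
        # Stops the flip if the expected file is missing, i.e. the site is not staged here.
        Rename-Item -Path (Join-Path $siteRoot $from) -NewName $to -ErrorAction Stop
    }
}

# Servers whose site root holds healthy.html, i.e. those the monitor would get a 200 from.
function Get-HealthySet {
    param([string]$Site)
    $Blue + $Green | Where-Object { Test-Path (Join-Path $Root "$_\$Site\healthy.html") }
}

# Steps 2a and 2b of the deployment process, for one client site only.
function Switch-SiteToGreen {
    param([string]$Site)
    Set-SiteHealth -Servers $Blue  -Site $Site -Healthy $false   # 2a
    Set-SiteHealth -Servers $Green -Site $Site -Healthy $true    # 2b
    $live = @(Get-HealthySet -Site $Site)
    if (($live -join ',') -ne ($Green -join ',')) { throw "Flip of $Site incomplete: $($live -join ', ')" }
    $live
}

Switch-SiteToGreen -Site 'clientsite1.domain.com'   # only this client moves to green
$Sites | ForEach-Object { '{0}: {1}' -f $_, ((Get-HealthySet -Site $_) -join ', ') }
```

The final report line lists, per site, which servers would pass the load balancer's check, so the other client sites can be confirmed as still served by the blue pair.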

Author Closing Comment

by:davesnb
ID: 41818256
Thanks Dan, I like this approach.

Author Comment

by:davesnb
ID: 41821636
Hi Dan,

My cloud provider says that SSL offload is critical for this to work, is that correct? I prefer not to use SSL offload due to some of the site configs.

Expert Comment

by:Dan McFadden
ID: 41821646
I would say that is true because if there is an SSL Certificate being used, it would need to be on the LB so that it could terminate the SSL connection.  The positive side of this is that you would only have to update the SSL Cert once or twice... on the 1 or 2 LBs in operation.

What site configs are of concern?

Dan

Author Comment

by:davesnb
ID: 41821706
I think some of our issues are coming in due to forcing of SSL (redirecting HTTP to HTTPS).  So the sites have been set incorrectly for the LB; the end result was no connection when attempting to work. What is the optimal setting for the sites in IIS for the above to work with SSL offload, just have the "SSL Settings" set to "ignore" for client certificates? Is there anything else to check?

Expert Comment

by:Dan McFadden
ID: 41821731
You are using Client Certificates?

What I've done in the past is drop the production SSL Cert on the LBs.  The http->https redirect is done at the LBs as well.  The LBs are the SSL endpoint for the clients.  Then the LBs act as a client to the websites on the server, make the http(s) request on behalf of the client and forward the response back to the original requester.

If you need end-to-end SSL traffic, you could use different, internally issued SSL certs between the LB & the IIS Servers.

Dan

Author Comment

by:davesnb
ID: 41821747
No, we are using server certificates. The redirect to HTTPS is hard coded in some of the sites (I just found out).

Expert Comment

by:Dan McFadden
ID: 41821788
But this may not be a big deal... If you have a wildcard SSL certificate, just use it everywhere.

What do you mean "hard coded?"  Actually in the code or in the IIS web site config?  I would try to get the "hard coded" redirect removed if possible.

IMO, hard coding anything today goes against any form of best practice.  IIS has redirection capabilities plus the feature of URL Rewrite (which is even more powerful), so doing a redir in code is a waste of effort and white space.

Dan

Author Comment

by:davesnb
ID: 41829940
Hi Dan,

Do you have an example health monitor rule for the "healthy.html"/"unhealthy.html" for your sites loaded on the F5 that you can provide, please?

D.

Expert Comment

by:Dan McFadden
ID: 41829956

Author Comment

by:davesnb
ID: 41829968
Thank you, is it possible to just change the domain names / IPs and any other sensitive info? I just need an example compare. Thank you for the links nonetheless.

D.

Expert Comment

by:Dan McFadden
ID: 41829986
The how-to article is the one to go thru then.  It has screenshots.

Getting a dump of my health monitor is complicated and would involve going thru the security department.  Nice ppl but suspicious of everything especially of requests for rule configurations.

Dan

Author Comment

by:davesnb
ID: 41830001
OK, no worries, tks