Thursday, 27 November 2014

IBM HTTP Server - maintenance mode

One of my colleagues was looking for some intel. on this earlier this week.

The requirement is to have IBM HTTP Server (IHS) display a different banner page when WebSphere Application Server is placed into maintenance mode e.g. when the WAS cell is being shut down, recycled, upgraded etc.

After a few iterations, and a read of this: -


this is what I configured.

In essence, we place a single file in the IHS DocumentRoot: -

DocumentRoot "/opt/IBM/HTTPServer/htdocs"

called: -

/opt/IBM/HTTPServer/htdocs/serverdown.txt

*BUT* only when we want IHS to display the maintenance page.

IHS then uses Apache mod_rewrite directives to check for this file and, only if it is present, display a static HTML file: -

maintenance.html

<html>
<head><title>Server Down For Maintenance</title></head>
<body>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td>
<div align="center">
<span style="font-family:Times New Roman, Times, serif; font-weight:bold;color:#990000; font-size:30px;">
Site is currently down for maintenance.<br>Please try again later.
</span>
</div>
</td>
</tr>
</table>
</body>
</html>


Now I have IHS listening for HTTP connections on port 8080 and listening for HTTPS connections on port 8443.

Therefore, I configured mod_rewrite to do a number of things: -

(1) Route any incoming requests on 8080 to 8443
(2) Route all requests to a specific page - I'm using IBM Business Process Manager here, so I want everyone to go to the Process Center URL
(3) Check for the maintenance-mode indicator file and, if present, present the maintenance page back to the user

This requires me to have TWO discrete blocks in httpd.conf related to mod_rewrite as follows: -

Push everything on port 8080 to the Process Center URL on port 8443

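LoadModule rewrite_module /opt/IBM/HTTPServer/modules/mod_rewrite.so
<ifModule mod_rewrite.c>
        RewriteEngine on
        # True for any port other than 80, so it matches the 8080 listener
        RewriteCond %{SERVER_PORT} !^80$
        # Permanent redirect of every request to Process Center over HTTPS
        RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/ProcessCenter/ [R=301,L]
        # Log rewrite decisions; level 3 includes the pattern matching steps
        RewriteLog logs/rewrite.log
        RewriteLogLevel 3
</ifModule>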


Enable SSL, push everything to the Process Center URL, check for the maintenance-mode indicator file

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 8443
<VirtualHost *:8443>
        SSLEnable
        RewriteEngine On
        # Anything outside /ProcessCenter/ is redirected there first
        RewriteCond %{REQUEST_URI} !^/ProcessCenter/
        RewriteRule ^(.*)$ https://%{SERVER_NAME}:8443/ProcessCenter/ [R=301,L]
        # If the indicator file exists, serve the maintenance page instead
        RewriteCond %{DOCUMENT_ROOT}/serverdown.txt -f
        RewriteRule ^(.*)$ /maintenance.html [PT]
        RewriteLog logs/ssl_rewrite.log
        RewriteLogLevel 3
</VirtualHost>
KeyFile /opt/IBM/HTTPServer/ssl/keystore.kdb
SSLDisable


I've highlighted the mod_rewrite directives above. Also, note that we're logging the rewrite activities in two places: -

HTTP > HTTPS = rewrite.log

e.g.

192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (2) init rewrite engine with requested uri /
192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (3) applying pattern '^(.*)$' to uri '/'
192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (2) rewrite '/' -> 'https://bpm855.uk.ibm.com:8443/ProcessCenter/'
192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (2) explicitly forcing redirect with https://bpm855.uk.ibm.com:8443/ProcessCenter/
192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (1) escaping https://bpm855.uk.ibm.com:8443/ProcessCenter/ for redirect
192.168.1.70 - - [25/Nov/2014:21:50:49 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c64002968/initial] (1) redirect to https://bpm855.uk.ibm.com:8443/ProcessCenter/ [REDIRECT/301]


HTTPS = ssl_rewrite.log

192.168.1.70 - - [26/Nov/2014:18:55:29 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6401a448/initial] (3) applying pattern '^(.*)$' to uri '/ProcessCenter/login.jsp'
192.168.1.70 - - [26/Nov/2014:18:55:29 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6401a448/initial] (3) applying pattern '^(.*)$' to uri '/ProcessCenter/login.jsp'
192.168.1.70 - - [26/Nov/2014:18:55:29 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6401a448/initial] (1) pass through /ProcessCenter/login.jsp


In order to be able to test this, I created a small Bash script to turn maintenance on and off: -

maint.sh
 
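#!/bin/bash

# Toggle the IHS maintenance-mode indicator file.
# "on" creates the file; any other argument removes it.
if [ "$1" = "on" ] ; then
    touch /opt/IBM/HTTPServer/htdocs/serverdown.txt
else
    rm -f /opt/IBM/HTTPServer/htdocs/serverdown.txt
fi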


When I turn maintenance mode on: -

./maint.sh on

and hit IHS on port 8080: -


this is what I see in rewrite.log: -

192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (2) init rewrite engine with requested uri /
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (3) applying pattern '^(.*)$' to uri '/'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (2) rewrite '/' -> 'https://bpm855.uk.ibm.com:8443/ProcessCenter/'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (2) explicitly forcing redirect with https://bpm855.uk.ibm.com:8443/ProcessCenter/
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (1) escaping https://bpm855.uk.ibm.com:8443/ProcessCenter/ for redirect
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#13c1930][rid#7f1c5c015f98/initial] (1) redirect to https://bpm855.uk.ibm.com:8443/ProcessCenter/ [REDIRECT/301]


and this is what I see in ssl_rewrite.log: -

192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) init rewrite engine with requested uri /ProcessCenter/
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (3) applying pattern '^(.*)$' to uri '/ProcessCenter/'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (3) applying pattern '^(.*)$' to uri '/ProcessCenter/'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) rewrite '/ProcessCenter/' -> '/maintenance.html'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) forcing '/maintenance.html' to get passed through to next API URI-to-filename handler
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (2) init rewrite engine with requested uri /favicon.ico
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (3) applying pattern '^(.*)$' to uri '/favicon.ico'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (2) rewrite '/favicon.ico' -> 'https://bpm855.uk.ibm.com:8443/ProcessCenter/'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (2) explicitly forcing redirect with https://bpm855.uk.ibm.com:8443/ProcessCenter/
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (1) escaping https://bpm855.uk.ibm.com:8443/ProcessCenter/ for redirect
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (1) redirect to https://bpm855.uk.ibm.com:8443/ProcessCenter/ [REDIRECT/301]
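To check which requests actually received the maintenance page, the RewriteLog lines can be reduced to one outcome per request id. This is an added example, not part of the original post; the function names and the output format are assumptions, and the sample lines are copied from the ssl_rewrite.log excerpt above.

```shell
#!/bin/sh
# Sample input: five lines copied from the ssl_rewrite.log excerpt above.
sample_log() {
    cat <<'EOF'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) init rewrite engine with requested uri /ProcessCenter/
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) rewrite '/ProcessCenter/' -> '/maintenance.html'
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c6405c208/initial] (2) forcing '/maintenance.html' to get passed through to next API URI-to-filename handler
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (2) init rewrite engine with requested uri /favicon.ico
192.168.1.70 - - [27/Nov/2014:07:11:23 +0000] [bpm855.uk.ibm.com/sid#14326c8][rid#7f1c64018438/initial] (1) redirect to https://bpm855.uk.ibm.com:8443/ProcessCenter/ [REDIRECT/301]
EOF
}

# Print "<request uri> <action> <target>" for each request id (rid).
rewrite_outcomes() {
    awk '
    match($0, /rid#[0-9a-f]+/) {
        rid = substr($0, RSTART, RLENGTH)
        if (!(rid in seen)) { seen[rid] = 1; order[++n] = rid }
        msg = $0
        sub(/^.*\] \([0-9]+\) /, "", msg)   # strip client, time, ids, level
        if (msg ~ /^init rewrite engine with requested uri /) {
            sub(/^init rewrite engine with requested uri /, "", msg)
            uri[rid] = msg
        } else if (msg ~ /^redirect to /) {
            sub(/^redirect to /, "", msg)
            sub(/ \[REDIRECT\/[0-9]+\]$/, "", msg)
            action[rid] = "redirect"; target[rid] = msg
        } else if (msg ~ /^forcing .* to get passed through/) {
            split(msg, q, "\047")           # \047 is the single quote
            action[rid] = "internal"; target[rid] = q[2]
        } else if (msg ~ /^pass through /) {
            sub(/^pass through /, "", msg)
            if (!(rid in uri)) uri[rid] = msg
            action[rid] = "pass-through"; target[rid] = msg
        }
    }
    END {
        for (i = 1; i <= n; i++)
            print uri[order[i]], action[order[i]], target[order[i]]
    }'
}

# Succeeds if any request was answered with the maintenance page.
maintenance_served() {
    rewrite_outcomes | grep -q ' internal /maintenance\.html$'
}

sample_log | rewrite_outcomes
```

The messages it relies on are logged at levels (1) and (2) in the excerpts above, so it needs RewriteLogLevel 2 or higher; feed it the live file with `rewrite_outcomes < logs/ssl_rewrite.log`.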


Once I turn maintenance mode off: -

./maint.sh off

things return to normal :-)

Oh, what fun :-)

