Bypass maintenance page


#1

Hello there!

I’m looking for a way to bypass the maintenance page on a backend (when all servers are in maintenance mode).

The solution we found is using force-persist but it doesn’t work without use-server.
And this last option doesn’t enable us to use/test load balancing while in maintenance.

The documentation doesn’t mention that force-persist needs to be used with use-server or any other option.
But it says that it works on frontend, backend and listen, which, I assume, means force-persist supports other options.

Any idea how to achieve this with force-persist or something else?
What is the exhaustive list of options which can be combined with force-persist?

Our bypass conditions are requests coming from some IPs or having a cookie set to true.
(the bypass can be disabled by the clients using an authorized IP with the cookie set to false)

Here is a testing configuration:

defaults
    mode http
    option httpclose
    option redispatch
    option abortonclose

frontend http
    bind *:80
    bind *:443 ssl no-sslv3 crt /etc/pki/tls/certs/app.example.org.pem
    use_backend app

backend app
    server app-01 app-01:80 maxconn 50 check slowstart 30s
    server app-02 app-02:80 maxconn 50 check slowstart 30s
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ app.example.org
    errorfile 503 /data/shared/maintenance/http/503.http
    force-persist if { always_true }

When all the servers are disabled, this configuration doesn’t bypass the maintenance page.
We still get the 503.


#2

You don’t have any persistence configured, so forcing persistence is not going to achieve anything.
How would you like haproxy to bypass maintenance mode? How should haproxy pick the server? Via cookies?

Try setting up cookies persistence without any cookie insertion, and then you can manually switch it on by setting the cookies in the browser:

backend app
 cookie hap_bypass_secretkeyblabla
 server app-01 cookie srv-app-01 app-01:80 maxconn 50 check slowstart 30s
 server app-02 cookie srv-app-02 app-02:80 maxconn 50 check slowstart 30s

Then, in your browser, set the cookie “hap_bypass_secretkeyblabla” to srv-app-01 or srv-app-02 respectively, for example in Chrome via the developer tools console:

document.cookie="hap_bypass_secretkeyblabla=srv-app-01; path=/"

You can assign the same cookie to multiple servers; I believe force-persist should still work. However, you can’t force persistence when no persistence is actually configured.

Also, double-check that haproxy doesn’t actually emit the cookies, if that is not what you want. I’d still recommend you use the force-persist option with an IP ACL, to whitelist only specific IPs.


#3

Thank you for your quick reply @lukastribus

> You don’t have any persistence configured, so forcing persistence is not going to achieve anything.

This explains everything. So force-persist isn’t exactly what I’m looking for.

Here are the ACLs I was testing with:

    acl from_authorized_ip src 192.168.1.11/32
    acl from_authorized_ip src 10.0.0.23/32
    acl has_bypass_cookie_true hdr_sub(cookie) -i BYPASS_MAINTENANCE=true
    force-persist if from_authorized_ip or has_bypass_cookie_true

I finally decided to use a “maintenance” backend:

frontend http
   ...
   acl ...
   #use_backend maintenance unless from_authorized_ip or has_bypass_cookie_true
   use_backend app

backend maintenance
   errorfile 503 /data/shared/maintenance/http/503.http

For the moment, I un/comment the line, but I plan to use a value in a file to trigger it.
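
The "maintenance" backend approach from post #3, written out in full with the bypass conditions stated in post #1. This is an added example, not configuration posted by anyone in the thread: the ACL names bypass_on and bypass_off are hypothetical, and the cookie test uses req.cook() (exact match on one named cookie) in place of the hdr_sub(cookie) substring match.

```haproxy
defaults
    mode http

frontend http
    bind *:80
    bind *:443 ssl no-sslv3 crt /etc/pki/tls/certs/app.example.org.pem

    # Several patterns on one acl line are ORed, same as repeating the name.
    acl from_authorized_ip src 192.168.1.11/32 10.0.0.23/32

    # req.cook(<name>) parses the Cookie header and does an exact string match
    # on the value of the cookie called BYPASS_MAINTENANCE only.
    # hdr_sub(cookie) matches a substring anywhere in the header, so it would
    # also match OTHER_BYPASS_MAINTENANCE=true or BYPASS_MAINTENANCE=true123.
    acl bypass_on  req.cook(BYPASS_MAINTENANCE) -i true
    acl bypass_off req.cook(BYPASS_MAINTENANCE) -i false

    # Maintenance ON: everything goes to the 503 page except
    #   - a request carrying BYPASS_MAINTENANCE=true, or
    #   - an authorized IP that has not opted out with BYPASS_MAINTENANCE=false.
    # The cookie is client-supplied; to limit the bypass to the listed IPs,
    # as post #2 recommends, use "if from_authorized_ip bypass_on" instead.
    use_backend app if bypass_on
    use_backend app if from_authorized_ip !bypass_off
    default_backend maintenance
    # Maintenance OFF: replace the three lines above with "default_backend app".

backend app
    # Servers stay enabled, so load balancing can be tested during maintenance.
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ app.example.org
    server app-01 app-01:80 maxconn 50 check slowstart 30s
    server app-02 app-02:80 maxconn 50 check slowstart 30s

backend maintenance
    # No servers defined: every request routed here receives the errorfile.
    errorfile 503 /data/shared/maintenance/http/503.http
```

Running `haproxy -c -f <file>` checks the syntax before a reload.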