Easy unavailability page in IIS

AcacioPN

Staff

Discussion

Hello all

A lot of you have probably had problems setting up complete unavailability of your public web site running the Agile Platform on IIS; for example, to run Maintenance tasks.

Sure, if you want to put one individual application offline you can use the Put Offline option in Service Center, but what if you want to bring everything down?
Or what if you are using a older version of the Agile Platform (6.0-) with out the Put Offline option?

At IIS level there are multiple ways to cut access to an application. My prefered way is to use a trick based on the 403.6 error - that means creating a list of IP that are allowed to access and leave the others out.
In this scenario I will only allow 127.0.0.1 to pass through - this will give me the option to access the apps and Service Center when logged on the server to confirm that things are working after the maintenance is complete.

This is how it is done.

Prepare the server

This is something you do only once in each server to prepare it.

--

1. Create an HTML maintenance page, and save it somewhere. The simplest HTML content you may use is something like:

<html><body><p>This server is under maintenance</p></body></html>

Save it in a file in the server - I suggest C:\Inetpub\wwwroot\maintenance.html

--

2. Now create the custom error page for the 403.6 error to point to this page:

--

3. Add a default "allow entry" for 127.0.0.1. For this, go to IP Address and Domain Restrictions.
If you do not find this option, you need to install it in Server Manager.

--

4. Finally fix a setting in ApplicationHost.Config that prevents you from using absolute paths in error pages. For this, open a Notepad (right-click, Run As Administrator), open file C:\Windows\System32\InetSRV\Config\ApplicationHost.config, locate the tag <httpErrors and add attribute allowAbsolutePathsWhenDelegated="true".
For this step, make sure to make a backup copy of the file before any editing.

Put the server offline

When you want to put your server offline you need to go back to IP Address and Domain Restrictions.
Here, choose Edit Feature Settings and switch the default to Deny:

When you do this, immediately all accesses to your IIS from outside the server will produce this result:

But you will still be able to access from inside the machine (and timers continue to run, and etc).

Bring the server back online

For this, simply revert the IP Address and Domain Restrictions - from Deny to Allow.

If you have any questions or suggestions for improvements please let me know.

Cheers,

Acácio Porta Nova

17 Jan 2013

Gonçalo Martins

Staff

Great post Acácio..
I never done this before but it saves a lot of time..
And I have to say that is very well explained..

Kind Regards,
Gonçalo M.

17 Jan 2013

Owain Jones

I have just done this and it works great!

I was hoping to utilize the IIS app_offline.htm feature, but I can't figure it out. This works and is very easy to do especially after the initial setup.

Thanks!
Owain

18 Jan 2013

1 reply

18 Jan 2013

Show thread

Hide thread

AcacioPN

Staff

Owain Jones wrote:

Hi Owain

I considered using the app_offline.htm feature for this tutorial, but dropped it since it has at least 3 problems:

It depends on .NET, so it is affected by limitations if SEO feature is used (e.g. if a request needs to be moved between worker processes);
Given the architecture of the Agile Platform (with multiple virtual directories / applications in IIS - one for each eSpace) you would have to place one app_offline.html for each eSpace AND for the root level - a lot more work than the suggested approach;
It does not allow you to keep access to the apps for testing purposes.

Cheers,
Acácio Porta Nova

18 Jan 2013

Pedro Cardoso

Great post Acácio!

19 Jan 2013

Ivo Gonçalves

Hello,

Recently I had to do this same configuration using Windows Server 2012 R2 and I've found some minor differences from the original post, which was built for Windows Server 2008. I decided to share with you the configurations in case you're already using Windows Server 2012 R2.

While Windows Server 2008 R2 comes with IIS 7.5 Windows Server 2012 R2 comes with IIS 8.5. For the last the trick based on 403.6 error won't work, instead you have to configure IIS maintenance page to be shown when the HTTP error code 403.503 is sent.

This is how you can do it for Windows Server 2012 R2:

Prepare the server

1. For this scenario you're required to install IIS IP Address and Domain Restrictions feature. If you've this feature already installed skip to #2.

1.1 Open Server Manager->Manage->Add Roles and Features

--

1.2 Install IP Address and Domain Restrictions feature

--

2. Create you maintenance page and upload it to the server. For this example I'm going to save the maintenance page at C:\ineput\wwwroot\maintenance.html

--

3. Create a custom error page for the 403.503 error to point to your maintenance page

3.1. IIS Manager->Default Web Site

3.2. Add a new error page

3.3. Configure the status code and the file path for your maintenance page

--

4. Add a default "allow entry" for 127.0.0.1 using IP Address and Domain Restrictions

4.1. IIS Manager->Default Web Site->IP Address and Domain Restrictions

4.2. Add Allow Entry

4.3. Add the authorized IP Address

5. By default IIS won't allow you to use absolute paths for error pages and you must change this setting in order to use your maintenance page

5.1. IIS Manager-> Server Name (IIS ROOT)->Configuration Editor

5.2. Select system.webServer/httpErrors and change "allowAbsolutePathsWhenDelegated" value from false to true

Put the server offline

1. Deny the access for unauthorized IP Addresses

1.1 IIS Manager -> Default Web Site -> IP Address and Domain Restrictions

1.2. Edit Feature Settings

2. Test the access

2.1. Maintenance Page

2.2. Access inside the machine

Bring the server back online

1. Revert IP Address and Domain Restrictions

1.1. IIS Manager -> Default Web Site -> IP Address and Domain Restrictions

1.2. Edit Feature Settings

1.3. Server available again

Kind regards,
Ivo Gonçalves

17 Aug 2015

Duarte Santos

Staff

This does not apply to version 10.

The addition to the web.config of each application of the following, invalidates the configuration.

Will keep you guys posted after further analysis how to proceed.

21 Sep 2017

2 replies

Last reply 29 May 2020

Show thread

Hide thread

Pedro Menezes

Duarte Santos wrote:

This does not apply to version 10.

The addition to the web.config of each application of the following, invalidates the configuration.

Will keep you guys posted after further analysis how to proceed.

Hi Duarte

I know this is maybe a dead discussion. But did you guys in OutSystems figured out the workaround to apply this to OutSystems 10 and later? I've look for that line in OutSystems Apps in web.config and didn't found it....

Do you really think this won't work on OutSystems 10 and later versions?

Thank you

29 May 2020

AcacioPN

Staff

pedro menezes wrote:

Duarte Santos wrote:

This does not apply to version 10.

The addition to the web.config of each application of the following, invalidates the configuration.

Will keep you guys posted after further analysis how to proceed.

Hi Duarte

Do you really think this won't work on OutSystems 10 and later versions?

Thank you

If something is added explicitly (in this case the "existingReponse" part) to web.config I suspect you can override that with a FactoryConfiguration rule (with an XSLT rule to change the value to something else).

I'm just not sure what the impact would be - it needs to be tested.

Cheers,
Acácio

29 May 2020

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines