Add notice to maintenance mode setting that it uses 5xx HTTP response

[rszrama]

Backdrop (and Drupal) currently returns a 503 HTTP status when the site is in maintenance mode. I believe this is a misunderstanding of HTTP. Maintenance mode is not a server error at all - it is an explicit decision by the administrator of an application on the server to restrict how users of the application may interact with it. 5xx errors should be used when there's an issue with the web server itself.

Per RFC 2616:

The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay MAY be indicated in a Retry-After header. If no Retry-After is given, the client SHOULD handle the response as it would for a 500 response.

In the case of maintenance mode, I believe we should still simply return a 200 status.

[quicksketch]

Hi @rszrama! I'm not sure. Seems like the spec is a little open to interpretation. "Maintenance of the server"... seems like that could mean maintenance of any software running on the server, whether that's Backdrop, Varnish, Apache, PHP, or whatever. It's all software on the server. If the server were receiving physical maintenance (e.g. a hard drive replacement), it seems unlikely that the server would be able to return a status code at all.

So if an admin puts the site in "maintenance mode" to do something to Backdrop (e.g. apply a code update and run update.php), it seems like that would qualify as maintenance of the server.

But perhaps we should look at it from a different angle. Does the HTTP 503 error cause a problem when interacting with Backdrop sites in maintenance mode?

[rszrama]

Yeah, I'm not quite sure. That said, Daniel Wehner turned up a potentially more devastating reason to retain the 503 code - apparently Google (at least 5 years ago) would react better to a failed index due to a 503 than a 200. It's not entirely clear how that still works given some of the comments in the blog post, but the relevant post is here:

https://googlewebmastercentral.blogspot.de/2011/01/how-to-deal-with-planned-site-downtime.html

(And the Drupal issue is here: https://www.drupal.org/node/2674900)

Part of my issue is that I was actually planning to use maintenance mode for a site's pre-launch. So, the larger site was going to be offline, but it's much easier to prevent accidental access of pages all across the site by putting it in maintenance mode with a custom maintenance theme. In that use case, it should definitely use a 200, but perhaps we should simply document that as an abuse of maintenance mode.

[klonos]

Per RFC 2616:

This seems to have been deprecated: https://www.w3.org/Protocols/rfc2616/rfc2616.html

This document has been superseded. In 2014, RFC2616 was replaced by multiple RFCs (7230-7237). See IETF Documents for more information.

[klonos]

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

I'm not an expert at stuff like this, but @quicksketch seems to be right in that there seems to be room for (mis)interpretation. I also wanted to point to this part of the same document as a perhaps (as I said, I'm no expert) more suited code for the maintenance mode:

10.1.1 100 Continue

The client SHOULD continue with its request. This interim response is used to inform the client that the initial part of the request has been received and has not yet been rejected by the server. The client SHOULD continue by sending the remainder of the request or, if the request has already been completed, ignore this response. The server MUST send a final response after the request has been completed. See section 8.2.3 for detailed discussion of the use and handling of this status code.

[ghost]

I am an expert, and I can confirm that 503 is the right status code for this case. Keep in mind that

• 503 is Service unavailable, not Server
• each response is a specific response to a specific request

In the case of a backdrop server in maintenance mode, the request of "/" is that the home page is not availble, but the response to "/user" is a normal 200 OK : the login service is available.

The response to the login request will depend on the user roles, but this will be another request.

[ghost]

@rszrama : the first meaning of 200 OK is that the response content is the expected response to the request - if your site is an commerce boutique and the user validates the paiement just after the site is in maintenance mode, the maintenance page will not be the expected response... If the "user agent" is actually a smartphone app, this could be important !

[MrHaroldA]

"503 Service temporary unavailable" is by far the best way to serve the maintenance page, even Google confirms that.

[rszrama]

Yeah, fwiw, I'm not convinced by @gifad's comment above - the category of 5xx errors specifically say they relate to the server, even if the 503 says service from the server is temporarily unavailable, but I suppose there's room to suggest the server includes the application running on it and not just the infrastructure running it. However, if it avoids negative impact on search ranking for sites that are taken offline, then it's definitely the right thing to use.

I think the reason it struck me as odd is because I was wanting to use maintenance mode as a pre-launch. In other words, I wasn't taking the site offline to perform an update so much as launching the site with a splash page and some introductory content while building out the rest of the site. I'd still want the landing page to return a 200 and be linked / indexed, so a 503 wouldn't be appropriate in that case.

So I guess the question is - what should sites in pre-launch do, and where should we document the drawbacks of using maintenance mode in that case?

[MrHaroldA]

Your case does not sound like a task for the maintenance mode at all, but a complete other website, including (published) content. This is not what the maintenance mode is for.

[rszrama]

Meh. Maybe. That's why I suggested that myself above.

However, it remains the only way to quickly disable general access to a site while you're working on other parts of a site. I already have a "Coming Soon" module that I can use to implement the same access restrictions to the site that maintenance mode uses, but I still think it's true that maintenance mode needs more documentation to qualify when / how it should be used and to identify the fact that it will instruct Drupal to return an HTTP error code.

[ghost]

Perhaps we should add a notice about this to the maintenance settings page...

[ghost]

I'm building a site for my brother and, until it's ready to launch, I've put the site in maintenance mode (with a customised maintenance page saying 'Coming soon').

My brother is meanwhile setting up his brand on Facebook, Instagram, etc., and noticed that he can't add the website to Facebook. He sent me screenshots from developers.Facebook.com showing the message:

URL returned a bad HTTP response code (503).

Something to consider...