[reverse_proxy] active_health check to http endpoint does not work when upstream is via ssl/tls #6489

Open
KlettIT opened this issue Aug 1, 2024 · 2 comments

Comments

@KlettIT

KlettIT commented Aug 1, 2024

Hi,

I have a reverse_proxy configuration here which uses an https endpoint as upstream, but the health check must take place on port 80 (http). I have configured this as far as possible.

              "handler": "reverse_proxy",
              "transport": {
                "protocol": "http",
                "tls": {
                  "server_name": "sso.example.com"
                }
              },
              "load_balancing": {
                "selection_policy": { "policy": "client_ip_hash" }
              },
              "health_checks": {
                "active": {
                  "uri": "/adfs/probe",
                  "interval": "30s",
                  "timeout": "5s",
                  "passes": 2,
                  "fails": 3,
                  "port": 80,
                  "expect_status": 200
                }
              },
              "upstreams": [
                {
                  "dial": "SERVER01:443"
                },
                {
                  "dial": "SERVER02:443"
                }
              ]
            }
          ]

Although I have defined port 80 in health_check, an https request is sent here and not an http request.

Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.501933,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER01:80","error":"Get \"https://SERVER01:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.5023623,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER02:80","error":"Get \"https://SERVER02:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}

Is there a way to configure this?
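
A small lint for this situation, as an added example that is not part of the original issue or Caddy's own code: it walks a Caddy JSON config and lists the probe URLs for reverse_proxy handlers that combine a TLS transport with an active health check port different from the upstream dial port. It assumes, based only on the log lines above, that the probe scheme follows the transport; `SAMPLE`, `iter_reverse_proxies` and `probe_port_findings` are names made up for this example.

```python
import json

# Constructed sample: the handler from the issue, wrapped in a minimal route list.
SAMPLE = json.loads("""
[{"handle": [{
  "handler": "reverse_proxy",
  "transport": {"protocol": "http", "tls": {"server_name": "sso.example.com"}},
  "health_checks": {"active": {"uri": "/adfs/probe", "port": 80, "expect_status": 200}},
  "upstreams": [{"dial": "SERVER01:443"}, {"dial": "SERVER02:443"}]
}]}]
""")


def iter_reverse_proxies(node):
    """Yield every reverse_proxy handler object found anywhere in the config."""
    if isinstance(node, dict):
        if node.get("handler") == "reverse_proxy":
            yield node
        for value in node.values():
            yield from iter_reverse_proxies(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_reverse_proxies(item)


def probe_port_findings(config):
    """Return the probe URLs that would be sent over TLS to an overridden port."""
    findings = []
    for rp in iter_reverse_proxies(config):
        transport = rp.get("transport") or {}
        active = (rp.get("health_checks") or {}).get("active") or {}
        uses_tls = transport.get("protocol") == "http" and transport.get("tls") is not None
        check_port = active.get("port")
        if not uses_tls or not check_port:
            continue
        for upstream in rp.get("upstreams") or []:
            host, _, dial_port = upstream.get("dial", "").rpartition(":")
            if host and dial_port.isdigit() and int(dial_port) != int(check_port):
                # Assumption: scheme follows the transport, as in the issue's log lines.
                findings.append(f"https://{host}:{check_port}{active.get('uri', '/')}")
    return findings


if __name__ == "__main__":
    for url in probe_port_findings(SAMPLE):
        print("active health check will use TLS on overridden port:", url)
```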

@mholt
Member

mholt commented Aug 5, 2024

I don't know if it's a good idea for a health check to use a different port, let alone a different protocol, than the actual requests. 🤔 It kind of defeats the purpose if what is being checked is totally different from what is being proxied.

@KlettIT
Author

KlettIT commented Aug 6, 2024

Yes, I understand your point of view and you're not wrong. But then it makes no sense that I can specify the port at all.
My use-case is certainly a bit special here, but if that counts, in HAProxy you can specify the check port and protocol.
