caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0
56.98k stars 3.99k forks

[reverse_proxy] active_health check to http endpoint does not work when upstream is via ssl/tls #6489

Open KlettIT opened 1 month ago

KlettIT commented 1 month ago

Hi,

I have a reverse_proxy configuration here which uses an https endpoint as upstream, but the health check must take place on port 80 (http). I have configured this as far as possible.

```json
{
  "handler": "reverse_proxy",
  "transport": {
    "protocol": "http",
    "tls": {
      "server_name": "sso.example.com"
    }
  },
  "load_balancing": {
    "selection_policy": { "policy": "client_ip_hash" }
  },
  "health_checks": {
    "active": {
      "uri": "/adfs/probe",
      "interval": "30s",
      "timeout": "5s",
      "passes": 2,
      "fails": 3,
      "port": 80,
      "expect_status": 200
    }
  },
  "upstreams": [
    {
      "dial": "SERVER01:443"
    },
    {
      "dial": "SERVER02:443"
    }
  ]
}
```

Although I have defined port 80 in health_check, an https request is sent here and not an http request.

```
Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.501933,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER01:80","error":"Get \"https://SERVER01:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.5023623,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER02:80","error":"Get \"https://SERVER02:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
```

Is there a way to configure this?
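The log lines above show what happens when only the port of the probe is overridden while the scheme still follows the transport's TLS setting: Go's `net/http` client opens a TLS handshake to port 80, reads a plaintext HTTP reply instead of a ServerHello, and fails with `server gave HTTP response to HTTPS client`. The following Go program is an added example written for this page, not Caddy's own health-checker code: `healthCheckURL` is a hypothetical model of that URL derivation (scheme from the TLS flag, port from the `port` override), and `ReproduceMismatch` runs the probe against a constructed plaintext `httptest` listener standing in for the upstream's port 80, so the exact error from the issue can be reproduced offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// ActiveCheck carries the two fields from the issue's health_checks.active
// block that matter here: the probe path and the port override.
type ActiveCheck struct {
	URI  string
	Port int // 0 means "use the upstream's own port"
}

// healthCheckURL is a hypothetical model (not Caddy's code) of how the probe
// URL in the log lines comes about: the scheme follows the transport's TLS
// setting, and only the port is replaced by the health check's "port" value.
// With tlsEnabled=true and Port=80 this yields https://HOST:80/URI.
func healthCheckURL(dial string, tlsEnabled bool, hc ActiveCheck) (string, error) {
	host, port, err := net.SplitHostPort(dial)
	if err != nil {
		return "", err
	}
	if hc.Port != 0 {
		port = strconv.Itoa(hc.Port)
	}
	scheme := "http"
	if tlsEnabled {
		scheme = "https"
	}
	return scheme + "://" + net.JoinHostPort(host, port) + hc.URI, nil
}

// probe issues the health-check GET with a default client and a timeout,
// treating anything other than a 200 as a failed check.
func probe(url string) error {
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	return nil
}

// ReproduceMismatch starts a constructed plaintext listener (the stand-in for
// the upstream's port 80), builds the probe URL the way the model above does,
// and returns that URL together with the probe result. With tlsEnabled=true
// the error is the same "server gave HTTP response to HTTPS client" seen in
// the issue; with tlsEnabled=false the plain-HTTP probe succeeds.
func ReproduceMismatch(tlsEnabled bool) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/adfs/probe" {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusNotFound)
	}))
	defer srv.Close()

	// The listener picks a free port; use it as the health-check port override,
	// while the upstream "dial" address keeps its TLS port, as in the issue.
	_, p, err := net.SplitHostPort(srv.Listener.Addr().String())
	if err != nil {
		return "", err
	}
	port, _ := strconv.Atoi(p)
	u, err := healthCheckURL("127.0.0.1:443", tlsEnabled, ActiveCheck{URI: "/adfs/probe", Port: port})
	if err != nil {
		return "", err
	}
	return u, probe(u)
}

func main() {
	for _, tlsEnabled := range []bool{true, false} {
		u, err := ReproduceMismatch(tlsEnabled)
		fmt.Printf("tls=%v probe %s -> err=%v\n", tlsEnabled, u, err)
	}
}
```

Run it with `go run .`: the TLS case fails at the handshake rather than at certificate verification, which is why the error appears even though no certificate is ever checked, and the plain case returns a 200 from the same listener. The defender-side reading is that a probe whose scheme differs from the proxied traffic is a different check, not just a different address, so its result says nothing about whether the TLS path to the upstream is healthy.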

mholt commented 1 month ago

I don't know if it's a good idea for a health check to use a different port, let alone a different protocol, than the actual requests. :thinking: It kind of defeats the purpose if what is being checked is totally different from what is being proxied.

KlettIT commented 1 month ago

Yes, I understand your point of view and you're not wrong. But then it makes no sense that I can specify the port at all. My use-case is certainly a bit special here, but if that counts, in HAProxy you can specify the check port and protocol.