kamal icon indicating copy to clipboard operation
kamal copied to clipboard
verified publisher icon basecamp

Allow specifying separate port for health check

Open petromir opened this issue 1 year ago • 10 comments

I have the following settings of the proxy in kamal.yaml file

proxy:
  app_port: 8080
  response_timeout: 10
  healthcheck:
    interval: 3
    path: /health
    timeout: 3

Usually, the "management" (a.k.a observability - health, metrics, prometheus etc.) endpoints are served on a different port not exposed to outside world, e.g. 8181

Could you please add another property to specify different port for the health check, so we end up with

proxy:
  app_port: 8080
  response_timeout: 10
  healthcheck:
    interval: 3
    path: /health
    port: 8181 # the new shiny property
    timeout: 3

petromir avatar Nov 20 '24 10:11 petromir

@djmb I can implement this if you are okay to adding this.

igor-alexandrov avatar Nov 26 '24 10:11 igor-alexandrov

Even though I agree such feature could be useful, I want to note - last time I checked Kamal does the healthcheck on the IP address and not on the domain (i.e. host header is empty) so it's already hidden from the outside world - Kamal proxy only forwards domain requests. So the only thing currently needed is for your app not to return health check responses with domain requests.

As it is unclear if the current behavior is intended or simply a coincidence, it would certainly be better being able to explicitly configure it

a3kov avatar Nov 27 '24 15:11 a3kov

the only thing currently needed is for your app not to return health check responses with domain requests.

I prefer configuration over coding a filter. With the port configuration I don't even need to change the firewall in my server provider.

petromir avatar Nov 29 '24 19:11 petromir

@petromir I was wrong in my initial answer. Kamal and kamal-proxy require health check route to be exposed outside the container, as the health check functionality is implemented directly in the kamal-proxy server.

igor-alexandrov avatar Dec 04 '24 11:12 igor-alexandrov

@igor-alexandrov exposing it outside of the container is not an issue, just the port as I don't want to use the one open to the public.

petromir avatar Dec 04 '24 21:12 petromir

@igor-alexandrov any movement around this?

petromir avatar Dec 19 '24 18:12 petromir

Unfortunately, nothing from my side due to a lack of time. I hope it will get better soon.

igor-alexandrov avatar Dec 20 '24 05:12 igor-alexandrov

@petromir This is also at the kamal-proxy level, but would need to be bubbled up as an option in Kamal.

I opened a similar discussion on the kamal-proxy repo(https://github.com/basecamp/kamal-proxy/discussions/132) for an otel project I'm working on. My use case is that the app_port only accepts POST requests and the health check endpoint is on a different port.

nickhammond avatar Jun 10 '25 02:06 nickhammond

+1 - even solace has a different health check port by default

akil-rails avatar Jul 22 '25 03:07 akil-rails

Can be updated once https://github.com/basecamp/kamal-proxy/pull/152 is released

djmb avatar Nov 07 '25 10:11 djmb