
[reverse_proxy] active_health check to http endpoint does not work when upstream is via ssl/tls

Open KlettIT opened this issue 1 year ago • 3 comments

Hi,

I have a reverse_proxy configuration here which uses an https endpoint as upstream, but the health check must take place on port 80 (http). I have configured this as far as possible.

```json
    "handler": "reverse_proxy",
    "transport": {
      "protocol": "http",
      "tls": {
        "server_name": "sso.example.com"
      }
    },
    "load_balancing": {
      "selection_policy": { "policy": "client_ip_hash" }
    },
    "health_checks": {
      "active": {
        "uri": "/adfs/probe",
        "interval": "30s",
        "timeout": "5s",
        "passes": 2,
        "fails": 3,
        "port": 80,
        "expect_status": 200
      }
    },
    "upstreams": [
      {
        "dial": "SERVER01:443"
      },
      {
        "dial": "SERVER02:443"
      }
    ]
  }
]
```

Although I have defined port 80 in health_check, an https request is sent here and not an http request.

```
Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.501933,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER01:80","error":"Get \"https://SERVER01:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
Aug 01 10:14:45 SIT-NLBP06.razor.k-sys.io caddy_custom[43523]: {"level":"info","ts":1722500085.5023623,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER02:80","error":"Get \"https://SERVER02:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
```

Is there a way to configure this?

KlettIT (Aug 01 '24 08:08)
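As an added example (not code from the issue or from Caddy), a small Python check that scans journald-prefixed Caddy logs for active-health-check failures whose probe URL pairs a scheme with the wrong well-known port, which is exactly the symptom in the log lines above. The log lines inside it are constructed to mirror those in the report; the logger name is the one Caddy prints.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample lines shaped like the Caddy health-checker entries quoted in
# the issue (journald prefix, then Caddy's JSON), plus one unrelated access-log
# entry that the filter must ignore.
SAMPLE_LOG = r'''
Aug 01 10:14:45 lb01 caddy[43523]: {"level":"info","ts":1722500085.501933,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER01:80","error":"Get \"https://SERVER01:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
Aug 01 10:14:45 lb01 caddy[43523]: {"level":"info","ts":1722500085.5023623,"logger":"http.handlers.reverse_proxy.health_checker.active","msg":"HTTP request failed","host":"SERVER02:80","error":"Get \"https://SERVER02:80/adfs/probe\": http: server gave HTTP response to HTTPS client"}
Aug 01 10:14:46 lb01 caddy[43523]: {"level":"info","ts":1722500086.1,"logger":"http.log.access","msg":"handled request","status":200}
'''

HEALTH_LOGGER = "http.handlers.reverse_proxy.health_checker.active"
PROBE_URL_RE = re.compile(r'Get "(?P<url>[^"]+)"')
# Scheme/port pairs that almost always mean the probe is misconfigured.
SUSPECT_PAIRS = {("https", 80), ("http", 443)}

def parse_entry(line):
    """Extract Caddy's JSON object from a journald-prefixed line; None if absent."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None

def probe_mismatch(entry):
    """Flag an active-health-check failure whose probe URL uses a scheme that
    does not match its port. Returns a finding dict, or None if consistent."""
    if entry.get("logger") != HEALTH_LOGGER:
        return None
    m = PROBE_URL_RE.search(entry.get("error", ""))
    if not m:
        return None
    url = urlparse(m.group("url"))
    port = url.port or (443 if url.scheme == "https" else 80)
    if (url.scheme, port) not in SUSPECT_PAIRS:
        return None
    return {"host": entry.get("host"), "scheme": url.scheme, "port": port,
            "url": m.group("url")}

def find_probe_mismatches(log_text):
    """Run the check over every line of a log dump and collect findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            finding = probe_mismatch(entry)
            if finding is not None:
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_probe_mismatches(SAMPLE_LOG):
        print(f"{f['host']}: probe sent as {f['scheme']} to port {f['port']}")
```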

I don't know if it's a good idea for a health check to use a different port, let alone a different protocol, than the actual requests. :thinking: It kind of defeats the purpose if what is being checked is totally different from what is being proxied.

mholt (Aug 05 '24 14:08)

Yes, I understand your point of view and you're not wrong. But then it makes no sense that I can specify the port at all. My use-case is certainly a bit special here, but if that counts, in HAProxy you can specify the check port and protocol.

KlettIT (Aug 06 '24 06:08)

We're currently trying to put ADFS behind Caddy. It works well so far, but active health checks aren't possible, since ADFS only allows connecting to the probing endpoint via http (don't ask me), so this might be relevant for some folks.

glatzert (Aug 13 '25 09:08)