
Commit 9ce5f6d

HansK-pbungle
authored andcommitted
Added support for https_sni in healthcheck.lua (#49)
1 parent eb48bff commit 9ce5f6d


1 file changed

+9
-5
lines changed


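--- a/lib/resty/healthcheck.lua
+++ b/lib/resty/healthcheck.lua
@@ -1015,20 +1015,22 @@ function checker:run_single_check(ip, port, hostname, hostheader)
 end
 
 if self.checks.active.type == "https" then
-local session
+local https_sni, session, err
+https_sni = self.checks.active.https_sni or hostheader or hostname
 if self.ssl_cert and self.ssl_key then
 session, err = sock:tlshandshake({
 verify = self.checks.active.https_verify_certificate,
 client_cert = self.ssl_cert,
-client_priv_key = self.ssl_key
+client_priv_key = self.ssl_key,
+server_name = https_sni
 })
 else
-session, err = sock:sslhandshake(nil, hostname,
+session, err = sock:sslhandshake(nil, https_sni,
 self.checks.active.https_verify_certificate)
 end
 if not session then
 sock:close()
-self:log(ERR, "failed SSL handshake with '", hostname, " (", ip, ":", port, ")': ", err)
+self:log(ERR, "failed SSL handshake with '", hostname or "", " (", ip, ":", port, ")', using server name (sni) '", https_sni, "': ", err)
 return self:report_tcp_failure(ip, port, hostname, "connect", "active")
 end
 
@@ -1436,6 +1438,7 @@ local defaults = {
 timeout = 1,
 concurrency = 10,
 http_path = "/",
+https_sni = NO_DEFAULT,
 https_verify_certificate = true,
 headers = {""},
 healthy = {
@@ -1502,12 +1505,13 @@ end
 --
 -- * `name`: name of the health checker
 -- * `shm_name`: the name of the `lua_shared_dict` specified in the Nginx configuration to use
--- * `checks.active.type`: "http", "https" or "tcp" (default is "http")
 -- * `ssl_cert`: certificate for mTLS connections (string or parsed object)
 -- * `ssl_key`: key for mTLS connections (string or parsed object)
+-- * `checks.active.type`: "http", "https" or "tcp" (default is "http")
 -- * `checks.active.timeout`: socket timeout for active checks (in seconds)
 -- * `checks.active.concurrency`: number of targets to check concurrently
 -- * `checks.active.http_path`: path to use in `GET` HTTP request to run on active checks
+-- * `checks.active.https_sni`: SNI server name incase of HTTPS
 -- * `checks.active.https_verify_certificate`: boolean indicating whether to verify the HTTPS certificate
 -- * `checks.active.headers`: one or more lists of values indexed by header name
 -- * `checks.active.healthy.interval`: interval between checks for healthy targets (in seconds)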
