From aab3701fe3cb6396e1b444d456b3e1646917fb75 Mon Sep 17 00:00:00 2001 From: HansK-p <42314815+HansK-p@users.noreply.github.com> Date: Fri, 18 Sep 2020 13:07:05 +0200 Subject: [PATCH] Added support for https_sni in healthcheck.lua (#49) --- README.md | 1 + lib/resty/healthcheck.lua | 14 +++++++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 59127d96..e150a85e 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,7 @@ Versioning is strictly based on [Semantic Versioning](https://semver.org/) and `post_local` won't anymore call `poll` on a running worker automatically, for more information, see: https://github.com/Kong/lua-resty-worker-events#200-16-september-2020 +* feature: Added support for https_sni [#49](https://github.com/Kong/lua-resty-healthcheck/pull/49) * fix: properly log line numbers by using tail calls [#29](https://github.com/Kong/lua-resty-healthcheck/pull/29) * fix: when not providing a hostname, use IP [#48](https://github.com/Kong/lua-resty-healthcheck/pull/48) * fix: makefile; make install diff --git a/lib/resty/healthcheck.lua b/lib/resty/healthcheck.lua index ab530d98..1685edc9 100644 --- a/lib/resty/healthcheck.lua +++ b/lib/resty/healthcheck.lua @@ -829,20 +829,22 @@ function checker:run_single_check(ip, port, hostname, hostheader) end if self.checks.active.type == "https" then - local session, err + local https_sni, session, err + https_sni = self.checks.active.https_sni or hostheader or hostname if self.ssl_cert and self.ssl_key then session, err = sock:tlshandshake({ verify = self.checks.active.https_verify_certificate, client_cert = self.ssl_cert, - client_priv_key = self.ssl_key + client_priv_key = self.ssl_key, + server_name = https_sni }) else - session, err = sock:sslhandshake(nil, hostname, + session, err = sock:sslhandshake(nil, https_sni, self.checks.active.https_verify_certificate) end if not session then sock:close() - self:log(ERR, "failed SSL handshake with '", hostname or "", " (", ip, ":", port, ")': ", err) + self:log(ERR, "failed SSL handshake with '", hostname or "", " (", ip, ":", port, ")', using server name (sni) '", https_sni, "': ", err) return self:report_tcp_failure(ip, port, hostname, "connect", "active") end @@ -1218,6 +1220,7 @@ local defaults = { timeout = 1, concurrency = 10, http_path = "/", + https_sni = NO_DEFAULT, https_verify_certificate = true, healthy = { interval = 0, -- 0 = disabled by default @@ -1283,12 +1286,13 @@ end -- -- * `name`: name of the health checker -- * `shm_name`: the name of the `lua_shared_dict` specified in the Nginx configuration to use --- * `checks.active.type`: "http", "https" or "tcp" (default is "http") -- * `ssl_cert`: certificate for mTLS connections (string or parsed object) -- * `ssl_key`: key for mTLS connections (string or parsed object) +-- * `checks.active.type`: "http", "https" or "tcp" (default is "http") -- * `checks.active.timeout`: socket timeout for active checks (in seconds) -- * `checks.active.concurrency`: number of targets to check concurrently -- * `checks.active.http_path`: path to use in `GET` HTTP request to run on active checks +-- * `checks.active.https_sni`: SNI server name incase of HTTPS -- * `checks.active.https_verify_certificate`: boolean indicating whether to verify the HTTPS certificate -- * `checks.active.healthy.interval`: interval between checks for healthy targets (in seconds) -- * `checks.active.healthy.http_statuses`: which HTTP statuses to consider a success