authorFrancis Lavoie <[email protected]>2023-06-22 18:20:30 -0400
committerGitHub <[email protected]>2023-06-22 16:20:30 -0600
commit7a69ae757197660d26095045fba385c613926d77 (patch)
treea19fcb2c299bdb680bfacc6ef27231c714cff1d4
parent2b2addebb8cc5dfc7d4d1d34c82f3c46159fea12 (diff)
downloadcaddy-7a69ae757197660d26095045fba385c613926d77.tar.gz
caddy-7a69ae757197660d26095045fba385c613926d77.zip
reverseproxy: Honor `tls_except_port` for active health checks (#5591)
-rw-r--r--modules/caddyhttp/reverseproxy/healthchecks.go41
1 files changed, 25 insertions, 16 deletions
diff --git a/modules/caddyhttp/reverseproxy/healthchecks.go b/modules/caddyhttp/reverseproxy/healthchecks.go
index c969c8c1b..80b635adc 100644
--- a/modules/caddyhttp/reverseproxy/healthchecks.go
+++ b/modules/caddyhttp/reverseproxy/healthchecks.go
@@ -306,16 +306,35 @@ func (h *Handler) doActiveHealthCheckForAllHosts() {
// the host's health status fails.
func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, upstream *Upstream) error {
// create the URL for the request that acts as a health check
- scheme := "http"
- if ht, ok := h.Transport.(TLSTransport); ok && ht.TLSEnabled() {
- // this is kind of a hacky way to know if we should use HTTPS, but whatever
- scheme = "https"
- }
u := &url.URL{
- Scheme: scheme,
+ Scheme: "http",
Host: hostAddr,
}
+ // split the host and port if possible, override the port if configured
+ host, port, err := net.SplitHostPort(hostAddr)
+ if err != nil {
+ host = hostAddr
+ }
+ if h.HealthChecks.Active.Port != 0 {
+ port := strconv.Itoa(h.HealthChecks.Active.Port)
+ u.Host = net.JoinHostPort(host, port)
+ }
+
+ // this is kind of a hacky way to know if we should use HTTPS, but whatever
+ if tt, ok := h.Transport.(TLSTransport); ok && tt.TLSEnabled() {
+ u.Scheme = "https"
+
+ // if the port is in the except list, flip back to HTTP
+ if ht, ok := h.Transport.(*HTTPTransport); ok {
+ for _, exceptPort := range ht.TLS.ExceptPorts {
+ if exceptPort == port {
+ u.Scheme = "http"
+ }
+ }
+ }
+ }
+
// if we have a provisioned uri, use that, otherwise use
// the deprecated Path option
if h.HealthChecks.Active.uri != nil {
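Review bot: The `port := strconv.Itoa(h.HealthChecks.Active.Port)` inside the `if h.HealthChecks.Active.Port != 0` block declares a new variable that shadows the `port` returned by `net.SplitHostPort`, so the `exceptPort == port` comparison further down still sees the upstream's original port (or `""` when `hostAddr` carried none) rather than the overridden health-check port. When the active check port is the one listed in `tls_except_ports` but the upstream's own port is not, the check is sent over HTTPS to a plaintext port and fails, which would presumably mark an otherwise healthy upstream down; the reverse mismatch sends plaintext to a TLS port. Changing that line to an assignment, `port = strconv.Itoa(h.HealthChecks.Active.Port)`, leaves `u.Host` unchanged and makes the except-list check use the port actually dialed, which I assume is what the transport keys `tls_except_ports` on. A shadow-aware linter (`go vet -vettool` with the shadow analyzer, or staticcheck) would catch this. doActiveHealthCheck continues past the end of this hunk.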
@@ -325,16 +344,6 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, upstre
u.Path = h.HealthChecks.Active.Path
}
- // adjust the port, if configured to be different
- if h.HealthChecks.Active.Port != 0 {
- portStr := strconv.Itoa(h.HealthChecks.Active.Port)
- host, _, err := net.SplitHostPort(hostAddr)
- if err != nil {
- host = hostAddr
- }
- u.Host = net.JoinHostPort(host, portStr)
- }
-
// attach dialing information to this request, as well as context values that
// may be expected by handlers of this request
ctx := h.ctx.Context