NGINX-Plus HTTPS Health Checks on TCP Proxies - Wed, Nov 25, 2020
Just as we were ready to bring the anycast load balancers online as normal TLS-terminating proxies, a last-minute change got dropped on me: no TLS termination, only proxying of raw TCP connections.
The changes we need
We were moving to a TCP-based proxy, but we still needed an HTTPS-based health check against the backend port. This isn't straightforward, because the proxy itself is a stream (layer 4) proxy, while the check we want is what would normally be an http-module health check.
How we got a basic HTTPS health check with TCP Proxying
The easiest way is to set up a second server block that listens on 127.0.0.1 on an arbitrary port of our choosing. In that server we can turn on proxy_ssl on;, so its health checks complete a TLS handshake with the upstreams before doing the send/expect match.
stream {
    match https_check {
        send "GET /uri/to/check HTTP/1.1\r\nHost: localhost\r\n\r\n";
        expect ~* "HTTP/1.1 200";
    }

    upstream backend_servers {
        zone backend_servers 32k;
        server server1.local:443;
        server server2.local:443;
        server server3.local:443;
    }

    server {
        # This is the real proxy for clients
        listen 443;
        proxy_pass backend_servers;
        proxy_connect_timeout 2s;
    }

    server {
        # This is just for health checks; bound to loopback only
        listen 127.0.0.1:8443;
        proxy_pass backend_servers;
        proxy_ssl on;
        proxy_connect_timeout 2s;
        health_check match=https_check interval=10s passes=2 fails=1;
    }
}
By running a second server against the same upstream group, we can tell nginx to make TLS connections outbound to the upstreams to test them, while still doing basic send/expect matching on plain TCP connections.
Hope this helps someone else that is dropped into this weird position.