I want to health check specific servers before adding them to a load balancer. The load balancer is just forwarding at the TCP level to the instances, the instances are handling the SSL handshake. The problem is I can't get the SSL handshake to work.

Currently trying the request using curl:

» curl "https://api.filestage.io/ping" --resolve "api.filestage.io:443:52.58.200.141" -v -I

* Added api.filestage.io:443:52.58.200.141 to DNS cache
* Hostname api.filestage.io was found in DNS cache
*   Trying 52.58.200.141...
* TCP_NODELAY set
* Connected to api.filestage.io (52.58.200.141) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.filestage.io:443 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.filestage.io:443

If I try the request against the load balancer (without the `--resolve` flag), then I get a successful response:

» curl "https://api.filestage.io/ping" -v -I   

*   Trying 52.28.99.28...
* TCP_NODELAY set
* Connected to api.filestage.io (52.28.99.28) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL Wildcard; CN=*.filestage.io
*  start date: Sep  7 00:00:00 2016 GMT
*  expire date: Sep  7 23:59:59 2017 GMT
*  subjectAltName: host "api.filestage.io" matched cert's "*.filestage.io"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
> HEAD /ping HTTP/1.1
> Host: api.filestage.io
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: undefined
Access-Control-Allow-Origin: undefined
< Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
< Access-Control-Allow-Headers: Content-Type, Accept
Access-Control-Allow-Headers: Content-Type, Accept
< Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
Pragma: no-cache
< Expires: 0
Expires: 0
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15552000; includeSubDomains
Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Download-Options: noopen
X-Download-Options: noopen
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Content-Length: 6
Content-Length: 6
< ETag: W/"6-mjpCz9K3x3LxXfhnNpzLeg"
ETag: W/"6-mjpCz9K3x3LxXfhnNpzLeg"
< set-cookie: fstg_sid=s%3AUdiZR7MEERHtfRcNooV82ek-UrAL7XtG.sYHes4MGaaqLWdMZptF7LW%2FVplTrWkSCCZMMqOleUyY; Domain=.filestage.io; Path=/; Expires=Tue, 25 Jul 2017 10:57:42 GMT; HttpOnly; Secure
set-cookie: fstg_sid=s%3AUdiZR7MEERHtfRcNooV82ek-UrAL7XtG.sYHes4MGaaqLWdMZptF7LW%2FVplTrWkSCCZMMqOleUyY; Domain=.filestage.io; Path=/; Expires=Tue, 25 Jul 2017 10:57:42 GMT; HttpOnly; Secure
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Date: Tue, 18 Jul 2017 10:57:42 GMT
Date: Tue, 18 Jul 2017 10:57:42 GMT
< Connection: keep-alive
Connection: keep-alive

< 
* Connection #0 to host api.filestage.io left intact

The error I get isn't giving me any clues. Any ideas how I can get more information about what is going wrong?

eliocs
  • Do your backends support HTTPS? Maybe add some detail on your setup? Why doesn't the load balancer do health checks? What happens when the health checks fail days after adding it to your LB? So many questions. – Jacob Evans Jul 18 '17 at 11:23
  • @JacobEvans Yeah, the backend supports HTTPS; the load balancer is only forwarding at the TCP level. The load balancer has very basic health checks; I can't configure this more complicated health check. – eliocs Jul 18 '17 at 13:15
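The curl output above collapses everything after the Client hello into one `SSL_ERROR_SYSCALL`, which only tells you that the peer went away mid-handshake. A health check that is going to gate admission to a load balancer is more useful if it reports which stage failed: TCP connect, TLS handshake (peer dropped, alert, or certificate rejected), or the HTTP request on top. The following is an added example, not code from the question or from the filestage.io service; it uses only the Python standard library and reproduces the `--resolve` behaviour by connecting to a backend IP while presenting the public hostname as SNI. When the handshake is dropped it goes one step further than curl and asks the same port a plaintext HTTP question, which distinguishes "TLS is not enabled on this port at all" from "TLS endpoint that is rejecting us". The listener in `drop_after_client_hello` and the hostname `backend.example.test` are constructed stand-ins so the script runs offline; against the real backend you would call `probe_backend("52.58.200.141", 443, "api.filestage.io")`.

```python
import socket
import ssl
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    stage: str              # "tcp", "tls", "http" or "ok": the stage where the probe stopped
    detail: str             # what was observed at that stage
    cert_subject: str = ""  # leaf certificate subject, once the handshake succeeds
    tls_version: str = ""
    plaintext_hint: str = ""  # after a dropped handshake: how the port answers plaintext HTTP


def plaintext_probe(ip, port, sni, timeout):
    """Ask the port a plaintext HTTP question to see whether it speaks TLS at all."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {sni}\r\n\r\n".encode())
            head = sock.recv(256)
    except OSError as exc:
        return f"plaintext probe failed: {exc}"
    if not head:
        return "peer closed the plaintext connection without sending anything"
    if head.startswith(b"HTTP/"):  # TLS is not enabled on this port
        return "port speaks plaintext HTTP: " + head.split(b"\r\n", 1)[0].decode(errors="replace")
    if head[0] == 0x15:  # TLS alert record: a TLS stack is listening and objected
        return "peer answered with a TLS alert record: " + head[:7].hex()
    return "peer sent non-HTTP bytes: " + head[:16].hex()


def probe_backend(ip, port, sni, path="/ping", timeout=5.0, cafile=None):
    """Health-check one backend IP, presenting `sni` as server name (like curl --resolve)."""
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult("tcp", f"TCP connect to {ip}:{port} failed: {exc}")

    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    try:
        tls = ctx.wrap_socket(sock, server_hostname=sni)
    except ssl.SSLCertVerificationError as exc:
        return ProbeResult("tls", f"handshake completed but certificate rejected: {exc}")
    except (ssl.SSLEOFError, ConnectionResetError) as exc:
        # Peer dropped the connection mid-handshake: what curl reports as SSL_ERROR_SYSCALL
        res = ProbeResult("tls", f"peer dropped the connection during the handshake: {exc}")
        res.plaintext_hint = plaintext_probe(ip, port, sni, timeout)
        return res
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult("tls", f"handshake failed: {exc}")

    try:
        with tls:
            tls.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {sni}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
            cert, version = tls.getpeercert(), tls.version()
    except (ssl.SSLError, OSError) as exc:
        return ProbeResult("http", f"TLS ok but request failed: {exc}")
    subject = "; ".join(f"{k}={v}" for rdn in cert.get("subject", ()) for k, v in rdn)
    status = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return ProbeResult("ok" if status.startswith("HTTP/") else "http",
                       status or "empty reply", cert_subject=subject, tls_version=version)


def drop_after_client_hello(host="127.0.0.1"):
    """Constructed stand-in for a misbehaving backend: reads the client's first bytes,
    then closes without answering. Returns (port, stop) where stop() ends the listener."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    running = threading.Event()
    running.set()

    def serve():
        while running.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)  # swallow the ClientHello (or the HEAD), reply with nothing
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], running.clear


def unused_port(host="127.0.0.1"):
    """Reserve-then-release a port so the probe hits a closed one (constructed 'tcp' case)."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = drop_after_client_hello()
    try:
        print(probe_backend("127.0.0.1", port, "backend.example.test", timeout=3))
        print(probe_backend("127.0.0.1", unused_port(), "backend.example.test", timeout=3))
    finally:
        stop()
```

The stage names are what you would feed into the admission decision: only `ok` means the instance terminates TLS for that hostname and answers `/ping`. A `tls` result whose `plaintext_hint` starts with "port speaks plaintext HTTP" points at an instance with TLS not configured on 443, while a TLS alert record points at a TLS stack that is listening but rejecting the handshake (for example, no certificate configured for that SNI name).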

0 Answers