Node balancer's health check is sending plain http to https?

In the Port config, I've set the protocol to HTTPS only.

Here's the log I've got from nginx.

2019/05/29 16:46:25 [info] 19904#19904: *2 client sent plain HTTP request to HTTPS port while reading client request headers, client: 192.168.255.36, server: default.example.com, request: "GET /health-check/ HTTP/1.1", host: "xxx.xxx.xxx.xxx"

4 Replies

HTTPS in the port configuration means that the NodeBalancer is terminating the SSL, and forwards the plain HTTP to the backend. Subsequently, the backend configuration should be pointing to a port expecting plain HTTP. (And thus your health check will work correctly.)

If I understand correctly, I should set it up so that
instead of

Client -> 443 Load Balancer -> 443 Server

I must listen on 80 for it to work?

Client -> 443 Load Balancer -> 80 Server

IMO the full chain should be in SSL though... this is not safe.

You're correct on the listen on 80 part. This is perfectly safe to do, if you consider the environment as a whole. No other Linode can sniff this traffic, thanks to rules enforced by the hosts that prevent Linodes from seeing traffic that isn't destined for them. And while it's true that Linode can sniff the traffic on the network, they can also dump the memory of your Linode and then decrypt encrypted traffic on the network. Ultimately you have to trust that Linode won't do this. (They won't, because why would they care?)

Although what you said might be correct, unfortunately I have no power over this matter. So I'll just set the protocol to TCP, set up some 3rd-party monitors, and go on my dandy way.

Thanks for your help!
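The two backend layouts discussed in this thread, as an added nginx example that is not part of the original posts. The 192.168.255.0/24 source range (inferred from the client address in the log), the upstream at 127.0.0.1:8080, and the certificate paths are assumptions or placeholders.

```nginx
# Option A: NodeBalancer port set to HTTPS (TLS ends at the balancer).
# The backend port the balancer points at must speak plain HTTP.
server {
    listen 80;
    server_name default.example.com;

    # Assumption: balancer traffic arrives from 192.168.255.0/24, the range
    # containing the client address in the log above. Refuse every other
    # source so the plaintext listener is reachable only from the balancer.
    allow 192.168.255.0/24;
    deny all;

    # Health-check path from the log, answered locally and kept out of
    # the access log.
    location = /health-check/ {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }

    location / {
        # Hypothetical application upstream.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}

# Option B: NodeBalancer port set to TCP (TLS is passed through).
# The backend holds its own certificate, so the path stays encrypted
# all the way to nginx and the balancer never sees plaintext.
server {
    listen 443 ssl;
    server_name default.example.com;

    # Placeholder certificate paths.
    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    location = /health-check/ {
        access_log off;
        default_type text/plain;
        return 200 "ok\n";
    }
}
```

Only one of the two blocks should be the target of a given balancer port; run `nginx -t` after editing to validate the configuration before reloading.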
