SSL Health Monitors didn't actually ... check very much

Change HTTPS monitors to be a real check, and add TLS-HELLO type to perform the older check functionality if desired. The only reason you would need TLS-HELLO instead of HTTPS is if your application does client-cert validation, as the HAProxy box won't have a valid client cert. Also add missing PING type to the DB, so PING monitors can be used. Change-Id: I15a79b7fb0c2ff1020090b4057909a1f41a2c8ad
2017-06-20 15:26:11 -07:00 · 2017-06-20 15:26:11 -07:00 · 897214a4ff
commit 897214a4ff
parent 3ce659e9a5
12 changed files with 129 additions and 23 deletions
--- a/api-ref/source/parameters.yaml
+++ b/api-ref/source/parameters.yaml
@ -321,8 +321,8 @@ healthmonitor-timeout-optional:
  type: integer
 healthmonitor-type:
  description: |
-    The type of health monitor.  One of ``HTTP``, ``HTTPS``, ``PING``, or
-    ``TCP``.
+    The type of health monitor.  One of ``HTTP``, ``HTTPS``, ``PING``, ``TCP``,
+    or ``TLS-HELLO``.
  in: body
  required: true
  type: string
--- a/api-ref/source/v2/healthmonitor.inc
+++ b/api-ref/source/v2/healthmonitor.inc
@ -115,7 +115,7 @@ At a minimum, you must specify these health monitor attributes:
  times out.

 - ``type`` The type of health monitor. One of ``HTTP``, ``HTTPS``, ``PING``,
-  or ``TCP``.
+  ``TCP``, or ``TLS-HELLO``.

 Some attributes receive default values if you omit them from the request:

--- a/doc/source/api/octaviaapi.rst
+++ b/doc/source/api/octaviaapi.rst
@ -1097,7 +1097,7 @@ Health Monitors
 +================+=========+======================================+
 | type           | String  | Type of health monitoring from \     |
 |                |         | the following: ``PING``, ``TCP``, \  |
-|                |         | ``HTTP``, ``HTTPS``                  |
+|                |         | ``HTTP``, ``HTTPS``, ``TLS-HELLO``   |
 +----------------+---------+--------------------------------------+
 | delay          | Integer | Delay between health checks          |
 +----------------+---------+--------------------------------------+
--- a/doc/source/guides/basic-cookbook.rst
+++ b/doc/source/guides/basic-cookbook.rst
@ -602,7 +602,8 @@ generates the health check in your web application:

 Other heath monitors
 --------------------
-Other health monitor types include ``PING``, ``TCP`` and ``HTTPS``.
+Other health monitor types include ``PING``, ``TCP``, ``HTTPS``, and
+``TLS-HELLO``.

 ``PING`` health monitors send periodic ICMP PING requests to the back-end
 servers. Obviously, your back-end servers must be configured to allow PINGs in
@ -613,9 +614,14 @@ port. Your custom TCP application should be written to respond OK to the load
 balancer connecting, opening a TCP connection, and closing it again after the
 TCP handshake without sending any data.

-``HTTPS`` health monitors operate exactly like HTTP health monitors, except
-that they also ensure the back-end server responds to SSLv3 client hello
-messages.
+``HTTPS`` health monitors operate exactly like HTTP health monitors, but with
+ssl back-end servers. Unfortunately, this causes problems if the servers are
+performing client certificate validation, as HAProxy won't have a valid cert.
+In this case, using ``TLS-HELLO`` type monitoring is an alternative.
+
+``TLS-HELLO`` health monitors simply ensure the back-end server responds to
+SSLv3 client hello messages. It will not check any other health metrics, like
+status code or body contents.


 Intermediate certificate chains
--- a/octavia/api/v2/controllers/health_monitor.py
+++ b/octavia/api/v2/controllers/health_monitor.py
@ -183,6 +183,10 @@ class HealthMonitorController(base.BaseController):
                lock_session, health_monitor)
            db_hm = self._validate_create_hm(lock_session, hm_dict)
            lock_session.commit()
+        except odb_exceptions.DBError:
+            lock_session.rollback()
+            raise exceptions.InvalidOption(
+                value=hm_dict.get('type'), option='type')
        except Exception:
            with excutils.save_and_reraise_exception():
                lock_session.rollback()
--- a/octavia/common/constants.py
+++ b/octavia/common/constants.py
@ -30,8 +30,10 @@ HEALTH_MONITOR_PING = 'PING'
 HEALTH_MONITOR_TCP = 'TCP'
 HEALTH_MONITOR_HTTP = 'HTTP'
 HEALTH_MONITOR_HTTPS = 'HTTPS'
+HEALTH_MONITOR_TLS_HELLO = 'TLS-HELLO'
 SUPPORTED_HEALTH_MONITOR_TYPES = (HEALTH_MONITOR_HTTP, HEALTH_MONITOR_HTTPS,
-                                  HEALTH_MONITOR_PING, HEALTH_MONITOR_TCP)
+                                  HEALTH_MONITOR_PING, HEALTH_MONITOR_TCP,
+                                  HEALTH_MONITOR_TLS_HELLO)
 HEALTH_MONITOR_HTTP_METHOD_GET = 'GET'
 HEALTH_MONITOR_HTTP_METHOD_HEAD = 'HEAD'
 HEALTH_MONITOR_HTTP_METHOD_POST = 'POST'
--- a/octavia/common/jinja/haproxy/templates/macros.j2
+++ b/octavia/common/jinja/haproxy/templates/macros.j2
@ -151,8 +151,14 @@ frontend {{ listener.id }}
        {% else %}
            {% set monitor_port_opt = "" %}
        {% endif %}
-        {% set hm_opt = " check inter %ds fall %d rise %d%s%s"|format(
-            pool.health_monitor.delay, pool.health_monitor.fall_threshold,
+        {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
+            {% set monitor_ssl_opt = " check-ssl verify none" %}
+        {% else %}
+            {% set monitor_ssl_opt = "" %}
+        {% endif %}
+        {% set hm_opt = " check%s inter %ds fall %d rise %d%s%s"|format(
+            monitor_ssl_opt, pool.health_monitor.delay,
+            pool.health_monitor.fall_threshold,
            pool.health_monitor.rise_threshold, monitor_addr_opt,
            monitor_port_opt) %}
    {% else %}
@ -218,7 +224,7 @@ backend {{ pool.id }}
    pool.health_monitor.url_path }}
    http-check expect rstatus {{ pool.health_monitor.expected_codes }}
        {% endif %}
-        {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
+        {% if pool.health_monitor.type == constants.HEALTH_MONITOR_TLS_HELLO %}
    option ssl-hello-chk
        {% endif %}
    {% endif %}
--- a/octavia/db/migration/alembic_migrations/versions/e6672bda93bf_add_ping_and_tlshello_monitor_types.py
+++ b/octavia/db/migration/alembic_migrations/versions/e6672bda93bf_add_ping_and_tlshello_monitor_types.py
@ -0,0 +1,45 @@
+#    Copyright 2017 GoDaddy
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""add ping and tls-hello monitor types
+
+Revision ID: e6672bda93bf
+Revises: 27e54d00c3cd
+Create Date: 2017-06-21 16:13:09.615651
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import sql
+
+# revision identifiers, used by Alembic.
+revision = 'e6672bda93bf'
+down_revision = '27e54d00c3cd'
+
+
+def upgrade():
+    insert_table = sql.table(
+        u'health_monitor_type',
+        sql.column(u'name', sa.String),
+        sql.column(u'description', sa.String)
+    )
+
+    op.bulk_insert(
+        insert_table,
+        [
+            {'name': 'PING'},
+            {'name': 'TLS-HELLO'}
+        ]
+    )
--- a/octavia/tests/functional/api/v2/test_health_monitor.py
+++ b/octavia/tests/functional/api/v2/test_health_monitor.py
@ -196,7 +196,7 @@ class TestHealthMonitor(base.BaseAPITest):
            1, 1, 1, 1).get(self.root_tag)
        self.set_lb_status(lb1_id)
        hm3 = self.create_health_monitor(
-            pool3.get('id'), constants.HEALTH_MONITOR_TCP,
+            pool3.get('id'), constants.HEALTH_MONITOR_TLS_HELLO,
            1, 1, 1, 1).get(self.root_tag)
        self.set_lb_status(lb1_id)
        hms = self.get(self.HMS_PATH).json.get(self.root_tag_list)
--- a/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
+++ b/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
@ -150,7 +150,7 @@ class TestHaproxyCfg(base.TestCase):
            sample_configs.sample_base_expected_config(backend=be),
            rendered_obj)

-    def test_render_template_https(self):
+    def test_render_template_https_real_monitor(self):
        fe = ("frontend sample_listener_id_1\n"
              "    option tcplog\n"
              "    maxconn 98\n"
@ -164,6 +164,31 @@ class TestHaproxyCfg(base.TestCase):
              "    timeout check 31s\n"
              "    option httpchk GET /index.html\n"
              "    http-check expect rstatus 418\n"
+              "    fullconn 98\n"
+              "    server sample_member_id_1 10.0.0.99:82 "
+              "weight 13 check check-ssl verify none inter 30s fall 3 rise 2 "
+              "cookie sample_member_id_1\n"
+              "    server sample_member_id_2 10.0.0.98:82 "
+              "weight 13 check check-ssl verify none inter 30s fall 3 rise 2 "
+              "cookie sample_member_id_2\n\n")
+        rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
+            sample_configs.sample_amphora_tuple(),
+            sample_configs.sample_listener_tuple(proto='HTTPS'))
+        self.assertEqual(sample_configs.sample_base_expected_config(
+            frontend=fe, backend=be), rendered_obj)
+
+    def test_render_template_https_hello_monitor(self):
+        fe = ("frontend sample_listener_id_1\n"
+              "    option tcplog\n"
+              "    maxconn 98\n"
+              "    bind 10.0.0.2:443\n"
+              "    mode tcp\n"
+              "    default_backend sample_pool_id_1\n\n")
+        be = ("backend sample_pool_id_1\n"
+              "    mode tcp\n"
+              "    balance roundrobin\n"
+              "    cookie SRV insert indirect nocache\n"
+              "    timeout check 31s\n"
              "    option ssl-hello-chk\n"
              "    fullconn 98\n"
              "    server sample_member_id_1 10.0.0.99:82 "
@ -174,7 +199,8 @@ class TestHaproxyCfg(base.TestCase):
              "cookie sample_member_id_2\n\n")
        rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
            sample_configs.sample_amphora_tuple(),
-            sample_configs.sample_listener_tuple(proto='HTTPS'))
+            sample_configs.sample_listener_tuple(
+                proto='HTTPS', monitor_proto='TLS-HELLO'))
        self.assertEqual(sample_configs.sample_base_expected_config(
            frontend=fe, backend=be), rendered_obj)

--- a/octavia/tests/unit/common/sample_configs/sample_configs.py
+++ b/octavia/tests/unit/common/sample_configs/sample_configs.py
@ -405,7 +405,8 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True,
                          persistence_type=None, persistence_cookie=None,
                          tls=False, sni=False, peer_port=None, topology=None,
                          l7=False, enabled=True, insert_headers=None,
-                          be_proto=None, monitor_ip_port=False):
+                          be_proto=None, monitor_ip_port=False,
+                          monitor_proto=None):
    proto = 'HTTP' if proto is None else proto
    if be_proto is None:
        be_proto = 'HTTP' if proto is 'TERMINATED_HTTPS' else proto
@ -425,12 +426,12 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True,
                proto=be_proto, monitor=monitor, persistence=persistence,
                persistence_type=persistence_type,
                persistence_cookie=persistence_cookie,
-                monitor_ip_port=monitor_ip_port),
+                monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto),
            sample_pool_tuple(
                proto=be_proto, monitor=monitor, persistence=persistence,
                persistence_type=persistence_type,
                persistence_cookie=persistence_cookie, sample_pool=2,
-                monitor_ip_port=monitor_ip_port)]
+                monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto)]
        l7policies = [
            sample_l7policy_tuple('sample_l7policy_id_1', sample_policy=1),
            sample_l7policy_tuple('sample_l7policy_id_2', sample_policy=2),
@ -444,7 +445,7 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True,
                proto=be_proto, monitor=monitor, persistence=persistence,
                persistence_type=persistence_type,
                persistence_cookie=persistence_cookie,
-                monitor_ip_port=monitor_ip_port)]
+                monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto)]
        l7policies = []
    return in_listener(
        id='sample_listener_id_1',
@ -458,7 +459,7 @@ def sample_listener_tuple(proto=None, monitor=True, persistence=True,
            proto=be_proto, monitor=monitor, persistence=persistence,
            persistence_type=persistence_type,
            persistence_cookie=persistence_cookie,
-            monitor_ip_port=monitor_ip_port),
+            monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto),
        connection_limit=98,
        tls_certificate_id='cont_id_1' if tls else '',
        sni_container_ids=['cont_id_2', 'cont_id_3'] if sni else [],
@ -515,8 +516,10 @@ def sample_tls_container_tuple(id='cont_id_1', certificate=None,

 def sample_pool_tuple(proto=None, monitor=True, persistence=True,
                      persistence_type=None, persistence_cookie=None,
-                      sample_pool=1, monitor_ip_port=False):
+                      sample_pool=1, monitor_ip_port=False,
+                      monitor_proto=None):
    proto = 'HTTP' if proto is None else proto
+    monitor_proto = proto if monitor_proto is None else monitor_proto
    in_pool = collections.namedtuple(
        'pool', 'id, protocol, lb_algorithm, members, health_monitor,'
                'session_persistence, enabled, operating_status')
@ -531,13 +534,13 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
                   sample_member_tuple('sample_member_id_2', '10.0.0.98',
                                       monitor_ip_port=monitor_ip_port)]
        if monitor is True:
-            mon = sample_health_monitor_tuple(proto=proto)
+            mon = sample_health_monitor_tuple(proto=monitor_proto)
    elif sample_pool == 2:
        id = 'sample_pool_id_2'
        members = [sample_member_tuple('sample_member_id_3', '10.0.0.97',
                                       monitor_ip_port=monitor_ip_port)]
        if monitor is True:
-            mon = sample_health_monitor_tuple(proto=proto, sample_hm=2)
+            mon = sample_health_monitor_tuple(proto=monitor_proto, sample_hm=2)
    return in_pool(
        id=id,
        protocol=proto,
--- a/releasenotes/notes/Change-HTTPS-HealthMonitor-functionality-79240ef13e65cd88.yaml
+++ b/releasenotes/notes/Change-HTTPS-HealthMonitor-functionality-79240ef13e65cd88.yaml
@ -0,0 +1,14 @@
+---
+features:
+  - |
+    New Health Monitor type "TLS-HELLO" to perform a simple TLS connection.
+upgrade:
+  - |
+    If users have configured Health Monitors of type "HTTPS" and are expecting
+    a simple "TLS-HELLO" check, they will need to recreate their monitor with
+    the new "TLS-HELLO" type.
+fixes:
+  - |
+    Health Monitor type "HTTPS" now correctly performs the configured check.
+    This is done with all certificate validation disabled, so it will not work
+    if backend members are performing client certificate validation.