Host header ignored for SSL check

Issue #659 new
Danila Vershinin created an issue

The following fails to check against proper virtual host:

if failed host localhost
  port 443
  protocol https
  with http headers [Host: example.com]
  request "/ping"
  content == "pong"
  timeout 10 seconds
  for 1 cycles then restart

It requests and checks against https://localhost instead of https://example.com.

More on this issue here

Comments (3)

  1. Tildeslash repo owner

    Monit supports SNI for virtual SSL hosts, but takes the "host" value for it, not the HTTP header. The HTTP header is also set automatically, so the configuration can be simplified:

    if failed host example.com
      port 443
      protocol https
      request "/ping"
      content == "pong"
      timeout 10 seconds
      for 1 cycles then restart
    

    Please can you check if it works for you?

  2. Danila Vershinin reporter

    I understand this and it certainly works. However, in my use case the /ping endpoint is only exposed to localhost. Checking it via the suggested config will require either:

    • hosts file entry for example.com to point to 127.0.0.1 (a bit wrong for quite a few reasons)
    • opening the /ping endpoint to external interface (own IP)

    I'd like to avoid those and instead have the Monit request flow through the localhost interface. I think it makes sense for the host in with http headers passed in configuration to take priority.

  3. Sergey Budnevitch

    I have a similar issue, but for DNS load-balanced servers. It is not possible to specify both the SNI hostname and which server to check.

    For example, example.com resolves to 192.168.10.2 and 192.168.20.2.

    if failed host example.com
      port 443
      protocol https
    

    will check both IP addresses, but I need to check example.com on both IP addresses individually, and

    if failed host 192.168.10.2
      port 443
      protocol https
    

    will not use SNI.

    The current workaround is /etc/hosts, but this is not a solution.

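As an added illustration (not part of the thread and not Monit code), this Python example separates the address the check connects to from the name used for SNI, certificate verification and the Host header, which is the behaviour the comments above ask for. The function names are hypothetical; the IP addresses, example.com and /ping are the thread's own sample values.

```python
import socket
import ssl


def build_request(vhost, path):
    """HTTP/1.1 request whose Host header names the virtual host."""
    return (f"GET {path} HTTP/1.1\r\nHost: {vhost}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def client_hello(name):
    """Return the raw ClientHello for `name` without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for the ServerHello
    # SNI carries DNS names only; an IP literal produces no SNI extension.
    return outgoing.read()


def probe(connect_ip, vhost, path="/ping", port=443, timeout=10):
    """Check `vhost` on one specific address; returns (status_line, body)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((connect_ip, port), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate must match,
        # independent of the address the TCP connection was opened to.
        with ctx.wrap_socket(raw, server_hostname=vhost) as tls:
            tls.sendall(build_request(vhost, path))
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0].decode("latin-1"), body


if __name__ == "__main__":
    # Addresses from the thread's example; each backend is checked on its own.
    for ip in ("192.168.10.2", "192.168.20.2"):
        try:
            status, body = probe(ip, "example.com")
            # Substring match so a chunked response body still matches.
            print(ip, status, b"pong" in body)
        except (OSError, ssl.SSLError) as exc:
            print(ip, "FAILED", exc)
```

Because certificate verification is done against the virtual host name rather than the connect address, a backend that serves the wrong certificate fails the probe instead of being silently accepted.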