HTTPS Health Monitor

Introduction

The HTTPS monitor type can be used to validate the health of HTTPS encrypted web servers. Use this monitor when Avi Vantage is either passing SSL encrypted traffic directly from clients to servers, or Avi Vantage is providing SSL encryption between itself and the servers. This article covers the configuration specific to the HTTPS monitor.

Creating an HTTPS Health Monitor

To create an HTTPS monitor:

  1. From the NSX Advanced Load Balancer UI, navigate to Templates > Profiles > Health Monitors.

  2. Click on Create to open the CREATE HEALTH MONITOR screen.

  3. Under the General tab, enter the basic information about the health monitor. Note: Select HTTPS to view the HTTPS settings.

  4. Configure the HTTPS settings.

  5. Configure the Server Maintenance Mode settings.

  6. Configure Role-Based Access Control (RBAC).

  7. Click Save to complete the HTTPS health monitor creation.

Configuring General Settings

Under the General tab of the CREATE HEALTH MONITOR screen, configure the following:

  1. Enter a unique Name for the monitor.

  2. Enter a Description.

  3. Select HTTPS as the Type of Health Monitor.
    Note: Once the Type of Monitor is selected, options specific to the health monitor type are displayed.

  4. Select the option Is Federated? to replicate the object across the federation. When this option is not selected, the object is visible within the Controller cluster and its associated SEs. This option is enabled only when GSLB is activated. A federated health monitor is used for GSLB purposes, while it is not applicable for a regular health monitor. A GSLB service cannot be associated with a regular health monitor, because the GSLB service is a federated object, while the health monitor is not. Conversely, a pool cannot be associated with a federated health monitor because the pool is not a federated object.

  5. Enter the Send Interval value (in seconds). This value determines how frequently the health monitor initiates an active check of a server. The frequency range is 1 to 3600.

  6. Enter the Receive Timeout value (in seconds). The server must return a valid response to the health monitor within the specified time limit. The receive timeout range is 1 to 2400 or the send interval value minus 1 second.
    Note: If the status of a server continually flips between up and down, this may indicate that the receive timeout is too aggressive for the server.

  7. Enter Successful Checks. This is the number of consecutive health checks that must succeed before NSX Advanced Load Balancer marks a down server as up. The minimum is 1, and the maximum is 50.

  8. Enter Failed Checks. This is the number of consecutive health checks that must fail before NSX Advanced Load Balancer marks a server as down. The minimum is 1, and the maximum is 50.
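The sketch below models how the four General settings interact: it range-checks them and replays a series of check results to show when a server changes state. It is an added example, not NSX Advanced Load Balancer code; the function names, the sample timings and the reading of the receive timeout bound as the smaller of 2400 and the send interval minus 1 are assumptions.

```python
# Added example: a model of the General settings described above.
# Not NSX Advanced Load Balancer code; function names are hypothetical.

def validate(send_interval, receive_timeout, successful_checks, failed_checks):
    """Return range violations for the four fields; an empty list means in range."""
    errors = []
    if not 1 <= send_interval <= 3600:
        errors.append("send_interval must be 1 to 3600")
    # Assumption: the upper bound is the smaller of 2400 and send_interval - 1.
    limit = min(2400, send_interval - 1)
    if not 1 <= receive_timeout <= limit:
        errors.append(f"receive_timeout must be 1 to {limit}")
    if not 1 <= successful_checks <= 50:
        errors.append("successful_checks must be 1 to 50")
    if not 1 <= failed_checks <= 50:
        errors.append("failed_checks must be 1 to 50")
    return errors

def replay(response_times, receive_timeout, successful_checks, failed_checks,
           start_up=True):
    """Replay per-check response times in seconds (None = no response) and
    return the server state after each check."""
    up, streak, states = start_up, 0, []
    for rt in response_times:
        ok = rt is not None and rt <= receive_timeout
        # Only consecutive results that contradict the current state count.
        streak = streak + 1 if ok != up else 0
        needed = failed_checks if up else successful_checks
        if streak >= needed:
            up, streak = not up, 0
        states.append("up" if up else "down")
    return states

def transitions(states):
    """Count up/down flips in a replayed state list."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)

# Constructed sample: a server that answers in 1 s or 2 s on alternating checks.
JITTERY = [1, 2, 1, 2, 1, 2, 1, 2]
```

With a 1-second receive timeout and Failed Checks set to 1, the JITTERY sample flips state on every check; raising either the timeout or Failed Checks removes the flapping.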

Configuring HTTPS Settings

Under the HTTPS tab, configure the following:

  1. Specify a Health Monitor Port to be used for the health check. Clients are directed to the port of the server defined in the pool. For instance, a server at HTTP port 80 has two health monitors attached, one for HTTP default port, and a second for HTTPS specifically on port 443. If both health monitors pass, the server can receive traffic on HTTP port 80. This ensures clients can input items in their shopping cart and later purchase those items over SSL on 443. If the field is blank, the default port configured for the server is used.

  2. Select the Authentication Type.

  3. Enter the Username and Password for server authentication.

  4. Use the Client Request Header and Client Request Body sections to send an HTTP request to the web server. NSX Advanced Load Balancer does not validate the request, as different servers may support unique request syntax:
    • Method: Any method may be used, though GET, POST and HEAD are the most common for monitoring. If no method is defined, NSX Advanced Load Balancer will use GET.
      • GET /index.htm
      • POST /upload.asp HTTP/1.0\r\nHost: www.site.com\r\nContent-Length: 10\r\nABCDE12345
    • Path: The path may include the URI and query, such as /index.htm?user=test. If no path is specified, / will be used.
  5. Select Use Exact Request to use the exact http_request string as specified by the user. This avoids the automatic insertion of headers such as the Host header.

  6. Under Server Response Data, enter a keyword to match in the first 2 KB of the server header and body response.

  7. In the Response Code field, enter HTTPS response codes for a successful match. A successful HTTPS monitor requires either the response code, the server response data, or both fields to be populated. The response code expects the server to return a response code within the specified range. For a GET request, a server should usually return a 200, 301 or 302. For a HEAD request, the server will typically return a 304. A response code by itself does not validate the server’s response content, just the status.

  8. Click Enable SSL Attributes to allow SSL encrypted traffic to pass to servers without decrypting in the load balancer (the SE). Configure the following:
    1. In the TLS SNI Server Name field, enter a fully qualified DNS hostname to include the SSL host header extension during TLS handshakes. If no value is specified, the value is inherited from the pool.
    2. Select an existing SSL Profile or create a new one, as required. This defines the ciphers and SSL versions to be used for the health monitor traffic to the backend servers.
    3. Select an existing PKI Profile or create a new one, as required. This will be used to validate the SSL certificate presented by the server.
    4. Select an existing SSL Key and Certificate or create a new one, as required.


Configuring Server Maintenance Mode

Under the Server Maintenance Mode tab, configure the following:

  1. If the Maintenance Response Code is seen in the server response, it indicates that the server is placed in maintenance mode. A successful match marks the server down. Enter multiple response codes separated by commas.
  2. Enter the Maintenance Server Response Data which, when found in the server response, indicates that the server is placed in maintenance mode. A successful match marks the server down.

Configuring RBAC

  1. Under the Role-Based Access Control (RBAC) section, configure labels to control access to the health monitor based on the defined roles:
    1. Click Add.
    2. Enter the Key and the corresponding values.

See granular-rbac for more information.

Example Health Check

Sample HTTPS health check send string:

GET /health/local HTTP/1.0
User-Agent: avi/1.0
Host: 10.10.10.3
Accept: */*

Sample server response:

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/plain
Content-Length: 15
Date: Fri, 20 May 2016 18:23:05 GMT
Connection: close

Health Check Ok

The server response includes both the response code, 200, and the Server Response Data, Health Check Ok. Therefore, this server will be marked up. Notice that NSX Advanced Load Balancer automatically includes additional headers in the send string, including User-Agent, Host, and Accept, to ensure the server receives a fully formed request.
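The matching rules from the HTTPS Settings and Server Maintenance Mode sections, applied to the sample response above, as an added example that is not NSX Advanced Load Balancer code. The function names, the http_Nxx class labels modelled on the http_2xx value used on this page, the byte-exact keyword match and the maintenance-before-success ordering are assumptions.

```python
# Added example: models the matching rules described on this page.
# Not NSX Advanced Load Balancer code; all names here are hypothetical.
MATCH_WINDOW = 2048  # "first 2kb of the server header and body response"

# Constructed sample: the server response shown above, abridged, CRLF line endings.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 15\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"Health Check Ok"
)

def status_code(raw):
    """Return the numeric status from the status line, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def evaluate(raw, code_classes=(), response_data=None,
             maint_codes=(), maint_data=None):
    """Classify one health check response as 'up', 'down' or 'maintenance'."""
    if not code_classes and response_data is None:
        raise ValueError("populate the response code, the response data, or both")
    code = status_code(raw)
    window = raw[:MATCH_WINDOW]  # headers and body share the same match window
    # Assumption: maintenance matches are checked before success matches.
    if code in maint_codes or (maint_data is not None and maint_data in window):
        return "maintenance"  # the page: a successful match marks the server down
    if code is None:
        return "down"
    if code_classes and f"http_{code // 100}xx" not in code_classes:
        return "down"
    # Assumption: byte-exact, case-sensitive keyword match.
    if response_data is not None and response_data not in window:
        return "down"
    return "up"

def with_large_headers(raw, pad=3000):
    """Constructed variant: add a long header so the body falls outside the window."""
    head, body = raw.split(b"\r\n\r\n", 1)
    return head + b"\r\nX-Padding: " + b"a" * pad + b"\r\n\r\n" + body
```

Because headers count toward the 2 KB window, a server that returns large headers can fail a body keyword match even though the body is correct, while a monitor that checks only the response code would still mark it up.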

SSL Attributes in HTTPS Health Monitor

Behavior Change

The SSL settings on the health monitor are always considered if provided. If SSL settings for the health monitor are not provided, the health monitor falls back to using the pool SSL settings. An HTTPS health monitor needs SSL settings on either the health monitor config itself or in the pool config. If they are absent in both, Avi Vantage reports an error.

Upgrade Impact

Upgrade happens smoothly and needs no manual configuration. Upgrading from releases prior to 17.1 causes the HTTPS health monitor to use pool SSL settings. If a new SSL config is added to the health monitor, it takes effect.

Configuring POST Method

Starting with Avi Vantage version 20.1.1, you can configure the POST method.

The following is the configuration example:


[admin:ctrl2]: > configure healthmonitor HTTPS-HM-POST
[admin:ctrl2]: healthmonitor> type health_monitor_https
[admin:ctrl2]: healthmonitor> https_monitor
[admin:ctrl2]: healthmonitor:https_monitor> http_request "POST /echo_post_header_body HTTP/1.0"
[admin:ctrl2]: healthmonitor:https_monitor> http_request_body "This is a test for HTTP POST method"
[admin:ctrl2]: healthmonitor:https_monitor> http_response "test for HTTP"
[admin:ctrl2]: healthmonitor:https_monitor> http_response_code http_2xx
[admin:ctrl2]: healthmonitor:https_monitor> save
[admin:ctrl2]: healthmonitor> save

Note: When exact_request is configured, http_request_body will be appended to the end of http_request.

For further details on authenticating health monitors, refer to the Authenticating HTTP/HTTPS Health Monitor user guide.

The HTTPS health monitor may only be applied to a pool whose virtual service has an HTTP application profile attached. Health monitoring of HTTPS is covered in the SSL Attributes in HTTPS Health Monitor section at the end of this article.