From c5c0143013e2e87c26703e0717c4269a2f93236f Mon Sep 17 00:00:00 2001
From: Owen
Date: Mon, 1 Sep 2025 10:56:08 -0700
Subject: [PATCH] Allow health check to http self signed by default

Fixes #122
---
 healthcheck/healthcheck.go | 35 ++++++++++++++++++++++++++---------
 main.go | 10 +++++++---
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/healthcheck/healthcheck.go b/healthcheck/healthcheck.go
index 523d34e..9cce0f9 100644
--- a/healthcheck/healthcheck.go
+++ b/healthcheck/healthcheck.go
@@ -2,6 +2,7 @@ package healthcheck
 
 import (
 "context"
+ "crypto/tls"
 "encoding/json"
 "fmt"
 "net/http"
@@ -66,20 +67,31 @@ type StatusChangeCallback func(targets map[int]*Target)
 
 // Monitor manages health check targets and their monitoring
 type Monitor struct {
- targets map[int]*Target
- mutex sync.RWMutex
- callback StatusChangeCallback
- client *http.Client
+ targets map[int]*Target
+ mutex sync.RWMutex
+ callback StatusChangeCallback
+ client *http.Client
+ enforceCert bool
 }
 
 // NewMonitor creates a new health check monitor
-func NewMonitor(callback StatusChangeCallback) *Monitor {
- logger.Info("Creating new health check monitor")
+func NewMonitor(callback StatusChangeCallback, enforceCert bool) *Monitor {
+ logger.Info("Creating new health check monitor with certificate enforcement: %t", enforceCert)
+
+ // Configure TLS settings based on certificate enforcement
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: !enforceCert,
+ },
+ }
+
 return &Monitor{
- targets: make(map[int]*Target),
- callback: callback,
+ targets: make(map[int]*Target),
+ callback: callback,
+ enforceCert: enforceCert,
 client: &http.Client{
- Timeout: 30 * time.Second,
+ Timeout: 30 * time.Second,
+ Transport: transport,
 },
 }
 }
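Review bot: NewMonitor now hands every health check a Transport whose `InsecureSkipVerify` is `!enforceCert`, and with the new option off by default that disables both chain validation and hostname checking for all HTTPS targets, which is broader than accepting self-signed certificates (#122) and is announced only by the Info-level line in the constructor. The doc comment should say so, e.g. `// NewMonitor creates a new health check monitor. When enforceCert is false (the default) the client skips TLS certificate verification, so HTTPS targets are not authenticated.`, and logging the disabled state at a higher level than Info would make it visible in production logs. If the goal is only self-signed endpoints, a `RootCAs` pool built from an operator-supplied CA file keeps hostname verification; if InsecureSkipVerify stays, at least derive the transport from the default one so its proxy, dial and TLS-handshake timeouts survive: `transport := http.DefaultTransport.(*http.Transport).Clone()` followed by `transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !enforceCert}`. The enforceCert field stored on Monitor is otherwise only read by the debug message added in performHealthCheck.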
@@ -367,6 +379,11 @@ func (m *Monitor) performHealthCheck(target *Target) {
 logger.Debug("Target %d: performing health check %d to %s", target.Config.ID, target.CheckCount, url)
+ if target.Config.Scheme == "https" {
+ logger.Debug("Target %d: HTTPS health check with certificate enforcement: %t",
+ target.Config.ID, m.enforceCert)
+ }
+
 // Create request
 ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
 defer cancel()
diff --git a/main.go b/main.go
index 8c8cd6f..5816129 100644
--- a/main.go
+++ b/main.go
@@ -114,6 +114,7 @@ var (
 authorizedKeysFile string
 preferEndpoint string
 healthMonitor *healthcheck.Monitor
+ enforceHealthcheckCert bool
 
 // New mTLS configuration variables
 tlsClientCert string
@@ -138,10 +139,12 @@ func main() {
 keepInterfaceEnv := os.Getenv("KEEP_INTERFACE")
 acceptClientsEnv := os.Getenv("ACCEPT_CLIENTS")
 useNativeInterfaceEnv := os.Getenv("USE_NATIVE_INTERFACE")
+ enforceHealthcheckCertEnv := os.Getenv("ENFORCE_HC_CERT")
 
 keepInterface = keepInterfaceEnv == "true"
 acceptClients = acceptClientsEnv == "true"
 useNativeInterface = useNativeInterfaceEnv == "true"
+ enforceHealthcheckCert = enforceHealthcheckCertEnv == "true"
 
 dockerSocket = os.Getenv("DOCKER_SOCKET")
 pingIntervalStr := os.Getenv("PING_INTERVAL")
@@ -206,8 +209,8 @@ func main() {
 if acceptClientsEnv == "" {
 flag.BoolVar(&acceptClients, "accept-clients", false, "Accept clients on the WireGuard interface")
 }
- if tlsPrivateKey == "" {
- flag.StringVar(&tlsPrivateKey, "tls-client-cert", "", "Path to client certificate used for mTLS")
+ if enforceHealthcheckCertEnv == "" {
+ flag.BoolVar(&enforceHealthcheckCert, "enforce-hc-cert", false, "Enforce certificate validation for health checks (default: false, accepts any cert)")
 }
 if dockerSocket == "" {
 flag.StringVar(&dockerSocket, "docker-socket", "", "Path or address to Docker socket (typically unix:///var/run/docker.sock)")
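Review bot: `enforceHealthcheckCert = enforceHealthcheckCertEnv == "true"` treats any other spelling of ENFORCE_HC_CERT ("1", "True", "yes") as false, and because the `-enforce-hc-cert` flag in the later hunk (`-206,8 +209,8`) is only registered when the variable is empty, such a value also removes the flag, so a typo silently leaves certificate verification off with no way to turn it on from the command line. This mirrors the existing KEEP_INTERFACE and ACCEPT_CLIENTS handling, but for the switch that decides whether TLS peers are authenticated an unrecognised value should be reported rather than absorbed; `strconv.ParseBool` accepts the usual spellings, and its error can be logged before falling back. main continues outside the hunk.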
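Review bot: The removed lines in the `-206,8 +209,8` hunk were the registration of the `tls-client-cert` flag (bound to tlsPrivateKey, which looks like an earlier copy-paste slip) and the hunk replaces them instead of adding beside them, so unless a `tls-client-cert` flag bound to tlsClientCert is registered elsewhere in main.go, outside this hunk, the option disappears with this commit; please confirm against the rest of the file. The new help string also repeats the default that package flag prints itself; `"Verify TLS certificates of HTTPS health check targets; off by default, so any certificate, including self-signed, is accepted"` states the consequence once. main starts and ends outside the hunk.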
@@ -364,6 +367,7 @@ func main() {
 logger.Debug("Endpoint: %v", endpoint)
 logger.Debug("Log Level: %v", logLevel)
 logger.Debug("Docker Network Validation Enabled: %v", dockerEnforceNetworkValidationBool)
+ logger.Debug("Health Check Certificate Enforcement: %v", enforceHealthcheckCert)
 
 // Add new TLS debug logging
 if tlsClientCert != "" {
@@ -429,7 +433,7 @@ func main() {
 if err != nil {
 logger.Error("Failed to send health check status update: %v", err)
 }
- })
+ }, enforceHealthcheckCert)
 var pingWithRetryStopChan chan struct{}