HAproxy health checks with authentication


#1

Hi,
I’m trying to have HAproxy to monitor RabbitMQ’s built-in health check module.
Though I am able to http-check my RabbitMQ web portal and look for a string in the login page, I can’t seem to perform basic authentication (then look for a string with the node status).
I am able to successfully authenticate to the RabbitMQ health page by using curl like so:
curl https://user:password@rabbitmq01:15671/api/aliveness-test/%2F

The relevant part of my Config:


Backend:

option httpchk get /api/aliveness-test/%2F HTTP/1.1\r\nAuthorization:\ Basic\ user:password
http-check expect rstring .ok.
default-server inter 1000 fall 2 rise 2
server RabbitMQ01 10.10.10.10:5671 check port 15671 ssl verify none

You’r help is very much appreciated :slightly_smiling:


#2

Hi,

Your Authentication header is improperly sent.

Please run

curl -v https://user:password@rabbitmq01:15671/api/aliveness-test/%2F

and simply re-use the authentication header as built by curl.
With user:password string, it would be:

option httpchk get /api/aliveness-test/%2F HTTP/1.1\r\nAuthorization:\ Basic\ dXNlcjpwYXNzd29yZA==

Haproxy backend server error handling
#3

Hi Baptiste,
Thank you for your quick reply!
I’ve ran curl in verbose and took the hashed password from the output and in to my haproxy configuration file.
Unfortunately, I’m still having the same problem.
I’ve changed the string I’m expecting from ok to fail (to see maybe it’s an authentication issue) but in the haproxy logs I still see that “HTTP content did not match”.

In addition, the RabbitMQ management portal is SSL so I guess I need to pass the url as well some how. If this is the right direction, can you please advise?


#4

HAProxy turns automatically the check as SSL if the traffic to the server is ciphered.

Maybe you should check first the HTTP status code, to see if you get a 200 or a 401.