Reputation: 40333
How do I test an specific load balancer instance over HTTPS?
I have a collection of Nginx services working as load balancers for a single address, let's say www.example.com. I would like to have a test suite that targets each of these machines in isolation, not going through the DNS load balancing, as in going straight to the address.
When I try to do something like that in curl I get:
$ curl -H "Host: www.example.com" -v https://10.10.10.10/
* Trying 10.10.10.10...
* Connected to 10.10.10.10 (10.10.10.10) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* SSL: certificate subject name (www.example.com) does not match target host name '10.10.10.10'
* Closing connection 0
curl: (51) SSL: certificate subject name (www.example.com) does not match target host name '10.10.10.10'
I know 10.10.10.10 is not the same name, but I'd like to instruct the tool to believe it is (because I know it is, these are all load balancers serving the same domain).
Is there any way to do that that won't involve dealing with DNS resolution?
Upvotes: 2
Views: 10629
Answers (1)
Reputation: 446
The problem you're having is because the Host header you are setting is being sent to the server, but is not being used by curl for SSL verification.
You can see this in the curl output, notice the "Connected to 10.10.10.10":
$ curl -H "Host: www.example.com" -v https://10.10.10.10/
* Trying 10.10.10.10...
* Connected to 10.10.10.10 (10.10.10.10) port 443 (#0)
You are likely looking for the --resolve flag:
--resolve
<host:port:address>Provide a custom address for a specific host and port pair. Using this, you can make the curl requests(s) use a specified address and prevent the otherwise normally resolved address to be used. Consider it a sort of /etc/hosts alternative provided on the command line.
See: curl man page
With this in mind, you probably want to try:
curl -v --resolve www.example.com:443:10.10.10.10 https://www.example.com
Which should make it evident in the output that curl is now using the hostname, thus, allowing the validation of the certificate subject name:
$ curl -v --resolve www.example.com:443:10.10.10.10 https://www.example.com
* Added www.example.com:443:10.10.10.10 to DNS cache
* About to connect() to www.example.com port 443 (#0)
* Trying 10.10.10.10...
* Connected to www.example.com (10.10.10.10) port 443 (#0)
Upvotes: 7
Related Questions
- AWS HTTPS requests not working on EC2 Load Balancer
- Forwarding http to https in AWS Load Balancers
- How to test load balancing in nginx?
- How to test AWS Network Load Balancer using Curl command?
- How to make HTTPS requests to AWS Load Balancer with Varnish and Nginx?
- Test SSL before changing DNS
- How Do I Configure Docker Containers Behind A Load Balancer?
- How to configure nginx to act as a load balancer for proxies?
- Test globally distributed web application
- Determine SSL connection behind a load balancer