Add SSL Support - completion of PR#5

README.markdown

@@ -54,8 +54,13 @@ http {
         local ok, err = hc.spawn_checker{
             shm = "healthcheck",  -- defined by "lua_shared_dict"
             upstream = "foo.com", -- defined by "upstream"
+
             type = "http",
-
+            -- type = "https",
+            -- ssl_verify = true, -- verify SSL certs
+            -- ssl_server_name = "custom_server_name" -- if given, will be passed to tcpsock:sslhandshake as server_name instead of peer.name
+            -- ssl_reuse_session = true, -- this makes sure SSL session will be reused
+
             http_req = "GET /status HTTP/1.0\r\nHost: foo.com\r\n\r\n",
                     -- raw HTTP request for checking
 

lib/resty/upstream/healthcheck.lua

@@ -20,7 +20,7 @@ local wait = ngx.thread.wait
 local pcall = pcall
 
 local _M = {
-    _VERSION = '0.03'
+    _VERSION = '0.05'
 }
 
 if not ngx.config
@@ -230,16 +230,29 @@ local function check_peer(ctx, id, peer, is_backup)
         ok, err = sock:connect(name)
     end
     if not ok then
-        if not peer.down then
-            errlog("failed to connect to ", name, ": ", err)
+        return peer_error(ctx, is_backup, id, peer,
+                          "failed to connect to ", name, ": ", err)
+    end
+
+    if ctx.type == "https" then
+        local session, err = sock:sslhandshake(ctx.session,
+                                               ctx.ssl_server_name or name,
+                                               ctx.ssl_verify)
+        if not session then
+            peer_error(ctx, is_backup, id, peer,
+                       "failed to do SSL handshake: ", name, ": ", err)
+            return sock:close()
+        end
+        if ctx.ssl_reuse_session then
+            ctx.session = session
         end
-        return peer_fail(ctx, is_backup, id, peer)
     end
 
     local bytes, err = sock:send(req)
     if not bytes then
-        return peer_error(ctx, is_backup, id, peer,
-                          "failed to send request to ", name, ": ", err)
+        peer_error(ctx, is_backup, id, peer,
+                   "failed to send request to ", name, ": ", err)
+        return sock:close()
     end
 
     local status_line, err = sock:receive()
@@ -260,16 +273,15 @@ local function check_peer(ctx, id, peer, is_backup)
             peer_error(ctx, is_backup, id, peer,
                        "bad status line from ", name, ": ",
                        status_line)
-            sock:close()
-            return
+            return sock:close()
         end
 
         local status = tonumber(sub(status_line, from, to))
         if not statuses[status] then
-            peer_error(ctx, is_backup, id, peer, "bad status code from ",
-                       name, ": ", status)
-            sock:close()
-            return
+            peer_error(ctx, is_backup, id, peer,
+                       "bad status code from ", name, ": ",
+                       status)
+            return sock:close()
         end
     end
 
@@ -530,10 +542,14 @@ function _M.spawn_checker(opts)
         return nil, "\"type\" option required"
     end
 
-    if typ ~= "http" then
-        return nil, "only \"http\" type is supported right now"
+    if typ ~= "http" and typ ~= "https" then
+        return nil, "no support for this protocol type"
     end
 
+    local ssl_verify = opts.ssl_verify and true
+
+    local ssl_reuse_session = opts.ssl_reuse_session and true
+
     local http_req = opts.http_req
     if not http_req then
         return nil, "\"http_req\" option required"
@@ -611,6 +627,10 @@ function _M.spawn_checker(opts)
         upstream = u,
         primary_peers = preprocess_peers(ppeers),
         backup_peers = preprocess_peers(bpeers),
+        type = typ,
+        ssl_verify = ssl_verify,
+        ssl_reuse_session = ssl_reuse_session,
+        ssl_server_name = opts.ssl_server_name,
         http_req = http_req,
         timeout = timeout,
         interval = interval,
@@ -620,6 +640,7 @@ function _M.spawn_checker(opts)
         statuses = statuses,
         version = 0,
         concurrency = concur,
+        session = nil,
     }
 
     local ok, err = new_timer(0, check, ctx)
@@ -701,4 +722,67 @@ function _M.status_page()
     return concat(bits)
 end
 
+local function gen_peers_status_table(dict, peers, name, is_backup)
+    local npeers = #peers
+
+    for i = 1, npeers do
+        local peer = peers[i]
+
+        local oks, err = dict:get(gen_peer_key("ok:", name, is_backup, i - 1))
+        if oks then
+            peer.checks_ok = oks
+            if oks > 0 then
+                peer.unhealthy = false
+                peer.checks_fail = 0
+            end
+        end
+
+        if peer.unhealthy == nil then
+            local key = gen_peer_key("nok:", name, is_backup, i - 1)
+            local fails, err = dict:get(key)
+            if fails then
+                peer.checks_fail = fails
+                if fails > 0 then
+                    peer.unhealthy = true
+                    peer.checks_ok = 0
+                end
+            end
+        end
+    end
+end
+
+function _M.status_table(shm)
+    local result = {}
+    local dict = shared[shm]
+
+    local us, err = get_upstreams()
+    if not us then
+        return nil, "failed to get upstream names: " .. err
+    end
+
+    local n = #us
+    for i = 1, n do
+        local u = us[i]
+
+        local ppeers, err = get_primary_peers(u)
+        if not ppeers then
+            return nil, "failed to get primary peers: " .. err
+        end
+        gen_peers_status_table(dict, ppeers, u, false)
+
+        local bpeers, err = get_backup_peers(u)
+        if not bpeers then
+            return nil, "failed to get backup peers: " .. err
+        end
+        gen_peers_status_table(dict, bpeers, u, true)
+
+        result[u] = {
+            primary_peers = ppeers,
+            backup_peers = bpeers,
+        }
+    end
+
+    return result
+end
+
 return _M