While debugging probes in the parent task I came across this behaviour:
- thanos-fe hosts have TLS terminated by envoy with two virtual hosts: thanos-swift and thanos-query (with corresponding svc and discovery entries)
- we're probing both services by:
  - connecting to thanos-swift.svc.SITE.wmnet / thanos-query.svc.SITE.wmnet
  - sending the corresponding thanos-swift / thanos-query discovery names as SNI
  - using the svc names plus port as Host headers (though using discovery entries doesn't change behaviour)
I noticed that including the port number seems to break vhost selection (I suspect the 404 is because thanos-query is selected as a vhost and /healthcheck doesn't exist there):
```
prometheus1003:~$ curl --header 'Host: thanos-swift.discovery.wmnet:443' https://thanos-swift.discovery.wmnet:443/healthcheck -v 2>&1 | grep HTTP/
> GET /healthcheck HTTP/1.1
< HTTP/1.1 404 Not Found
prometheus1003:~$ curl --header 'Host: thanos-swift.discovery.wmnet' https://thanos-swift.discovery.wmnet:443/healthcheck -v 2>&1 | grep HTTP/
> GET /healthcheck HTTP/1.1
< HTTP/1.1 200 OK
```
cc @JMeybohm @Joe in case you have come across this before?