Is there a way to decide what CURL should consider a success?

Question

My goal is to have a HEALTHCHECK command in my Dockerfile to check if the webserver is working alright by simply making a request to the website and check if it receives a "proper response".

The problem I'm having is that the application has an authentication middleware, which causes the application to return an error (401 Unauthorized), causing CURL to fail and return curl: (7) Failed to connect to host.docker.internal port 8000: Connection refused.

If I remove the authentication middleware it doesn't return anything, which is what I'm aiming for.

The command I'm using is the following (I'm currently just using it inside a container, trying to find a solution):

curl --fail http://host.docker.internal:8000

I know I can tell CURL the username and password but that's something I would rather not do it.

Having a way to tell CURL that Unauthorized (error 401) is fine or to consider a connection refused error (curl: (7)) as the only error would be fine but it would be even better if I could decide what should CURL consider and/or not consider a success. Is there any way to do something like this with one or more CURL options?

Answer 1

Health check is a good practice when microservices or rest services architecture are used.

Default health endpoints and check platforms needs 200 as http code to flag your app as healthy. Any other response is flagged ad unhealthy.

Custom codes with curl

I tried and I can say: with curl is not possible:

• https://superuser.com/questions/590099/can-i-make-curl-fail-with-an-exitcode-different-than-0-if-the-http-status-code-i

You need a custom logic.

Custom health

As you are using ubuntu based image, you could use a simple bash function to catch 401 codes and return exit 0 in order to mark as healthy your container.

with curl

The cornerstone here is the option to retrieve just the response code from curl invokation:

curl -o /dev/null -s -w "%{http_code}\n" http://localhost

So you can create a bash script to execute your curl invocation and return:

• exit 0 just for 200 & 401
• And exit 1 in any other case .

#healthcheck.sh
code=$(curl -o /dev/null -s -w "%{http_code}\n" http://localhost:12345)

echo "response code:$code"
if [ "$code" == "200" ] || [ "$code" == "401" ]
then
  echo "success"
  exit 0;
else
  echo "error"
  exit 1;
fi

Finally you can use this script in your healthcheck in any language(php in your case):

FROM node
COPY server.js /
HEALTHCHECK --interval=5s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:8080 || exit 1
CMD [ "node", "/server.js" ]

Health feature should be public

Common health verification is related to: server status, internet connection, ram, disk, database connectivity, and any other stat that indicates you if you app is running and is ok.

Health check platforms does not allow us to register complex security flows (oauth1, ouath2, openid, etc). Just allow us to register a simple http endpoint. Here an example from aws ELB check configuration

Health feature should not expose any other sensitive data, because of that, this endpoint could be public. Classic and public webpages, web systems or public apis are examples.

Workaround

In some strict cases, privacy is required.

1. In this case I protected the /health with a simple apikey value as query parameter. In the controller, I validate if it is equal to some value. Final health endpoint will be /health?apiKey=secret and this is easy to register in check platforms.
2. Using complex configurations you could allow /health just for internal private lan, not for public access. So in this case your /health is secure