I have an Azure Traffic Manager set up to monitor some HTTPS services exposed via public IP addresses.
When I set the health probe to be TCP / 443, the probe works fine and the endpoint shows Online.
When I set the HTTPS probe on port 443 to /images/favicon.ico, with appropriate host: and user-agent: headers which I have confirmed work with curl -k via the command line, and even set the allowed HTTP return codes to 100-599, the probe still shows Degraded.
I am wondering if this is because we use a highly secure (A+ rating on the Qualys SSL checker) SSL cipher suite and only permit TLS 1.2+, and there is an SSL handshake failure by the Azure Traffic Manager monitors?
Is there any way to verify this?
The ciphers our website allows are:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS
And again, we only permit TLS 1.2.
Edit: Our server serves an SNI certificate. Supposedly these are 'not supported', not just 'not validated'. Is this what's breaking the HTTPS health probes?
-k for curl. And self-signed won't work under Traffic Manager. – evilSnobu
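One way to check the handshake hypothesis from the question is to replay the variants a probe might attempt (TLS 1.2 with SNI and chain verification, and the same connection without SNI) and classify the resulting TLS alert. This is an added diagnostic script, not code from the question, from Azure, or from the commenter; TARGET_IP, CERT_HOSTNAME and the classification strings are assumptions/placeholders to replace with your own endpoint.

```python
"""Replay the TLS handshake variants an HTTPS health probe may use."""
import socket
import ssl

TARGET_IP = "203.0.113.10"          # placeholder (TEST-NET-3), constructed
CERT_HOSTNAME = "www.example.com"   # placeholder: name on the SNI certificate
PROBE_PATH = "/images/favicon.ico"  # path from the question


def classify_handshake_error(exc: Exception) -> str:
    """Map the text of an ssl.SSLError to a likely cause of the failure."""
    msg = str(exc).upper()
    if "CERTIFICATE_VERIFY_FAILED" in msg:
        return "cert_verify"     # probe cannot validate the chain (self-signed etc.)
    if "PROTOCOL_VERSION" in msg or "UNSUPPORTED_PROTOCOL" in msg \
            or "WRONG_VERSION_NUMBER" in msg:
        return "tls_version"     # no TLS version in common (e.g. TLS 1.2-only server)
    if "UNRECOGNIZED_NAME" in msg or "HANDSHAKE_FAILURE" in msg:
        return "sni_or_cipher"   # server rejected the SNI name or cipher set
    return "other"


def probe(ip, port=443, sni=None, verify=True, timeout=5.0):
    """Attempt a TLS 1.2+ handshake and one GET; report what happened."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if sni is None:
        ctx.check_hostname = False       # no name to check; chain is still verified
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # equivalent of curl -k
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                req = (f"GET {PROBE_PATH} HTTP/1.1\r\nHost: {sni or ip}\r\n"
                       "User-Agent: probe-check\r\nConnection: close\r\n\r\n")
                tls.sendall(req.encode())
                status_line = tls.recv(64).split(b"\r\n", 1)[0].decode(errors="replace")
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "status": status_line}
    except ssl.SSLError as e:
        return {"ok": False, "cause": classify_handshake_error(e), "detail": str(e)}
    except OSError as e:
        return {"ok": False, "cause": "tcp", "detail": str(e)}


if __name__ == "__main__":
    for label, kwargs in [("sni+verify", {"sni": CERT_HOSTNAME}),
                          ("no-sni", {}),
                          ("sni, no verify", {"sni": CERT_HOSTNAME, "verify": False})]:
        print(label, probe(TARGET_IP, **kwargs))
```

If the "no-sni" variant fails with sni_or_cipher or cert_verify while "sni+verify" succeeds, the server is relying on SNI in a way the probe does not supply; a tls_version result points at the version floor instead.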