fix(active-checks): use HTTP/1.1 for health check probes

Previously, active health check probes sent HTTP/1.0 requests, which
caused upstream servers that only support HTTP/1.1 to respond with
426 Upgrade Required, incorrectly marking healthy targets as unhealthy.

Switch the default probe request from HTTP/1.0 to HTTP/1.1 with
Connection: close header. HTTP/1.1 is backward-compatible with all
servers that accept HTTP/1.0, so this change requires no configuration
updates from users.

Refactored run_single_check() into focused helpers:
- build_http_headers(): builds and caches serialized header string
- establish_connection(): TCP connect + optional TLS handshake
- probe_http(): sends HTTP/1.1 GET and reports result

FTI-7389

Signed-off-by: Walker Zhao <walker.zhao@konghq.com>

Author: findns94

lib/resty/healthcheck.lua

@@ -985,60 +985,18 @@ end
 --============================================================================
 
 
--- Runs a single healthcheck probe
-function checker:run_single_check(ip, port, hostname, hostheader)
-
-  local sock, err = ngx.socket.tcp()
-  if not sock then
-    self:log(ERR, "failed to create stream socket: ", err)
-    return
-  end
-
-  sock:settimeout(self.checks.active.timeout * 1000)
-
-  local ok
-  ok, err = sock:connect(ip, port)
-  if not ok then
-    if err == "timeout" then
-      sock:close()  -- timeout errors do not close the socket.
-      return self:report_timeout(ip, port, hostname, "active")
-    end
-    return self:report_tcp_failure(ip, port, hostname, "connect", "active")
-  end
-
-  if self.checks.active.type == "tcp" then
-    sock:close()
-    return self:report_success(ip, port, hostname, "active")
-  end
-
-  if self.checks.active.type == "https" then
-    local https_sni, session, err
-    https_sni = self.checks.active.https_sni or hostheader or hostname
-    if self.ssl_cert and self.ssl_key then
-      ok, err = sock:setclientcert(self.ssl_cert, self.ssl_key)
-
-      if not ok then
-        self:log(ERR, "failed to set client certificate: ", err)
-      end
-    end
-
-    session, err = sock:sslhandshake(nil, https_sni,
-                                     self.checks.active.https_verify_certificate)
-
-    if not session then
-      sock:close()
-      self:log(ERR, "failed SSL handshake with '", hostname or "", " (", ip, ":", port, ")', using server name (sni) '", https_sni, "': ", err)
-      return self:report_tcp_failure(ip, port, hostname, "connect", "active")
-    end
-
+-- Builds and caches the serialized user-configured headers string for HTTP/1.x probes.
+-- Uses ~= nil so that a cached empty string ("") is also a cache hit.
+local function build_http_headers(self)
+  if self.checks.active._headers_str ~= nil then
+    return self.checks.active._headers_str
   end
 
   local req_headers = self.checks.active.headers
   local headers
-  if self.checks.active._headers_str then
-    headers = self.checks.active._headers_str
-  elseif req_headers == nil then
-      headers = ""
+
+  if req_headers == nil then
+    headers = ""
   else
     local headers_length = nkeys(req_headers)
     if headers_length > 0 then
@@ -1065,15 +1023,75 @@ function checker:run_single_check(ip, port, hostname, hostheader)
         headers = headers .. "\r\n"
       end
     end
-    self.checks.active._headers_str = headers or ""
   end
 
+  self.checks.active._headers_str = headers or ""
+  return self.checks.active._headers_str
+end
+
+
+-- Establishes a TCP connection and optionally performs a TLS handshake for
+-- https type.  Returns the connected socket, or nil when a failure has
+-- already been reported via report_timeout / report_tcp_failure.
+local function establish_connection(self, ip, port, hostname, hostheader, typ)
+  local sock, err = ngx.socket.tcp()
+  if not sock then
+    self:log(ERR, "failed to create stream socket: ", err)
+    return nil
+  end
+
+  sock:settimeout(self.checks.active.timeout * 1000)
+
+  local ok
+  ok, err = sock:connect(ip, port)
+  if not ok then
+    if err == "timeout" then
+      sock:close()  -- timeout errors do not close the socket.
+      self:report_timeout(ip, port, hostname, "active")
+    else
+      self:report_tcp_failure(ip, port, hostname, "connect", "active")
+    end
+    return nil
+  end
+
+  if typ == "https" then
+    local https_sni = self.checks.active.https_sni or hostheader or hostname
+    if self.ssl_cert and self.ssl_key then
+      ok, err = sock:setclientcert(self.ssl_cert, self.ssl_key)
+      if not ok then
+        self:log(ERR, "failed to set client certificate: ", err)
+      end
+    end
+
+    local session
+    session, err = sock:sslhandshake(nil, https_sni,
+                                     self.checks.active.https_verify_certificate)
+    if not session then
+      sock:close()
+      self:log(ERR, "failed SSL handshake with '", hostname or "", " (", ip, ":", port, ")', using server name (sni) '", https_sni, "': ", err)
+      self:report_tcp_failure(ip, port, hostname, "connect", "active")
+      return nil
+    end
+  end
+
+  return sock
+end
+
+
+-- Sends an HTTP/1.1 GET request over an already-connected socket and reports
+-- the result via report_http_status / report_tcp_failure / report_timeout.
+-- Connection: close is injected so the server closes the connection after
+-- responding (health probes are one-shot).
+local function probe_http(self, sock, ip, port, hostname, hostheader)
+  local headers = build_http_headers(self)
   local path = self.checks.active.http_path
-  local request = ("GET %s HTTP/1.0\r\n%sHost: %s\r\n\r\n"):format(path, headers, hostheader or hostname or ip)
+  local host = hostheader or hostname or ip
+
+  local request = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n%s\r\n"):format(
+                    path, host, headers)
   self:log(DEBUG, "request head: ", request)
 
-  local bytes
-  bytes, err = sock:send(request)
+  local bytes, err = sock:send(request)
   if not bytes then
     self:log(ERR, "failed to send http request to '", hostname, " (", ip, ":", port, ")': ", err)
     if err == "timeout" then
@@ -1108,10 +1126,27 @@ function checker:run_single_check(ip, port, hostname, hostheader)
   sock:close()
 
   self:log(DEBUG, "Reporting '", hostname, " (", ip, ":", port, ")' (got HTTP ", status, ")")
-
   return self:report_http_status(ip, port, hostname, status, "active")
 end
 
+
+-- Runs a single healthcheck probe
+function checker:run_single_check(ip, port, hostname, hostheader)
+  local typ = self.checks.active.type
+
+  local sock = establish_connection(self, ip, port, hostname, hostheader, typ)
+  if not sock then
+    return  -- failure already reported inside establish_connection
+  end
+
+  if typ == "tcp" then
+    sock:close()
+    return self:report_success(ip, port, hostname, "active")
+  end
+
+  return probe_http(self, sock, ip, port, hostname, hostheader)
+end
+
 -- executes a work package (a list of checks) sequentially
 function checker:run_work_package(work_package)
   for _, work_item in ipairs(work_package) do

t/with_resty-events/18-req-headers.t

@@ -79,9 +79,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl/7.29.0
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl/7.29.0
 
 
 
@@ -128,9 +129,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 === TEST 3: headers: { ["User-Agent"] = "curl" }
@@ -176,9 +178,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 
@@ -225,9 +228,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 
@@ -274,7 +278,8 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
+GET /status HTTP/1.1
+Host: 127.0.0.1
+Connection: close
 User-Agent: curl
 User-Agent: nginx
-Host: 127.0.0.1

t/with_worker-events/18-req-headers.t

@@ -59,9 +59,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl/7.29.0
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl/7.29.0
 
 
 
@@ -109,9 +110,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 === TEST 3: headers: { ["User-Agent"] = "curl" }
@@ -158,9 +160,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 
@@ -208,9 +211,10 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
-User-Agent: curl
+GET /status HTTP/1.1
 Host: 127.0.0.1
+Connection: close
+User-Agent: curl
 
 
 
@@ -258,7 +262,8 @@ true
 --- error_log
 checking healthy targets: nothing to do
 checking healthy targets: #1
-GET /status HTTP/1.0
+GET /status HTTP/1.1
+Host: 127.0.0.1
+Connection: close
 User-Agent: curl
 User-Agent: nginx
-Host: 127.0.0.1