Add support for configuring TLS ServerName for health checks

Some TLS servers require SNI, but the Golang HTTP client doesn't
include it in the ClientHello when connecting to an IP address. This
change adds a new TLSServerName field to health check definitions to
optionally set it. This fixes #9473.

agent/agent.go

@@ -2517,7 +2517,7 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 				chkType.Interval = checks.MinInterval
 			}
 
-			tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
+			tlsClientConfig := a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify, chkType.TLSServerName)
 
 			http := &checks.CheckHTTP{
 				CheckID:         cid,
@@ -2589,7 +2589,7 @@ func (a *Agent) addCheck(check *structs.HealthCheck, chkType *structs.CheckType,
 
 			var tlsClientConfig *tls.Config
 			if chkType.GRPCUseTLS {
-				tlsClientConfig = a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify)
+				tlsClientConfig = a.tlsConfigurator.OutgoingTLSConfigForCheck(chkType.TLSSkipVerify, chkType.TLSServerName)
 			}
 
 			grpc := &checks.CheckGRPC{

agent/config/builder.go

@@ -1571,6 +1571,7 @@ func (b *builder) checkVal(v *CheckDefinition) *structs.CheckDefinition {
 		Shell:                          stringVal(v.Shell),
 		GRPC:                           stringVal(v.GRPC),
 		GRPCUseTLS:                     boolVal(v.GRPCUseTLS),
+		TLSServerName:                  stringVal(v.TLSServerName),
 		TLSSkipVerify:                  boolVal(v.TLSSkipVerify),
 		AliasNode:                      stringVal(v.AliasNode),
 		AliasService:                   stringVal(v.AliasService),

agent/config/config.go

@@ -405,6 +405,7 @@ type CheckDefinition struct {
 	Shell                          *string             `mapstructure:"shell"`
 	GRPC                           *string             `mapstructure:"grpc"`
 	GRPCUseTLS                     *bool               `mapstructure:"grpc_use_tls"`
+	TLSServerName                  *string             `mapstructure:"tls_server_name"`
 	TLSSkipVerify                  *bool               `mapstructure:"tls_skip_verify" alias:"tlsskipverify"`
 	AliasNode                      *string             `mapstructure:"alias_node"`
 	AliasService                   *string             `mapstructure:"alias_service"`

agent/config/runtime_test.go

@@ -5081,6 +5081,7 @@ func TestLoad_FullConfig(t *testing.T) {
 				OutputMaxSize:                  checks.DefaultBufSize,
 				DockerContainerID:              "ipgdFtjd",
 				Shell:                          "qAeOYy0M",
+				TLSServerName:                  "bdeb5f6a",
 				TLSSkipVerify:                  true,
 				Timeout:                        1813 * time.Second,
 				TTL:                            21743 * time.Second,
@@ -5106,6 +5107,7 @@ func TestLoad_FullConfig(t *testing.T) {
 				Interval:                       28767 * time.Second,
 				DockerContainerID:              "THW6u7rL",
 				Shell:                          "C1Zt3Zwh",
+				TLSServerName:                  "6adc3bfb",
 				TLSSkipVerify:                  true,
 				Timeout:                        18506 * time.Second,
 				TTL:                            31006 * time.Second,
@@ -5131,6 +5133,7 @@ func TestLoad_FullConfig(t *testing.T) {
 				Interval:                       18714 * time.Second,
 				DockerContainerID:              "qF66POS9",
 				Shell:                          "sOnDy228",
+				TLSServerName:                  "7BdnzBYk",
 				TLSSkipVerify:                  true,
 				Timeout:                        5954 * time.Second,
 				TTL:                            30044 * time.Second,
@@ -5336,6 +5339,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       24392 * time.Second,
 						DockerContainerID:              "ZKXr68Yb",
 						Shell:                          "CEfzx0Fo",
+						TLSServerName:                  "4f191d4F",
 						TLSSkipVerify:                  true,
 						Timeout:                        38333 * time.Second,
 						TTL:                            57201 * time.Second,
@@ -5386,6 +5390,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       32718 * time.Second,
 						DockerContainerID:              "cU15LMet",
 						Shell:                          "nEz9qz2l",
+						TLSServerName:                  "f43ouY7a",
 						TLSSkipVerify:                  true,
 						Timeout:                        34738 * time.Second,
 						TTL:                            22773 * time.Second,
@@ -5409,6 +5414,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       5656 * time.Second,
 						DockerContainerID:              "5tDBWpfA",
 						Shell:                          "rlTpLM8s",
+						TLSServerName:                  "sOv5WTtp",
 						TLSSkipVerify:                  true,
 						Timeout:                        4868 * time.Second,
 						TTL:                            11222 * time.Second,
@@ -5525,6 +5531,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       22224 * time.Second,
 						DockerContainerID:              "ipgdFtjd",
 						Shell:                          "omVZq7Sz",
+						TLSServerName:                  "axw5QPL5",
 						TLSSkipVerify:                  true,
 						Timeout:                        18913 * time.Second,
 						TTL:                            44743 * time.Second,
@@ -5548,6 +5555,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       12356 * time.Second,
 						DockerContainerID:              "HBndBU6R",
 						Shell:                          "hVI33JjA",
+						TLSServerName:                  "7uwWOnUS",
 						TLSSkipVerify:                  true,
 						Timeout:                        38282 * time.Second,
 						TTL:                            1181 * time.Second,
@@ -5571,6 +5579,7 @@ func TestLoad_FullConfig(t *testing.T) {
 						Interval:                       23926 * time.Second,
 						DockerContainerID:              "dO5TtRHk",
 						Shell:                          "e6q2ttES",
+						TLSServerName:                  "ECSHk8WF",
 						TLSSkipVerify:                  true,
 						Timeout:                        38483 * time.Second,
 						TTL:                            10943 * time.Second,

agent/config/testdata/TestRuntimeConfig_Sanitize.golden

@@ -107,6 +107,7 @@
             "Status": "",
             "SuccessBeforePassing": 0,
             "TCP": "",
+            "TLSServerName": "",
             "TLSSkipVerify": false,
             "TTL": "0s",
             "Timeout": "0s",
@@ -307,6 +308,7 @@
                 "Status": "",
                 "SuccessBeforePassing": 0,
                 "TCP": "",
+                "TLSServerName": "",
                 "TLSSkipVerify": false,
                 "TTL": "0s",
                 "Timeout": "0s"

agent/config/testdata/full-config.hcl

@@ -113,6 +113,7 @@ check = {
     output_max_size = 4096
     docker_container_id = "qF66POS9"
     shell = "sOnDy228"
+    tls_server_name = "7BdnzBYk"
     tls_skip_verify = true
     timeout = "5954s"
     ttl = "30044s"
@@ -139,6 +140,7 @@ checks = [
         output_max_size = 4096
         docker_container_id = "ipgdFtjd"
         shell = "qAeOYy0M"
+        tls_server_name = "bdeb5f6a"
         tls_skip_verify = true
         timeout = "1813s"
         ttl = "21743s"
@@ -164,6 +166,7 @@ checks = [
         output_max_size = 4096
         docker_container_id = "THW6u7rL"
         shell = "C1Zt3Zwh"
+        tls_server_name = "6adc3bfb"
         tls_skip_verify = true
         timeout = "18506s"
         ttl = "31006s"
@@ -378,6 +381,7 @@ service = {
         interval = "23926s"
         docker_container_id = "dO5TtRHk"
         shell = "e6q2ttES"
+        tls_server_name = "ECSHk8WF"
         tls_skip_verify = true
         timeout = "38483s"
         ttl = "10943s"
@@ -402,6 +406,7 @@ service = {
             output_max_size = 4096
             docker_container_id = "ipgdFtjd"
             shell = "omVZq7Sz"
+            tls_server_name = "axw5QPL5"
             tls_skip_verify = true
             timeout = "18913s"
             ttl = "44743s"
@@ -425,6 +430,7 @@ service = {
             output_max_size = 4096
             docker_container_id = "HBndBU6R"
             shell = "hVI33JjA"
+            tls_server_name = "7uwWOnUS"
             tls_skip_verify = true
             timeout = "38282s"
             ttl = "1181s"
@@ -462,6 +468,7 @@ services = [
             output_max_size = 4096
             docker_container_id = "ZKXr68Yb"
             shell = "CEfzx0Fo"
+            tls_server_name = "4f191d4F"
             tls_skip_verify = true
             timeout = "38333s"
             ttl = "57201s"
@@ -502,6 +509,7 @@ services = [
                 output_max_size = 4096
                 docker_container_id = "cU15LMet"
                 shell = "nEz9qz2l"
+                tls_server_name = "f43ouY7a"
                 tls_skip_verify = true
                 timeout = "34738s"
                 ttl = "22773s"
@@ -525,6 +533,7 @@ services = [
                 output_max_size = 4096
                 docker_container_id = "5tDBWpfA"
                 shell = "rlTpLM8s"
+                tls_server_name = "sOv5WTtp"
                 tls_skip_verify = true
                 timeout = "4868s"
                 ttl = "11222s"

agent/config/testdata/full-config.json

@@ -114,6 +114,7 @@
     "interval": "18714s",
     "docker_container_id": "qF66POS9",
     "shell": "sOnDy228",
+    "tls_server_name": "7BdnzBYk",
     "tls_skip_verify": true,
     "timeout": "5954s",
     "ttl": "30044s",
@@ -140,6 +141,7 @@
       "output_max_size": 4096,
       "docker_container_id": "ipgdFtjd",
       "shell": "qAeOYy0M",
+      "tls_server_name": "bdeb5f6a",
       "tls_skip_verify": true,
       "timeout": "1813s",
       "ttl": "21743s",
@@ -165,6 +167,7 @@
       "output_max_size": 4096,
       "docker_container_id": "THW6u7rL",
       "shell": "C1Zt3Zwh",
+      "tls_server_name": "6adc3bfb",
       "tls_skip_verify": true,
       "timeout": "18506s",
       "ttl": "31006s",
@@ -375,6 +378,7 @@
       "output_max_size": 4096,
       "docker_container_id": "dO5TtRHk",
       "shell": "e6q2ttES",
+      "tls_server_name": "ECSHk8WF",
       "tls_skip_verify": true,
       "timeout": "38483s",
       "ttl": "10943s",
@@ -399,6 +403,7 @@
         "output_max_size": 4096,
         "docker_container_id": "ipgdFtjd",
         "shell": "omVZq7Sz",
+        "tls_server_name": "axw5QPL5",
         "tls_skip_verify": true,
         "timeout": "18913s",
         "ttl": "44743s",
@@ -422,6 +427,7 @@
         "output_max_size": 4096,
         "docker_container_id": "HBndBU6R",
         "shell": "hVI33JjA",
+        "tls_server_name": "7uwWOnUS",
         "tls_skip_verify": true,
         "timeout": "38282s",
         "ttl": "1181s",
@@ -459,6 +465,7 @@
         "output_max_size": 4096,
         "docker_container_id": "ZKXr68Yb",
         "shell": "CEfzx0Fo",
+        "tls_server_name": "4f191d4F",
         "tls_skip_verify": true,
         "timeout": "38333s",
         "ttl": "57201s",
@@ -499,6 +506,7 @@
           "output_max_size": 4096,
           "docker_container_id": "cU15LMet",
           "shell": "nEz9qz2l",
+          "tls_server_name": "f43ouY7a",
           "tls_skip_verify": true,
           "timeout": "34738s",
           "ttl": "22773s",
@@ -522,6 +530,7 @@
           "output_max_size": 4096,
           "docker_container_id": "5tDBWpfA",
           "shell": "rlTpLM8s",
+          "tls_server_name": "sOv5WTtp",
           "tls_skip_verify": true,
           "timeout": "4868s",
           "ttl": "11222s",

agent/http_decode_test.go

@@ -275,6 +275,7 @@ type translateKeyTestCase struct {
 // 	"script_args":                       "ScriptArgs",
 // 	"deregister_critical_service_after": "DeregisterCriticalServiceAfter",
 // 	"docker_container_id":               "DockerContainerID",
+// 	"tls_server_name":                   "TLSServerName",
 // 	"tls_skip_verify":                   "TLSSkipVerify",
 // 	"service_id":                        "ServiceID",
 
@@ -283,7 +284,8 @@ var translateCheckTypeTCs = [][]translateKeyTestCase{
 	translateDeregisterTCs,
 	translateDockerTCs,
 	translateGRPCUseTLSTCs,
-	translateTLSTCs,
+	translateTLSServerNameTCs,
+	translateTLSSkipVerifyTCs,
 	translateServiceIDTCs,
 }
 
@@ -504,8 +506,65 @@ var translateDockerTCs = []translateKeyTestCase{
 	},
 }
 
+// TLSServerName: string
+func tlsServerNameEqFn(out interface{}, want interface{}) error {
+	var got interface{}
+	switch v := out.(type) {
+	case structs.CheckDefinition:
+		got = v.TLSServerName
+	case *structs.CheckDefinition:
+		got = v.TLSServerName
+	case structs.CheckType:
+		got = v.TLSServerName
+	case *structs.CheckType:
+		got = v.TLSServerName
+	case structs.HealthCheckDefinition:
+		got = v.TLSServerName
+	case *structs.HealthCheckDefinition:
+		got = v.TLSServerName
+	default:
+		panic(fmt.Sprintf("unexpected type %T", out))
+	}
+	if got != want {
+		return fmt.Errorf("expected TLSServerName to be %v, got %v", want, got)
+	}
+	return nil
+}
+
+var tlsServerNameFields = []string{`"TLSServerName": %s`, `"tls_server_name": %s`}
+var translateTLSServerNameTCs = []translateKeyTestCase{
+	{
+		desc:       "tlsServerName: both set",
+		in:         []interface{}{`"server1"`, `"server2"`},
+		want:       "server1",
+		jsonFmtStr: "{" + strings.Join(tlsServerNameFields, ",") + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc:       "tlsServerName: first set",
+		in:         []interface{}{`"server1"`},
+		want:       "server1",
+		jsonFmtStr: "{" + tlsServerNameFields[0] + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc:       "tlsServerName: second set",
+		in:         []interface{}{`"server2"`},
+		want:       "server2",
+		jsonFmtStr: "{" + tlsServerNameFields[1] + "}",
+		equalityFn: tlsServerNameEqFn,
+	},
+	{
+		desc:       "tlsServerName: neither set",
+		in:         []interface{}{},
+		want:       "", // zero value
+		jsonFmtStr: "{}",
+		equalityFn: tlsServerNameEqFn,
+	},
+}
+
 // TLSSkipVerify: bool
-func tlsEqFn(out interface{}, want interface{}) error {
+func tlsSkipVerifyEqFn(out interface{}, want interface{}) error {
 	var got interface{}
 	switch v := out.(type) {
 	case structs.CheckDefinition:
@@ -529,35 +588,35 @@ func tlsEqFn(out interface{}, want interface{}) error {
 	return nil
 }
 
-var tlsFields = []string{`"TLSSkipVerify": %s`, `"tls_skip_verify": %s`}
+var tlsSkipVerifyFields = []string{`"TLSSkipVerify": %s`, `"tls_skip_verify": %s`}
-var translateTLSTCs = []translateKeyTestCase{
+var translateTLSSkipVerifyTCs = []translateKeyTestCase{
 	{
 		desc:       "tlsSkipVerify: both set",
 		in:         []interface{}{`true`, `false`},
 		want:       true,
-		jsonFmtStr: "{" + strings.Join(tlsFields, ",") + "}",
+		jsonFmtStr: "{" + strings.Join(tlsSkipVerifyFields, ",") + "}",
-		equalityFn: tlsEqFn,
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc:       "tlsSkipVerify: first set",
 		in:         []interface{}{`true`},
 		want:       true,
-		jsonFmtStr: "{" + tlsFields[0] + "}",
+		jsonFmtStr: "{" + tlsSkipVerifyFields[0] + "}",
-		equalityFn: tlsEqFn,
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc:       "tlsSkipVerify: second set",
 		in:         []interface{}{`true`},
 		want:       true,
-		jsonFmtStr: "{" + tlsFields[1] + "}",
+		jsonFmtStr: "{" + tlsSkipVerifyFields[1] + "}",
-		equalityFn: tlsEqFn,
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 	{
 		desc:       "tlsSkipVerify: neither set",
 		in:         []interface{}{},
 		want:       false, // zero value
 		jsonFmtStr: "{}",
-		equalityFn: tlsEqFn,
+		equalityFn: tlsSkipVerifyEqFn,
 	},
 }
 
@@ -876,6 +935,7 @@ func TestDecodeACLRoleWrite(t *testing.T) {
 // Shell	string
 // GRPC	string
 // GRPCUseTLS	bool
+// TLSServerName	string
 // TLSSkipVerify	bool
 // AliasNode	string
 // AliasService	string
@@ -988,6 +1048,7 @@ func TestDecodeAgentRegisterCheck(t *testing.T) {
 //     Shell	string
 //     GRPC	string
 //     GRPCUseTLS	bool
+//     TLSServerName	string
 //     TLSSkipVerify	bool
 //     Timeout	time.Duration
 //     TTL	time.Duration
@@ -1924,6 +1985,7 @@ func TestDecodeAgentRegisterService(t *testing.T) {
 //                 Shell	string
 //                 GRPC	string
 //                 GRPCUseTLS	bool
+//                 TLSServerName	string
 //                 TLSSkipVerify	bool
 //                 Timeout	time.Duration
 //                 TTL	time.Duration
@@ -1953,6 +2015,7 @@ func TestDecodeAgentRegisterService(t *testing.T) {
 //     ServiceTags	[]string
 //     Definition	structs.HealthCheckDefinition
 //         HTTP	string
+//         TLSServerName	string
 //         TLSSkipVerify	bool
 //         Header	map[string][]string
 //         Method	string
@@ -2425,6 +2488,7 @@ func TestDecodeSessionCreate(t *testing.T) {
 //                             TCP	string
 //                             Status	string
 //                             Notes	string
+//                             TLSServerName	string
 //                             TLSSkipVerify	bool
 //                             GRPC	string
 //                             GRPCUseTLS	bool
@@ -2451,6 +2515,7 @@ func TestDecodeSessionCreate(t *testing.T) {
 //                     Header	map[string][]string
 //                     Method	string
 //                     Body	string
+//                     TLSServerName	string
 //                     TLSSkipVerify	bool
 //                     TCP	string
 //                     IntervalDuration	time.Duration

agent/structs/check_definition.go

@@ -33,6 +33,7 @@ type CheckDefinition struct {
 	Shell                          string
 	GRPC                           string
 	GRPCUseTLS                     bool
+	TLSServerName                  string
 	TLSSkipVerify                  bool
 	AliasNode                      string
 	AliasService                   string
@@ -62,6 +63,7 @@ func (t *CheckDefinition) UnmarshalJSON(data []byte) (err error) {
 		ScriptArgsSnake                     []string    `json:"script_args"`
 		DeregisterCriticalServiceAfterSnake interface{} `json:"deregister_critical_service_after"`
 		DockerContainerIDSnake              string      `json:"docker_container_id"`
+		TLSServerNameSnake                  string      `json:"tls_server_name"`
 		TLSSkipVerifySnake                  bool        `json:"tls_skip_verify"`
 		GRPCUseTLSSnake                     bool        `json:"grpc_use_tls"`
 		ServiceIDSnake                      string      `json:"service_id"`
@@ -87,6 +89,9 @@ func (t *CheckDefinition) UnmarshalJSON(data []byte) (err error) {
 	if t.DockerContainerID == "" {
 		t.DockerContainerID = aux.DockerContainerIDSnake
 	}
+	if t.TLSServerName == "" {
+		t.TLSServerName = aux.TLSServerNameSnake
+	}
 	if aux.TLSSkipVerifySnake {
 		t.TLSSkipVerify = aux.TLSSkipVerifySnake
 	}
@@ -182,6 +187,7 @@ func (c *CheckDefinition) CheckType() *CheckType {
 		Interval:                       c.Interval,
 		DockerContainerID:              c.DockerContainerID,
 		Shell:                          c.Shell,
+		TLSServerName:                  c.TLSServerName,
 		TLSSkipVerify:                  c.TLSSkipVerify,
 		Timeout:                        c.Timeout,
 		TTL:                            c.TTL,

agent/structs/check_type.go

@@ -43,6 +43,7 @@ type CheckType struct {
 	Shell                  string
 	GRPC                   string
 	GRPCUseTLS             bool
+	TLSServerName          string
 	TLSSkipVerify          bool
 	Timeout                time.Duration
 	TTL                    time.Duration
@@ -75,6 +76,7 @@ func (t *CheckType) UnmarshalJSON(data []byte) (err error) {
 		ScriptArgsSnake                     []string    `json:"script_args"`
 		DeregisterCriticalServiceAfterSnake interface{} `json:"deregister_critical_service_after"`
 		DockerContainerIDSnake              string      `json:"docker_container_id"`
+		TLSServerNameSnake                  string      `json:"tls_server_name"`
 		TLSSkipVerifySnake                  bool        `json:"tls_skip_verify"`
 		GRPCUseTLSSnake                     bool        `json:"grpc_use_tls"`
 
@@ -102,6 +104,9 @@ func (t *CheckType) UnmarshalJSON(data []byte) (err error) {
 	if t.DockerContainerID == "" {
 		t.DockerContainerID = aux.DockerContainerIDSnake
 	}
+	if t.TLSServerName == "" {
+		t.TLSServerName = aux.TLSServerNameSnake
+	}
 	if aux.TLSSkipVerifySnake {
 		t.TLSSkipVerify = aux.TLSSkipVerifySnake
 	}

agent/structs/structs.go

@@ -1429,6 +1429,7 @@ func (hc *HealthCheck) CompoundCheckID() CheckID {
 
 type HealthCheckDefinition struct {
 	HTTP                           string              `json:",omitempty"`
+	TLSServerName                  string              `json:",omitempty"`
 	TLSSkipVerify                  bool                `json:",omitempty"`
 	Header                         map[string][]string `json:",omitempty"`
 	Method                         string              `json:",omitempty"`
@@ -1583,6 +1584,7 @@ func (c *HealthCheck) CheckType() *CheckType {
 		Interval:                       c.Definition.Interval,
 		DockerContainerID:              c.Definition.DockerContainerID,
 		Shell:                          c.Definition.Shell,
+		TLSServerName:                  c.Definition.TLSServerName,
 		TLSSkipVerify:                  c.Definition.TLSSkipVerify,
 		Timeout:                        c.Definition.Timeout,
 		TTL:                            c.Definition.TTL,

agent/txn_endpoint.go

@@ -264,6 +264,7 @@ func (s *HTTPHandlers) convertOps(resp http.ResponseWriter, req *http.Request) (
 						ServiceTags: check.ServiceTags,
 						Definition: structs.HealthCheckDefinition{
 							HTTP:                           check.Definition.HTTP,
+							TLSServerName:                  check.Definition.TLSServerName,
 							TLSSkipVerify:                  check.Definition.TLSSkipVerify,
 							Header:                         check.Definition.Header,
 							Method:                         check.Definition.Method,

api/agent.go

@@ -313,6 +313,7 @@ type AgentServiceCheck struct {
 	TCP                    string              `json:",omitempty"`
 	Status                 string              `json:",omitempty"`
 	Notes                  string              `json:",omitempty"`
+	TLSServerName          string              `json:",omitempty"`
 	TLSSkipVerify          bool                `json:",omitempty"`
 	GRPC                   string              `json:",omitempty"`
 	GRPCUseTLS             bool                `json:",omitempty"`

api/health.go

@@ -58,6 +58,7 @@ type HealthCheckDefinition struct {
 	Header                                 map[string][]string
 	Method                                 string
 	Body                                   string
+	TLSServerName                          string
 	TLSSkipVerify                          bool
 	TCP                                    string
 	IntervalDuration                       time.Duration `json:"-"`

proto/pbservice/healthcheck.gen.go

@@ -23,6 +23,7 @@ func CheckTypeToStructs(s CheckType) structs.CheckType {
 	t.Shell = s.Shell
 	t.GRPC = s.GRPC
 	t.GRPCUseTLS = s.GRPCUseTLS
+	t.TLSServerName = s.TLSServerName
 	t.TLSSkipVerify = s.TLSSkipVerify
 	t.Timeout = s.Timeout
 	t.TTL = s.TTL
@@ -53,6 +54,7 @@ func NewCheckTypeFromStructs(t structs.CheckType) CheckType {
 	s.Shell = t.Shell
 	s.GRPC = t.GRPC
 	s.GRPCUseTLS = t.GRPCUseTLS
+	s.TLSServerName = t.TLSServerName
 	s.TLSSkipVerify = t.TLSSkipVerify
 	s.Timeout = t.Timeout
 	s.TTL = t.TTL
@@ -101,6 +103,7 @@ func NewHealthCheckFromStructs(t structs.HealthCheck) HealthCheck {
 func HealthCheckDefinitionToStructs(s HealthCheckDefinition) structs.HealthCheckDefinition {
 	var t structs.HealthCheckDefinition
 	t.HTTP = s.HTTP
+	t.TLSServerName = s.TLSServerName
 	t.TLSSkipVerify = s.TLSSkipVerify
 	t.Header = MapHeadersToStructs(s.Header)
 	t.Method = s.Method
@@ -123,6 +126,7 @@ func HealthCheckDefinitionToStructs(s HealthCheckDefinition) structs.HealthCheck
 func NewHealthCheckDefinitionFromStructs(t structs.HealthCheckDefinition) HealthCheckDefinition {
 	var s HealthCheckDefinition
 	s.HTTP = t.HTTP
+	s.TLSServerName = t.TLSServerName
 	s.TLSSkipVerify = t.TLSSkipVerify
 	s.Header = NewMapHeadersFromStructs(t.Header)
 	s.Method = t.Method

proto/pbservice/healthcheck.pb.go

@@ -133,6 +133,7 @@ var xxx_messageInfo_HeaderValue proto.InternalMessageInfo
 // name=Structs
 type HealthCheckDefinition struct {
 	HTTP          string `protobuf:"bytes,1,opt,name=HTTP,proto3" json:"HTTP,omitempty"`
+	TLSServerName string `protobuf:"bytes,19,opt,name=TLSServerName,proto3" json:"TLSServerName,omitempty"`
 	TLSSkipVerify bool   `protobuf:"varint,2,opt,name=TLSSkipVerify,proto3" json:"TLSSkipVerify,omitempty"`
 	// mog: func-to=MapHeadersToStructs func-from=NewMapHeadersFromStructs
 	Header   map[string]HeaderValue `protobuf:"bytes,3,rep,name=Header,proto3" json:"Header" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
@@ -218,6 +219,7 @@ type CheckType struct {
 	Shell             string                 `protobuf:"bytes,13,opt,name=Shell,proto3" json:"Shell,omitempty"`
 	GRPC              string                 `protobuf:"bytes,14,opt,name=GRPC,proto3" json:"GRPC,omitempty"`
 	GRPCUseTLS        bool                   `protobuf:"varint,15,opt,name=GRPCUseTLS,proto3" json:"GRPCUseTLS,omitempty"`
+	TLSServerName     string                 `protobuf:"bytes,27,opt,name=TLSServerName,proto3" json:"TLSServerName,omitempty"`
 	TLSSkipVerify     bool                   `protobuf:"varint,16,opt,name=TLSSkipVerify,proto3" json:"TLSSkipVerify,omitempty"`
 	Timeout           time.Duration          `protobuf:"bytes,17,opt,name=Timeout,proto3,stdduration" json:"Timeout"`
 	TTL               time.Duration          `protobuf:"bytes,18,opt,name=TTL,proto3,stdduration" json:"TTL"`
@@ -281,70 +283,71 @@ func init() {
 func init() { proto.RegisterFile("proto/pbservice/healthcheck.proto", fileDescriptor_8a6f7448747c9fbe) }
 
 var fileDescriptor_8a6f7448747c9fbe = []byte{
-	// 999 bytes of a gzipped FileDescriptorProto
+	// 1016 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0x4d, 0x6f, 0xe3, 0x44,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
-	0x18, 0x8e, 0x9b, 0x8f, 0xc6, 0x93, 0x6d, 0xb7, 0x1d, 0xba, 0x65, 0xb6, 0x20, 0x37, 0x04, 0x0e,
+	0x14, 0x8e, 0x9b, 0x36, 0x8d, 0x27, 0x6d, 0xb7, 0x9d, 0xed, 0x96, 0xd9, 0x2e, 0x72, 0x43, 0xe0,
-	0x41, 0x14, 0x47, 0x2a, 0x02, 0x01, 0x12, 0xa0, 0x26, 0xd9, 0x8f, 0xa0, 0x76, 0x09, 0x8e, 0xd9,
+	0x10, 0x44, 0x71, 0xa4, 0x22, 0x10, 0x20, 0x01, 0x6a, 0x92, 0xfd, 0x11, 0xd4, 0x2e, 0xc1, 0x31,
-	0x03, 0x37, 0xd7, 0x99, 0x24, 0x56, 0x1c, 0x4f, 0x34, 0x1e, 0x57, 0x0d, 0x57, 0xfe, 0x00, 0xc7,
+	0x7b, 0xe0, 0xe6, 0x3a, 0x93, 0xc4, 0x8a, 0xe3, 0x89, 0xc6, 0xe3, 0xaa, 0xe1, 0xca, 0x3f, 0x80,
-	0xfd, 0x49, 0x3d, 0x56, 0x9c, 0x38, 0x15, 0x68, 0xcf, 0xfc, 0x01, 0x4e, 0x68, 0xde, 0xb1, 0x53,
+	0xc4, 0x65, 0xff, 0xa4, 0x1e, 0x7b, 0xe4, 0x54, 0xa0, 0xfd, 0x27, 0x10, 0x27, 0x34, 0x6f, 0xec,
-	0x67, 0xe3, 0x25, 0x65, 0xb5, 0x9c, 0xf2, 0x7e, 0xce, 0x78, 0xde, 0xf7, 0x79, 0x9e, 0x16, 0xbd,
+	0xd4, 0xd9, 0x78, 0x49, 0x58, 0x2d, 0xa7, 0xcc, 0x7c, 0xef, 0xbd, 0x19, 0xcf, 0x7b, 0xdf, 0xf7,
-	0x37, 0xe5, 0x4c, 0xb0, 0xc6, 0xf4, 0x34, 0xa4, 0xfc, 0xcc, 0x73, 0x69, 0x63, 0x44, 0x1d, 0x5f,
+	0xb5, 0xe8, 0xbd, 0x31, 0x67, 0x82, 0xd5, 0xc6, 0x67, 0x21, 0xe5, 0xe7, 0x9e, 0x4b, 0x6b, 0x03,
-	0x8c, 0xdc, 0x11, 0x75, 0xc7, 0x26, 0xe4, 0xb0, 0x3e, 0x4f, 0xee, 0x19, 0x43, 0xc6, 0x86, 0x3e,
+	0xea, 0xf8, 0x62, 0xe0, 0x0e, 0xa8, 0x3b, 0x34, 0x21, 0x86, 0xf5, 0x69, 0x70, 0xdf, 0xe8, 0x33,
-	0x6d, 0x40, 0xe2, 0x34, 0x1a, 0x34, 0xfa, 0x11, 0x77, 0x84, 0xc7, 0x02, 0x55, 0xba, 0xf7, 0x4e,
+	0xd6, 0xf7, 0x69, 0x0d, 0x02, 0x67, 0x51, 0xaf, 0xd6, 0x8d, 0xb8, 0x23, 0x3c, 0x16, 0xa8, 0xd4,
-	0x72, 0x9a, 0xcb, 0x26, 0x13, 0x16, 0x34, 0xd4, 0x4f, 0x9c, 0xdc, 0x19, 0xb2, 0x21, 0x53, 0x05,
+	0xfd, 0x47, 0xc9, 0x69, 0x2e, 0x1b, 0x8d, 0x58, 0x50, 0x53, 0x3f, 0x71, 0x70, 0xb7, 0xcf, 0xfa,
-	0xd2, 0x52, 0xd1, 0xda, 0xcf, 0x05, 0x54, 0x79, 0x0a, 0x77, 0xb6, 0xe4, 0x9d, 0x18, 0xa3, 0xc2,
+	0x4c, 0x25, 0xc8, 0x95, 0x42, 0x2b, 0x3f, 0xaf, 0xa2, 0xd2, 0x33, 0xb8, 0xb3, 0x21, 0xef, 0xc4,
-	0x33, 0xd6, 0xa7, 0x44, 0xab, 0x6a, 0x75, 0xdd, 0x02, 0x1b, 0x3f, 0x41, 0xeb, 0x90, 0xec, 0xb4,
+	0x18, 0xad, 0x3e, 0x67, 0x5d, 0x4a, 0xb4, 0xb2, 0x56, 0xd5, 0x2d, 0x58, 0xe3, 0xa7, 0x68, 0x1d,
-	0xc9, 0x9a, 0x0c, 0x37, 0x3f, 0xfe, 0xfb, 0x6a, 0xff, 0xc3, 0xa1, 0x27, 0x46, 0xd1, 0xa9, 0xe9,
+	0x82, 0xad, 0x26, 0x59, 0x91, 0x70, 0xfd, 0xe3, 0xbf, 0xaf, 0x0f, 0x3e, 0xec, 0x7b, 0x62, 0x10,
-	0xb2, 0x49, 0x63, 0xe4, 0x84, 0x23, 0xcf, 0x65, 0x7c, 0xda, 0x70, 0x59, 0x10, 0x46, 0x7e, 0x43,
+	0x9d, 0x99, 0x2e, 0x1b, 0xd5, 0x06, 0x4e, 0x38, 0xf0, 0x5c, 0xc6, 0xc7, 0x35, 0x97, 0x05, 0x61,
-	0xcc, 0xa6, 0x34, 0x34, 0xe3, 0x26, 0x2b, 0xe9, 0x86, 0xc3, 0x9d, 0x09, 0x25, 0xf9, 0xf8, 0x70,
+	0xe4, 0xd7, 0xc4, 0x64, 0x4c, 0x43, 0x33, 0x2e, 0xb2, 0x92, 0x6a, 0x38, 0xdc, 0x19, 0x51, 0x92,
-	0x67, 0x42, 0xf1, 0x2e, 0x2a, 0xf5, 0x84, 0x23, 0xa2, 0x90, 0x14, 0x20, 0x1a, 0x7b, 0x78, 0x07,
+	0x8f, 0x0f, 0x77, 0x46, 0x14, 0xef, 0xa1, 0x42, 0x47, 0x38, 0x22, 0x0a, 0xc9, 0x2a, 0xa0, 0xf1,
-	0x15, 0x9f, 0x31, 0x41, 0x43, 0x52, 0x84, 0xb0, 0x72, 0x64, 0xf5, 0x77, 0x91, 0x98, 0x46, 0x82,
+	0x0e, 0xef, 0xa2, 0xb5, 0xe7, 0x4c, 0xd0, 0x90, 0xac, 0x01, 0xac, 0x36, 0x32, 0xfb, 0xbb, 0x48,
-	0x94, 0x54, 0xb5, 0xf2, 0xf0, 0xbb, 0x48, 0xef, 0xa9, 0x21, 0x75, 0xda, 0x64, 0x1d, 0x52, 0xb7,
+	0x8c, 0x23, 0x41, 0x0a, 0x2a, 0x5b, 0xed, 0xf0, 0xbb, 0x48, 0xef, 0xa8, 0x26, 0xb5, 0x9a, 0x64,
-	0x01, 0x5c, 0x45, 0x95, 0xd8, 0x81, 0xeb, 0xcb, 0x90, 0x4f, 0x87, 0x52, 0x15, 0xb6, 0x33, 0x0c,
+	0x1d, 0x42, 0x77, 0x00, 0x2e, 0xa3, 0x52, 0xbc, 0x81, 0xeb, 0x8b, 0x10, 0x4f, 0x43, 0xa9, 0x0c,
-	0x89, 0x5e, 0xcd, 0xa7, 0x2a, 0x64, 0x48, 0x7e, 0xbb, 0x3d, 0x9b, 0x52, 0x72, 0x4f, 0x7d, 0xbb,
+	0xdb, 0xe9, 0x87, 0x44, 0x2f, 0xe7, 0x53, 0x19, 0x12, 0x92, 0xdf, 0x6e, 0x4f, 0xc6, 0x94, 0x6c,
-	0xb4, 0xf1, 0x63, 0x84, 0xda, 0x74, 0xe0, 0x05, 0x9e, 0xdc, 0x01, 0x41, 0x55, 0xad, 0x5e, 0x39,
+	0xa8, 0x6f, 0x97, 0x6b, 0xfc, 0x04, 0xa1, 0x26, 0xed, 0x79, 0x81, 0x27, 0x67, 0x40, 0x50, 0x59,
-	0xac, 0x9a, 0xf3, 0x7d, 0x99, 0xa9, 0xc1, 0xde, 0xd6, 0x35, 0x0b, 0x17, 0x57, 0xfb, 0x39, 0x2b,
+	0xab, 0x96, 0x8e, 0xca, 0xe6, 0x74, 0x5e, 0x66, 0xaa, 0xb1, 0x77, 0x79, 0xf5, 0xd5, 0xcb, 0xeb,
-	0xd5, 0x89, 0xbf, 0x40, 0xba, 0xe5, 0x0c, 0x44, 0x27, 0xe8, 0xd3, 0x73, 0x52, 0x81, 0x63, 0xb6,
+	0x83, 0x9c, 0x95, 0xaa, 0xc4, 0x5f, 0x20, 0xdd, 0x72, 0x7a, 0xa2, 0x15, 0x74, 0xe9, 0x05, 0x29,
-	0xcd, 0x78, 0x79, 0xf3, 0x44, 0xb3, 0x2c, 0xfb, 0x2e, 0xaf, 0xf6, 0x35, 0xeb, 0xb6, 0x1a, 0xb7,
+	0xc1, 0x31, 0x3b, 0x66, 0x3c, 0xbc, 0x69, 0xa0, 0x5e, 0x94, 0x75, 0x57, 0xd7, 0x07, 0x9a, 0x75,
-	0xd1, 0xe6, 0xa3, 0x40, 0x50, 0x3e, 0xe5, 0x5e, 0x48, 0x4f, 0xa8, 0x70, 0xc8, 0x06, 0xf4, 0xef,
+	0x97, 0x8d, 0x9b, 0x68, 0xeb, 0x71, 0x20, 0x28, 0x1f, 0x73, 0x2f, 0xa4, 0xa7, 0x54, 0x38, 0x64,
-	0x26, 0xfd, 0x8b, 0xd9, 0xf8, 0xf2, 0x97, 0x7a, 0x6a, 0xef, 0x03, 0x08, 0xfa, 0x94, 0x3f, 0x77,
+	0x13, 0xea, 0xf7, 0x92, 0xfa, 0xd9, 0x68, 0x7c, 0xf9, 0x2b, 0x35, 0x95, 0xf7, 0x81, 0x04, 0x5d,
-	0xfc, 0x88, 0xca, 0xd9, 0x83, 0x41, 0x34, 0x98, 0x83, 0x72, 0x6a, 0xbf, 0x96, 0xd0, 0x83, 0xcc,
+	0xca, 0x5f, 0x38, 0x7e, 0x44, 0x65, 0xef, 0x61, 0x41, 0x34, 0xe8, 0x83, 0xda, 0x54, 0xfe, 0x2a,
-	0x17, 0xc9, 0xd9, 0x3c, 0xb5, 0xed, 0x6e, 0x02, 0x1a, 0x69, 0xe3, 0x0f, 0xd0, 0x86, 0x7d, 0xdc,
+	0xa0, 0x07, 0x99, 0x2f, 0x92, 0xbd, 0x79, 0x66, 0xdb, 0xed, 0x84, 0x34, 0x72, 0x8d, 0x3f, 0x40,
-	0xeb, 0x8d, 0xbd, 0xe9, 0x73, 0xca, 0xbd, 0xc1, 0x0c, 0xa0, 0x53, 0xb6, 0x16, 0x83, 0xf8, 0x5b,
+	0x9b, 0xf6, 0x49, 0x47, 0x76, 0x90, 0x72, 0xe8, 0xfa, 0x7d, 0x08, 0xce, 0x82, 0x49, 0xd6, 0xd0,
-	0x54, 0x52, 0x17, 0x93, 0x7c, 0x35, 0x5f, 0xaf, 0x1c, 0x1e, 0xac, 0x9a, 0x9e, 0xa9, 0xca, 0x1f,
+	0x1b, 0xbf, 0xa0, 0xdc, 0xeb, 0x4d, 0x80, 0x60, 0x45, 0x6b, 0x16, 0xc4, 0xdf, 0xa2, 0x82, 0xfa,
-	0x05, 0x82, 0xcf, 0xe2, 0xc7, 0xc4, 0x27, 0x48, 0x6c, 0x9c, 0x50, 0x31, 0x62, 0xfd, 0x04, 0x49,
+	0x3c, 0x92, 0x2f, 0xe7, 0xab, 0xa5, 0xa3, 0xc3, 0x45, 0x3d, 0x36, 0x55, 0xfa, 0xe3, 0x40, 0xf0,
-	0xca, 0x93, 0x5f, 0xd7, 0x64, 0xfd, 0x19, 0xc1, 0xea, 0xeb, 0xa4, 0x8d, 0xb7, 0x50, 0xde, 0x6e,
+	0x49, 0xfc, 0xe4, 0xf8, 0x04, 0xc9, 0xa0, 0x53, 0x2a, 0x06, 0xac, 0x9b, 0xf0, 0x4d, 0xed, 0xe4,
-	0x75, 0x63, 0x6c, 0x49, 0x13, 0x7f, 0x83, 0xca, 0x1d, 0x39, 0x94, 0x33, 0xc7, 0x07, 0x6c, 0x55,
+	0x1b, 0xea, 0xac, 0x3b, 0x21, 0x58, 0xbd, 0x41, 0xae, 0xf1, 0x36, 0xca, 0xdb, 0x8d, 0x76, 0xcc,
-	0x0e, 0x1f, 0x9a, 0x8a, 0x6e, 0x66, 0x42, 0x37, 0xb3, 0x1d, 0xd3, 0x4d, 0xad, 0xe2, 0xc5, 0xef,
+	0x40, 0xb9, 0xc4, 0xdf, 0xa0, 0x62, 0x4b, 0xb6, 0xee, 0xdc, 0xf1, 0x81, 0x81, 0xa5, 0xa3, 0x87,
-	0xfb, 0x9a, 0x35, 0x6f, 0x92, 0x0f, 0x56, 0x60, 0x3c, 0x71, 0xce, 0x7b, 0xde, 0x4f, 0x94, 0xe8,
+	0xa6, 0x12, 0xa5, 0x99, 0x88, 0xd2, 0x6c, 0xc6, 0xa2, 0x54, 0x03, 0x7b, 0xf9, 0xfb, 0x81, 0x66,
-	0x55, 0xad, 0xbe, 0x61, 0x2d, 0x06, 0xf1, 0x57, 0x68, 0xdd, 0xf6, 0x26, 0x94, 0x45, 0x02, 0x60,
+	0x4d, 0x8b, 0xe4, 0x83, 0x15, 0x65, 0x4f, 0x9d, 0x8b, 0x8e, 0xf7, 0x13, 0x25, 0x7a, 0x59, 0xab,
-	0x7a, 0xc7, 0x5b, 0x92, 0x1e, 0x3c, 0x46, 0x46, 0x9b, 0x72, 0x3a, 0xf4, 0x42, 0x41, 0x79, 0x8b,
+	0x6e, 0x5a, 0xb3, 0x20, 0xfe, 0x0a, 0xad, 0xdb, 0xde, 0x88, 0xb2, 0x48, 0x00, 0x99, 0x97, 0xbc,
-	0x7b, 0xc2, 0x73, 0x1d, 0x3f, 0x86, 0xe9, 0xd1, 0x40, 0x50, 0x0e, 0xe0, 0xbe, 0xe3, 0xa9, 0x2b,
+	0x25, 0xa9, 0xc1, 0x43, 0x64, 0x34, 0x29, 0xa7, 0x7d, 0x2f, 0x14, 0x94, 0x37, 0xb8, 0x27, 0x3c,
-	0x8e, 0xc2, 0x06, 0x42, 0x3d, 0x97, 0x7b, 0x53, 0x71, 0xc4, 0x87, 0x21, 0x41, 0x80, 0x85, 0x54,
+	0xd7, 0xf1, 0x63, 0x32, 0x1f, 0xf7, 0x04, 0xe5, 0x20, 0x81, 0x25, 0x4f, 0x5d, 0x70, 0x14, 0x36,
-	0x04, 0x1f, 0xa0, 0xed, 0x36, 0x73, 0xc7, 0x94, 0xb7, 0x58, 0x20, 0x1c, 0x2f, 0xa0, 0xbc, 0xd3,
+	0x10, 0xea, 0xb8, 0xdc, 0x1b, 0x8b, 0x63, 0xde, 0x0f, 0x09, 0x02, 0xc6, 0xa4, 0x10, 0x7c, 0x88,
-	0x06, 0xf8, 0xea, 0xd6, 0x72, 0x42, 0x82, 0xaa, 0x37, 0xa2, 0xbe, 0x1f, 0x33, 0x48, 0x39, 0x72,
+	0x76, 0x9a, 0xcc, 0x1d, 0x52, 0xde, 0x60, 0x81, 0x70, 0xbc, 0x80, 0xf2, 0x56, 0x13, 0x48, 0xae,
-	0x39, 0x4f, 0xac, 0x6e, 0x0b, 0x50, 0xab, 0x5b, 0x60, 0xcb, 0x7b, 0xe5, 0xef, 0x0f, 0x21, 0xb5,
+	0x5b, 0xf3, 0x01, 0x49, 0xbd, 0xce, 0x80, 0xfa, 0x7e, 0xac, 0x33, 0xb5, 0x91, 0xc3, 0x79, 0x6a,
-	0x8f, 0x7b, 0x64, 0x13, 0x70, 0x93, 0x8a, 0x48, 0xb2, 0x1f, 0xf9, 0x9e, 0x13, 0x82, 0x50, 0xdd,
+	0xb5, 0x1b, 0xc0, 0x6d, 0xdd, 0x82, 0xb5, 0xbc, 0x57, 0xfe, 0xfe, 0x10, 0x52, 0xfb, 0xa4, 0x43,
-	0x57, 0x64, 0x9f, 0x07, 0x70, 0x0d, 0xdd, 0x03, 0x27, 0x7e, 0x0a, 0xd9, 0x82, 0x82, 0x85, 0x18,
+	0xb6, 0x80, 0x37, 0x29, 0x44, 0x5a, 0xc2, 0xb1, 0xef, 0x39, 0x21, 0xd8, 0xd9, 0x3d, 0x65, 0x09,
-	0xfe, 0x14, 0xe5, 0x6d, 0xfb, 0x98, 0x6c, 0xdf, 0x7d, 0x56, 0xb2, 0x7e, 0xef, 0xfb, 0x84, 0x26,
+	0x53, 0x00, 0x57, 0xd0, 0x06, 0x6c, 0xe2, 0xa7, 0x90, 0x6d, 0x48, 0x98, 0xc1, 0xf0, 0xa7, 0x28,
-	0x00, 0x3f, 0x09, 0xa2, 0x31, 0x9d, 0xc5, 0xa8, 0x97, 0x26, 0x3e, 0x40, 0xc5, 0x33, 0x20, 0xce,
+	0x6f, 0xdb, 0x27, 0x64, 0x67, 0xf9, 0x5e, 0xc9, 0xfc, 0xfd, 0xef, 0x13, 0x31, 0x01, 0xfd, 0x24,
-	0x5a, 0x4c, 0xc2, 0x05, 0x34, 0x27, 0xfc, 0xb2, 0x54, 0xd1, 0x97, 0x6b, 0x9f, 0x6b, 0xb5, 0xbf,
+	0x89, 0x86, 0x74, 0x12, 0x6b, 0x43, 0x2e, 0xf1, 0x21, 0x5a, 0x3b, 0x07, 0x79, 0xad, 0xc4, 0x52,
-	0xca, 0x48, 0x07, 0x88, 0x83, 0xa0, 0xa4, 0x94, 0x56, 0x7b, 0x23, 0x4a, 0xbb, 0x96, 0xa9, 0xb4,
+	0x9d, 0x61, 0x73, 0xa2, 0x42, 0x4b, 0x25, 0x7d, 0xb9, 0xf2, 0xb9, 0x56, 0xf9, 0x55, 0x47, 0x3a,
-	0xf9, 0x6c, 0xa5, 0x2d, 0xa4, 0x95, 0x76, 0x71, 0xf9, 0xc5, 0xa5, 0xe5, 0x27, 0x9c, 0x2f, 0xa5,
+	0x50, 0x1c, 0x6c, 0x27, 0xe5, 0xc7, 0xda, 0x5b, 0xf1, 0xe3, 0x95, 0x4c, 0x3f, 0xce, 0x67, 0xfb,
-	0x38, 0xff, 0xf5, 0x9c, 0xcd, 0x3b, 0xc0, 0xe6, 0xb4, 0x16, 0xce, 0x1f, 0x79, 0x27, 0x06, 0xaf,
+	0xf1, 0x6a, 0xda, 0x8f, 0x67, 0x87, 0xbf, 0x36, 0x37, 0xfc, 0xc4, 0x19, 0x0a, 0x29, 0x67, 0xf8,
-	0x67, 0x32, 0x78, 0x6f, 0x99, 0xc1, 0xe5, 0x6c, 0x06, 0xeb, 0xaf, 0xc3, 0xe0, 0x05, 0x5c, 0xa1,
+	0x7a, 0xaa, 0xe6, 0x5d, 0x50, 0x73, 0xda, 0x31, 0xa7, 0x8f, 0x5c, 0x4a, 0xc1, 0xeb, 0x99, 0x0a,
-	0x55, 0xb8, 0xaa, 0x64, 0xe0, 0x2a, 0x93, 0x11, 0xf7, 0x56, 0x32, 0x62, 0x23, 0x8b, 0x11, 0x9b,
+	0xde, 0x9f, 0x57, 0x70, 0x31, 0x5b, 0xc1, 0xfa, 0x9b, 0x28, 0x78, 0x86, 0x57, 0x68, 0x11, 0xaf,
-	0xaf, 0x64, 0xc4, 0xfd, 0x25, 0x46, 0x2c, 0x89, 0xed, 0x56, 0x96, 0xd8, 0xa6, 0xb4, 0x67, 0xfb,
+	0x4a, 0x19, 0xbc, 0xca, 0x54, 0xc4, 0xc6, 0x42, 0x45, 0x6c, 0x66, 0x29, 0x62, 0xeb, 0xb5, 0x8a,
-	0x35, 0xb4, 0x27, 0x26, 0x0d, 0xfe, 0x6f, 0xa4, 0xc1, 0x87, 0x68, 0xa7, 0x17, 0xb9, 0x2e, 0x0d,
+	0xb8, 0x37, 0xa7, 0x88, 0x39, 0x4b, 0x7e, 0xb4, 0x94, 0x25, 0x6f, 0x67, 0x59, 0x72, 0xca, 0xa1,
-	0xc3, 0x26, 0x1d, 0x30, 0x4e, 0xbb, 0x4e, 0x18, 0x7a, 0xc1, 0x90, 0x3c, 0xa8, 0x6a, 0xf5, 0xa2,
+	0x76, 0xde, 0xc0, 0xa1, 0x62, 0x69, 0xe1, 0xff, 0x26, 0x2d, 0x7c, 0x84, 0x76, 0x3b, 0x91, 0xeb,
-	0x95, 0x99, 0xc3, 0x9f, 0xa1, 0xdd, 0xc7, 0x8e, 0xe7, 0x47, 0x9c, 0xc6, 0x89, 0x44, 0x9f, 0xc8,
+	0xd2, 0x30, 0xac, 0xd3, 0x1e, 0xe3, 0xb4, 0xed, 0x84, 0xa1, 0x17, 0xf4, 0xc9, 0x83, 0xb2, 0x56,
-	0x2e, 0x74, 0xbd, 0x22, 0x2b, 0x37, 0xd8, 0xe5, 0xec, 0x7c, 0x06, 0xc8, 0x7c, 0x5b, 0x6d, 0x70,
+	0x5d, 0xb3, 0x32, 0x63, 0xf8, 0x33, 0xb4, 0xf7, 0xc4, 0xf1, 0xfc, 0x88, 0xd3, 0x38, 0x90, 0xb8,
-	0x1e, 0x98, 0x67, 0x61, 0xbc, 0x24, 0x95, 0x85, 0x19, 0xaf, 0x96, 0xd6, 0xb7, 0xde, 0x9c, 0xb4,
+	0x18, 0xd9, 0x83, 0xaa, 0xd7, 0x44, 0xe5, 0x9c, 0xdb, 0x9c, 0x5d, 0x4c, 0x80, 0xbf, 0xef, 0xa8,
-	0x2e, 0xfd, 0xb1, 0x78, 0x08, 0xef, 0x5a, 0x0c, 0xfe, 0x0f, 0x7a, 0xd3, 0x3c, 0xb9, 0xf8, 0xd3,
+	0x39, 0x4f, 0x81, 0x69, 0x14, 0x86, 0x40, 0x52, 0x51, 0x98, 0xc4, 0x62, 0x03, 0xbe, 0xff, 0xf6,
-	0xc8, 0x5d, 0x5c, 0x1b, 0xda, 0xe5, 0xb5, 0xa1, 0xfd, 0x71, 0x6d, 0x68, 0xbf, 0xdc, 0x18, 0xb9,
+	0x0c, 0x78, 0xee, 0x4f, 0xca, 0x43, 0x78, 0xd7, 0x2c, 0xf8, 0x3f, 0xb8, 0x52, 0xfd, 0xf4, 0xf2,
-	0x17, 0x37, 0x46, 0xee, 0xf2, 0xc6, 0xc8, 0xfd, 0x76, 0x63, 0xe4, 0x7e, 0xfc, 0xe8, 0xdf, 0xe4,
+	0x4f, 0x23, 0x77, 0x79, 0x63, 0x68, 0x57, 0x37, 0x86, 0xf6, 0xc7, 0x8d, 0xa1, 0xfd, 0x72, 0x6b,
-	0xe6, 0xa5, 0x7f, 0x57, 0x4f, 0x4b, 0x10, 0xf8, 0xe4, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x3e,
+	0xe4, 0x5e, 0xde, 0x1a, 0xb9, 0xab, 0x5b, 0x23, 0xf7, 0xdb, 0xad, 0x91, 0xfb, 0xf1, 0xa3, 0x7f,
-	0x9a, 0xda, 0xd9, 0xc8, 0x0a, 0x00, 0x00,
+	0x33, 0xa5, 0x57, 0xfe, 0xf5, 0x3d, 0x2b, 0x00, 0xf0, 0xc9, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff,
+	0xf4, 0xca, 0x84, 0xe7, 0x14, 0x0b, 0x00, 0x00,
 }
 
 func (m *HealthCheck) Marshal() (dAtA []byte, err error) {
@@ -524,6 +527,15 @@ func (m *HealthCheckDefinition) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.TLSServerName) > 0 {
+		i -= len(m.TLSServerName)
+		copy(dAtA[i:], m.TLSServerName)
+		i = encodeVarintHealthcheck(dAtA, i, uint64(len(m.TLSServerName)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0x9a
+	}
 	if len(m.Body) > 0 {
 		i -= len(m.Body)
 		copy(dAtA[i:], m.Body)
@@ -706,6 +718,15 @@ func (m *CheckType) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if len(m.TLSServerName) > 0 {
+		i -= len(m.TLSServerName)
+		copy(dAtA[i:], m.TLSServerName)
+		i = encodeVarintHealthcheck(dAtA, i, uint64(len(m.TLSServerName)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xda
+	}
 	if len(m.Body) > 0 {
 		i -= len(m.Body)
 		copy(dAtA[i:], m.Body)
@@ -1093,6 +1114,10 @@ func (m *HealthCheckDefinition) Size() (n int) {
 	if l > 0 {
 		n += 2 + l + sovHealthcheck(uint64(l))
 	}
+	l = len(m.TLSServerName)
+	if l > 0 {
+		n += 2 + l + sovHealthcheck(uint64(l))
+	}
 	return n
 }
 
@@ -1200,6 +1225,10 @@ func (m *CheckType) Size() (n int) {
 	if l > 0 {
 		n += 2 + l + sovHealthcheck(uint64(l))
 	}
+	l = len(m.TLSServerName)
+	if l > 0 {
+		n += 2 + l + sovHealthcheck(uint64(l))
+	}
 	return n
 }
 
@@ -2435,6 +2464,38 @@ func (m *HealthCheckDefinition) Unmarshal(dAtA []byte) error {
 			}
 			m.Body = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 19:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TLSServerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHealthcheck
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthHealthcheck
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthHealthcheck
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TLSServerName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipHealthcheck(dAtA[iNdEx:])
@@ -3358,6 +3419,38 @@ func (m *CheckType) Unmarshal(dAtA []byte) error {
 			}
 			m.Body = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 27:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TLSServerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowHealthcheck
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthHealthcheck
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthHealthcheck
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TLSServerName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipHealthcheck(dAtA[iNdEx:])

proto/pbservice/healthcheck.proto

@@ -56,6 +56,7 @@ message HeaderValue {
 // name=Structs
 message HealthCheckDefinition {
     string HTTP = 1;
+    string TLSServerName = 19;
     bool TLSSkipVerify = 2;
 
     // mog: func-to=MapHeadersToStructs func-from=NewMapHeadersFromStructs
@@ -117,6 +118,7 @@ message CheckType {
     string Shell = 13;
     string GRPC = 14;
     bool GRPCUseTLS = 15;
+    string TLSServerName = 27;
     bool TLSSkipVerify = 16;
     google.protobuf.Duration Timeout = 17
     [(gogoproto.stdduration) = true, (gogoproto.nullable) = false];

tlsutil/config.go

@@ -711,21 +711,27 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config {
 	return config
 }
 
-// IncomingTLSConfig generates a *tls.Config for outgoing TLS connections for
+// OutgoingTLSConfigForCheck generates a *tls.Config for outgoing TLS connections
-// checks. This function is separated because there is an extra flag to
+// for checks. This function is separated because there is an extra flag to
 // consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to
 // be checked for checks.
-func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool) *tls.Config {
+func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config {
 	c.log("OutgoingTLSConfigForCheck")
+
+	if serverName == "" {
+		serverName = c.serverNameOrNodeName()
+	}
+
 	if !c.enableAgentTLSForChecks() {
 		return &tls.Config{
 			InsecureSkipVerify: skipVerify,
+			ServerName:         serverName,
 		}
 	}
 
 	config := c.commonTLSConfig(false)
 	config.InsecureSkipVerify = skipVerify
-	config.ServerName = c.serverNameOrNodeName()
+	config.ServerName = serverName
 
 	return config
 }

tlsutil/config_test.go

@@ -909,16 +909,21 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
 		TLSMinVersion:           "tls12",
 		EnableAgentTLSForChecks: false,
 	}, autoTLS: &autoTLS{}}
-	tlsConf := c.OutgoingTLSConfigForCheck(true)
+	tlsConf := c.OutgoingTLSConfigForCheck(true, "")
 	require.Equal(t, true, tlsConf.InsecureSkipVerify)
 	require.Equal(t, uint16(0), tlsConf.MinVersion)
 
 	c.base.EnableAgentTLSForChecks = true
 	c.base.ServerName = "servername"
-	tlsConf = c.OutgoingTLSConfigForCheck(true)
+	tlsConf = c.OutgoingTLSConfigForCheck(true, "")
 	require.Equal(t, true, tlsConf.InsecureSkipVerify)
 	require.Equal(t, TLSLookup[c.base.TLSMinVersion], tlsConf.MinVersion)
 	require.Equal(t, c.base.ServerName, tlsConf.ServerName)
+
+	tlsConf = c.OutgoingTLSConfigForCheck(true, "servername2")
+	require.Equal(t, true, tlsConf.InsecureSkipVerify)
+	require.Equal(t, TLSLookup[c.base.TLSMinVersion], tlsConf.MinVersion)
+	require.Equal(t, "servername2", tlsConf.ServerName)
 }
 
 func TestConfigurator_OutgoingRPCConfig(t *testing.T) {

website/content/api-docs/agent/check.mdx

@@ -188,6 +188,11 @@ The table below shows this endpoint's support for
   The value can be further limited for all checks of a given agent using the
   `check_output_max_size` flag in the agent.
 
+- `TLSServerName` `(string: "")` - Specifies an optional string used to set the
+  SNI host when connecting via TLS.
+  For an `HTTP` check, this value is set automatically if the URL uses a hostname
+  (not an IP address).
+
 - `TLSSkipVerify` `(bool: false)` - Specifies if the certificate for an HTTPS
   check should not be verified.
 

website/content/docs/discovery/checks.mdx

@@ -63,7 +63,9 @@ There are several different kinds of checks:
   check is limited to roughly 4KB. Responses larger than this will be truncated.
   HTTP checks also support TLS. By default, a valid TLS certificate is expected.
   Certificate verification can be turned off by setting the `tls_skip_verify`
-  field to `true` in the check definition.
+  field to `true` in the check definition. When using TLS, the SNI will be set
+  automatically from the URL if it uses a hostname (as opposed to an IP address);
+  the value can be overriden by setting `tls_server_name`.
 
 - `TCP + Interval` - These checks make a TCP connection attempt to the specified
   IP/hostname and port, waiting `interval` amount of time between attempts
@@ -153,6 +155,7 @@ A HTTP check:
     "id": "api",
     "name": "HTTP API on port 5000",
     "http": "https://localhost:5000/health",
+    "tls_server_name": "",
     "tls_skip_verify": false,
     "method": "POST",
     "header": {"Content-Type": ["application/json"]},