Gandalf/sofarr
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects Releases 15 Wiki Activity

fix: healthcheck respects TLS_ENABLED at runtime
Some checks failed
Build and Push Docker Image / build (push) Successful in 30s
Details
CI / Tests & coverage (push) Has been cancelled
Details
CI / Security audit (push) Has been cancelled
Details

Browse Source 
When TLS_ENABLED=false (e.g. behind a reverse proxy) the healthcheck
was still hitting https://localhost which fails on plain HTTP, keeping
the container perpetually in 'starting' state on TrueNAS SCALE.

Use a shell conditional so the correct protocol is used at runtime:
  - TLS_ENABLED=false  -> wget http://localhost:${PORT}/health
  - TLS_ENABLED=true (default) -> wget --no-check-certificate https://...
This commit is contained in:
Gronod
2026-05-17 17:42:55 +01:00
parent e4be334ad4
commit fa72cfb5ec
2 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Dockerfile
View File

@@ -49,10 +49,10 @@ USER node
EXPOSE 3001
# HEALTHCHECK — Docker will restart the container if this fails 3 times
# --no-check-certificate handles self-signed / snakeoil certs.
# Remove that flag when using a CA-signed certificate.
# HEALTHCHECK — Docker will restart the container if this fails 3 times.
# Respects TLS_ENABLED at runtime: uses https (with --no-check-certificate
# to handle self-signed/snakeoil certs) when TLS is on, plain http when off.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
CMD wget -qO- --no-check-certificate https://localhost:3001/health || exit 1
CMD /bin/sh -c '[ "${TLS_ENABLED:-true}" = "false" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health'
CMD ["node", "server/index.js"]

6
docker-compose.yaml
View File

@@ -47,9 +47,9 @@ services:
- ALL # drop all Linux capabilities
cap_add: [] # add back none — Node.js needs no special caps
healthcheck:
# Uses --no-check-certificate for self-signed / snakeoil certs.
# Remove that flag if using a CA-signed certificate.
test: ["CMD", "wget", "-qO-", "--no-check-certificate", "https://localhost:3001/health"]
# Respects TLS_ENABLED: uses http when set to false, https otherwise.
# --no-check-certificate handles self-signed / snakeoil certs.
test: ["CMD", "/bin/sh", "-c", "[ \"${TLS_ENABLED:-true}\" = \"false\" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health"]
interval: 30s
timeout: 5s
retries: 3