SpringBoot endpoint /health still requires HTTPS even management.server.ssl.enabled=false if management.server.port same as server.port

Hello Actuator Team,

Big thanks to this wonderful project. Springboot Actuator is being used in more and more designs, and it is providing a great /health feature.

However, in production, more and more apps are required to use SSL and expose all endpoints as HTTPS endpoints. Also, there are cases where some clients are relying on /health endpoint in order to do client side DR, or simply Kubernetes probes are also relying on /health for liveness and readiness.

Having the ability to expose an innocent /health over HTTP while everything else is still HTTPS is hopefully a valid use case. Can actuator enable such, without having the app fallback on complex Spring Security rules or expose another management.server.port on another port?

This is not only a question, but an issue for this project. When management.server.ssl.enabled is set to false, it can be expected actuator endpoints are HTTP based. However, it is not the case if SSL is enabled.

A combination of management.server.ssl.enabled=false and management.server.port to another port can workaround this problem, but the /health (and other management endpoints) are forced to be on another port.

Could you please help on having an HTTP based /health when management.server.ssl.enabled=false and on the same port as where the app is running?

Thank you

Comment From: wilkinsona

Could you please help on having an HTTP based /health when management.server.ssl.enabled=false and on the same port as where the app is running?

This isn't possible as the embedded containers do not support both using both HTTP and HTTPS on the same port. If you want your app to use HTTPS and your actuator endpoints to use HTTP, you'll have to configure them to use separate ports.

Comment From: KostasD21

What if I want to have the server and management server on the same HTTPS port ?

Because I am still getting :

Management-specific SSL cannot be configured as the management server is not listening on a separate port

So it mandates a separate port for the management server I suppose.

Comment From: wilkinsona

If the server and management server are sharing the same port then they must also share the same SSL configuration, specified using the server.ssl.* configuration properties.