Https health monitor required authentication to work but back-end servers do not need authentication

I don't remember that applying particular cipher suit will automatic turn on basic authentication requirement. Right?

Correct. That has nothing to do with application authentication.

The difference is that I didn't have cipher suit in the curl command line

The HTTPS monitor lets you specify the cipher string, while cURL and wget just do it for you. You can indeed specify a cipher string in these utilities, but regardless the client (cURL) is definitely negotiating SSL with a set of supported ciphers.