[monitoring-plugins/monitoring-plugins] check_http and EPIPE with HAProxy + SSL (#1419)

Peter Pramberger notifications at github.com
Fri May 20 16:15:36 CEST 2016

Previous message: [PATCH] check_dig: use +retry instead of +tries
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Using check_http to monitor [HAProxy](http://www.haproxy.org/) via SSL on an
URL configured via monitor-uri (that is, [HAProxy](http://www.haproxy.org/)
is handling the HTTP request itself without forwarding it to the backend) is
currently not possible, as check_http dies with an `EPIPE` before returning
any output:

    write(3, "\25\3\1\0 \256\235\31\353\0\276\347\361\367e\221\323:3\336\302I\257\2232\270\307c\256\357\270\346"..., 37) = -1 EPIPE (Broken pipe)
    --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=16924, si_uid=57000} ---
    +++ killed by SIGPIPE +++

This is due to the fact that [HAProxy](http://www.haproxy.org/) immediately
closes the monitoring connection after the response, without waiting for any
SSL shutdown. Unfortunately (in this case) `SSL_shutdown()` tries to send a
SSL shutdown message on a connection which does not exist anymore,
triggering the EPIPE.

The only workaround for that issue so far is disabling `SIGPIPE` before
`SSL_shutdown()`, as I found no way to check the socket state without
writing to it:

    --- monitoring-plugins-2.1.2/plugins/sslutils.c.orig    2015-10-16 11:06:18.000000000 +0200
    +++ monitoring-plugins-2.1.2/plugins/sslutils.c 2016-05-20 15:55:39.915793381 +0200
    @@ -127,7 +127,10 @@ void np_net_ssl_cleanup() {
     #ifdef SSL_set_tlsext_host_name
                    SSL_set_tlsext_host_name(s, NULL);
     #endif
    +               /* XXX: Ignore SIGPIPE or SSL_shutdown() will EPIPE on dropped connections */
    +               (void) signal (SIGPIPE, SIG_IGN);
                    SSL_shutdown(s);
    +               (void) signal (SIGPIPE, SIG_DFL);
                    SSL_free(s);
                    if (c) {
                            SSL_CTX_free(c);

Please consider this fix for inclusion.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1419
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-plugins.org/archive/devel/attachments/20160520/8d100f30/attachment.html>

Previous message: [PATCH] check_dig: use +retry instead of +tries
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Devel mailing list