The check_curl Plugin
check_curl v2.4.0.7.g78ce (monitoring-plugins 2.4git)
Copyright (c) 1999 Ethan Galstad <nagios@nagios.org>
Copyright (c) 2006-2019 Monitoring Plugins Development Team
<devel@monitoring-plugins.org>
This plugin tests the HTTP service on the specified host. It can test
normal (http) and secure (https) servers, follow redirects, search for
strings and regular expressions, check connection times, and report on
certificate expiration times.
It makes use of libcurl to do so. It tries to be as compatible to check_http
as possible.
Usage:
check_curl -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]
[-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate file>] [-D]
[-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]
[-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport|curl>]
[-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]
[-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]
[-A string] [-k string] [-S <version>] [--sni] [--haproxy-protocol]
[-T <content-type>] [-j method]
[--http-version=<version>] [--enable-automatic-decompression]
[--cookie-jar=<cookie jar file>
check_curl -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]
[-p <port>] [-t <timeout>] [-4|-6] [--sni]
In the first form, make an HTTP request.
In the second form, connect to the server and check the TLS certificate.
WARNING: check_curl is experimental. Please use
check_http if you need a stable version.
NOTE: One or both of -H and -I must be specified
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
--extra-opts=[section][@file]
Read options from an ini file. See
https://www.monitoring-plugins.org/doc/extra-opts.html
for usage and examples.
-H, --hostname=ADDRESS
Host name argument for servers using host headers (virtual host)
Append a port to include it in the header (eg: example.com:5000)
-I, --IP-address=ADDRESS
IP address or name (use numeric address if possible to bypass DNS lookup).
-p, --port=INTEGER
Port number (default: 80)
-4, --use-ipv4
Use IPv4 connection
-6, --use-ipv6
Use IPv6 connection
-S, --ssl=VERSION[+]
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted.
Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl
--sni
Enable SSL/TLS hostname extension support (SNI)
Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and
SNI only really works since TLSv1.0
-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked by default. You can use
--continue-after-certificate to override this behavior)
--continue-after-certificate
Allows the HTTP check to continue after performing the certificate check.
Does nothing unless -C is used.
-J, --client-cert=FILE
Name of file that contains the client certificate (PEM format)
to be used in establishing the SSL session
-K, --private-key=FILE
Name of file containing the private key (PEM format)
matching the client certificate
--ca-cert=FILE
CA certificate file to verify peer against
-D, --verify-cert
Verify the peer's SSL certificate and hostname
-e, --expect=STRING
Comma-delimited list of strings, at least one of them is expected in
the first (status) line of the server response (default: HTTP/)
If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)
-d, --header-string=STRING
String to expect in the response headers
-s, --string=STRING
String to expect in the content
-u, --url=PATH
URL to GET or POST (default: /)
-P, --post=STRING
URL decoded http POST data
-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)
Set HTTP method.
-N, --no-body
Don't wait for document body: stop reading after headers.
(Note that this still does an HTTP GET or POST, not a HEAD.)
-M, --max-age=SECONDS
Warn if document is more than SECONDS old. the number can also be of
the form "10m" for minutes, "10h" for hours, or "10d" for days.
-T, --content-type=STRING
specify Content-Type header media type when POSTing
-l, --linespan
Allow regex to span newlines (must precede -r or -R)
-r, --regex, --ereg=STRING
Search page for regex STRING
-R, --eregi=STRING
Search page for case-insensitive regex STRING
--invert-regex
Return STATE if found, OK if not (STATE is CRITICAL, per default)
can be changed with --state--regex)
--regex-state=STATE
Return STATE if regex is found, OK if not
-a, --authorization=AUTH_PAIR
Username:password on sites with basic authentication
-b, --proxy-authorization=AUTH_PAIR
Username:password on proxy-servers with basic authentication
-A, --useragent=STRING
String to be sent in http header as "User Agent"
-k, --header=STRING
Any other tags to be sent in http header. Use multiple times for additional headers
-E, --extended-perfdata
Print additional performance data
-B, --show-body
Print body content below status line
-L, --link
Wrap output in HTML link (obsoleted by urlize)
-f, --onredirect=<ok|warning|critical|follow|sticky|stickyport|curl>
How to handle redirected pages. sticky is like follow but stick to the
specified IP address. stickyport also ensures port stays the same.
follow uses the old redirection algorithm of check_http.
curl uses CURL_FOLLOWLOCATION built into libcurl.
--max-redirs=INTEGER
Maximal number of redirects (default: 15)
-m, --pagesize=INTEGER<:INTEGER>
Minimum page size required (bytes) : Maximum page size required (bytes)
--http-version=VERSION
Connect via specific HTTP protocol.
1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)
--enable-automatic-decompression
Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING).
--haproxy-protocol
Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL).
---cookie-jar=FILE
Store cookies in the cookie jar and send them out when requested.
-w, --warning=DOUBLE
Response time to result in warning status (seconds)
-c, --critical=DOUBLE
Response time to result in critical status (seconds)
-t, --timeout=INTEGER
Seconds before connection times out (default: 10)
-v, --verbose
Show details for command-line debugging (output may be truncated by
the monitoring system)
Notes:
This plugin will attempt to open an HTTP connection with the host.
Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL
other errors return STATE_UNKNOWN. Successful connects, but incorrect response
messages from the host result in STATE_WARNING return values. If you are
checking a virtual server that uses 'host headers' you must supply the FQDN
(fully qualified domain name) as the [host_name] argument.
This plugin can also check whether an SSL enabled web server is able to
serve content (optionally within a specified time) or whether the X509
certificate is still valid for the specified number of days.
Please note that this plugin does not check if the presented server
certificate matches the hostname of the server, or if the certificate
has a valid chain of trust to one of the locally installed CAs.
Examples:
CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com
When the 'www.verisign.com' server returns its content within 5 seconds,
a STATE_OK will be returned. When the server returns its content but exceeds
the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
a STATE_CRITICAL will be returned.
CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14
When the certificate of 'www.verisign.com' is valid for more than 14 days,
a STATE_OK is returned. When the certificate is still valid, but for less than
14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
the certificate is expired.
CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14
When the certificate of 'www.verisign.com' is valid for more than 30 days,
a STATE_OK is returned. When the certificate is still valid, but for less than
30 days, but more than 14 days, a STATE_WARNING is returned.
A STATE_CRITICAL will be returned when certificate expires in less than 14 days
CHECK WEBSERVER CONTENT VIA PROXY:
It is recommended to use an environment proxy like:
http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org
legacy proxy requests in check_http style still work:
check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ -H www.monitoring-plugins.org
CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT:
It is recommended to use an environment proxy like:
https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S
legacy proxy requests in check_http style still work:
check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com
all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>
a STATE_OK will be returned. When the server returns its content but exceeds
the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
a STATE_CRITICAL will be returned.
Send email to help@monitoring-plugins.org if you have questions regarding
use of this software. To submit patches or suggest improvements, send email
to devel@monitoring-plugins.org