summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSven Nierlein <sven@nierlein.org>2015-10-02 16:00:09 +0200
committerSven Nierlein <sven@nierlein.org>2015-10-02 16:00:09 +0200
commit7811f31018a9bb81bfb8e8995de366829b50e7b4 (patch)
treea62f113bce908d935b7db42baa612d0477639717
parentccae9fea1d90b11e1a7b5c7f8bfde1bd8d2f79c6 (diff)
parent342dd1b97fd3423cb6368fedbb6c729f3c3b6243 (diff)
downloadmonitoring-plugins-7811f31018a9bb81bfb8e8995de366829b50e7b4.tar.gz
Merge pull request #1349 from waja/check_http_ssl_via_proxy
check_http: Adding support for checking SSL-Websites through Proxies
-rw-r--r--plugins/check_http.c45
1 files changed, 41 insertions, 4 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 51679975..2437406f 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -875,11 +875,35 @@ check_http (void)
875 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) 875 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
876 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); 876 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
877 microsec_connect = deltime (tv_temp); 877 microsec_connect = deltime (tv_temp);
878
879 /* if we are called with the -I option, the -j method is CONNECT and */
880 /* we received -S for SSL, then we tunnel the request through a proxy*/
881 /* @20100414, public[at]frank4dd.com, http://www.frank4dd.com/howto */
882
883 if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
884 && host_name != NULL && use_ssl == TRUE) {
885
886 if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT);
887 asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent);
888 asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf);
889 asprintf (&buf, "%sHost: %s\r\n", buf, host_name);
890 /* we finished our request, send empty line with CRLF */
891 asprintf (&buf, "%s%s", buf, CRLF);
892 if (verbose) printf ("%s\n", buf);
893 send(sd, buf, strlen (buf), 0);
894 buf[0]='\0';
895
896 if (verbose) printf ("Receive response from proxy\n");
897 read (sd, buffer, MAX_INPUT_BUFFER-1);
898 if (verbose) printf ("%s", buffer);
899 /* Here we should check if we got HTTP/1.1 200 Connection established */
900 }
878#ifdef HAVE_SSL 901#ifdef HAVE_SSL
879 elapsed_time_connect = (double)microsec_connect / 1.0e6; 902 elapsed_time_connect = (double)microsec_connect / 1.0e6;
880 if (use_ssl == TRUE) { 903 if (use_ssl == TRUE) {
881 gettimeofday (&tv_temp, NULL); 904 gettimeofday (&tv_temp, NULL);
882 result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey); 905 result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
906 if (verbose) printf ("SSL initialized\n");
883 if (result != STATE_OK) 907 if (result != STATE_OK)
884 die (STATE_CRITICAL, NULL); 908 die (STATE_CRITICAL, NULL);
885 microsec_ssl = deltime (tv_temp); 909 microsec_ssl = deltime (tv_temp);
@@ -893,7 +917,11 @@ check_http (void)
893 } 917 }
894#endif /* HAVE_SSL */ 918#endif /* HAVE_SSL */
895 919
896 xasprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent); 920 if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
921 && host_name != NULL && use_ssl == TRUE)
922 asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
923 else
924 asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
897 925
898 /* tell HTTP/1.1 servers not to keep the connection alive */ 926 /* tell HTTP/1.1 servers not to keep the connection alive */
899 xasprintf (&buf, "%sConnection: close\r\n", buf); 927 xasprintf (&buf, "%sConnection: close\r\n", buf);
@@ -906,7 +934,9 @@ check_http (void)
906 * (default) port is explicitly specified in the "Host:" header line. 934 * (default) port is explicitly specified in the "Host:" header line.
907 */ 935 */
908 if ((use_ssl == FALSE && server_port == HTTP_PORT) || 936 if ((use_ssl == FALSE && server_port == HTTP_PORT) ||
909 (use_ssl == TRUE && server_port == HTTPS_PORT)) 937 (use_ssl == TRUE && server_port == HTTPS_PORT) ||
938 ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
939 && host_name != NULL && use_ssl == TRUE))
910 xasprintf (&buf, "%sHost: %s\r\n", buf, host_name); 940 xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);
911 else 941 else
912 xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port); 942 xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);
@@ -1496,7 +1526,7 @@ print_help (void)
1496 printf (" %s\n", _("URL to GET or POST (default: /)")); 1526 printf (" %s\n", _("URL to GET or POST (default: /)"));
1497 printf (" %s\n", "-P, --post=STRING"); 1527 printf (" %s\n", "-P, --post=STRING");
1498 printf (" %s\n", _("URL encoded http POST data")); 1528 printf (" %s\n", _("URL encoded http POST data"));
1499 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE)"); 1529 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
1500 printf (" %s\n", _("Set HTTP method.")); 1530 printf (" %s\n", _("Set HTTP method."));
1501 printf (" %s\n", "-N, --no-body"); 1531 printf (" %s\n", "-N, --no-body");
1502 printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); 1532 printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
@@ -1570,7 +1600,7 @@ print_help (void)
1570 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); 1600 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1571 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); 1601 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1572 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); 1602 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1573 printf (" %s\n", _("the certificate is expired.")); 1603 printf (" %s\n\n", _("the certificate is expired."));
1574 printf ("\n"); 1604 printf ("\n");
1575 printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14"); 1605 printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
1576 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); 1606 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
@@ -1578,6 +1608,13 @@ print_help (void)
1578 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); 1608 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
1579 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); 1609 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
1580 1610
1611 printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
1612 printf (" %s\n", _("check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
1613 printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
1614 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1615 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1616 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1617
1581#endif 1618#endif
1582 1619
1583 printf (UT_SUPPORT); 1620 printf (UT_SUPPORT);