summaryrefslogtreecommitdiffstats
path: root/plugins/check_http.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_http.c')
-rw-r--r--plugins/check_http.c108
1 files changed, 87 insertions, 21 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c
index 51679975..2038f4a1 100644
--- a/plugins/check_http.c
+++ b/plugins/check_http.c
@@ -267,11 +267,11 @@ process_arguments (int argc, char **argv)
267 break; 267 break;
268 case 'h': /* help */ 268 case 'h': /* help */
269 print_help (); 269 print_help ();
270 exit (STATE_OK); 270 exit (STATE_UNKNOWN);
271 break; 271 break;
272 case 'V': /* version */ 272 case 'V': /* version */
273 print_revision (progname, NP_VERSION); 273 print_revision (progname, NP_VERSION);
274 exit (STATE_OK); 274 exit (STATE_UNKNOWN);
275 break; 275 break;
276 case 't': /* timeout period */ 276 case 't': /* timeout period */
277 if (!is_intnonneg (optarg)) 277 if (!is_intnonneg (optarg))
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv)
343 parameters, like -S and -C combinations */ 343 parameters, like -S and -C combinations */
344 use_ssl = TRUE; 344 use_ssl = TRUE;
345 if (c=='S' && optarg != NULL) { 345 if (c=='S' && optarg != NULL) {
346 ssl_version = atoi(optarg); 346 int got_plus = strchr(optarg, '+') != NULL;
347 if (ssl_version < 1 || ssl_version > 3) 347
348 usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)")); 348 if (!strncmp (optarg, "1.2", 3))
349 ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2;
350 else if (!strncmp (optarg, "1.1", 3))
351 ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1;
352 else if (optarg[0] == '1')
353 ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1;
354 else if (optarg[0] == '3')
355 ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3;
356 else if (optarg[0] == '2')
357 ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2;
358 else
359 usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)"));
349 } 360 }
350 if (specify_port == FALSE) 361 if (specify_port == FALSE)
351 server_port = HTTPS_PORT; 362 server_port = HTTPS_PORT;
@@ -869,17 +880,42 @@ check_http (void)
869 double elapsed_time_transfer = 0.0; 880 double elapsed_time_transfer = 0.0;
870 int page_len = 0; 881 int page_len = 0;
871 int result = STATE_OK; 882 int result = STATE_OK;
883 char *force_host_header = NULL;
872 884
873 /* try to connect to the host at the given port number */ 885 /* try to connect to the host at the given port number */
874 gettimeofday (&tv_temp, NULL); 886 gettimeofday (&tv_temp, NULL);
875 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) 887 if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK)
876 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); 888 die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
877 microsec_connect = deltime (tv_temp); 889 microsec_connect = deltime (tv_temp);
890
891 /* if we are called with the -I option, the -j method is CONNECT and */
892 /* we received -S for SSL, then we tunnel the request through a proxy*/
893 /* @20100414, public[at]frank4dd.com, http://www.frank4dd.com/howto */
894
895 if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
896 && host_name != NULL && use_ssl == TRUE) {
897
898 if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT);
899 asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent);
900 asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf);
901 asprintf (&buf, "%sHost: %s\r\n", buf, host_name);
902 /* we finished our request, send empty line with CRLF */
903 asprintf (&buf, "%s%s", buf, CRLF);
904 if (verbose) printf ("%s\n", buf);
905 send(sd, buf, strlen (buf), 0);
906 buf[0]='\0';
907
908 if (verbose) printf ("Receive response from proxy\n");
909 read (sd, buffer, MAX_INPUT_BUFFER-1);
910 if (verbose) printf ("%s", buffer);
911 /* Here we should check if we got HTTP/1.1 200 Connection established */
912 }
878#ifdef HAVE_SSL 913#ifdef HAVE_SSL
879 elapsed_time_connect = (double)microsec_connect / 1.0e6; 914 elapsed_time_connect = (double)microsec_connect / 1.0e6;
880 if (use_ssl == TRUE) { 915 if (use_ssl == TRUE) {
881 gettimeofday (&tv_temp, NULL); 916 gettimeofday (&tv_temp, NULL);
882 result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey); 917 result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey);
918 if (verbose) printf ("SSL initialized\n");
883 if (result != STATE_OK) 919 if (result != STATE_OK)
884 die (STATE_CRITICAL, NULL); 920 die (STATE_CRITICAL, NULL);
885 microsec_ssl = deltime (tv_temp); 921 microsec_ssl = deltime (tv_temp);
@@ -893,29 +929,51 @@ check_http (void)
893 } 929 }
894#endif /* HAVE_SSL */ 930#endif /* HAVE_SSL */
895 931
896 xasprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent); 932 if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0
933 && host_name != NULL && use_ssl == TRUE)
934 asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
935 else
936 asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent);
897 937
898 /* tell HTTP/1.1 servers not to keep the connection alive */ 938 /* tell HTTP/1.1 servers not to keep the connection alive */
899 xasprintf (&buf, "%sConnection: close\r\n", buf); 939 xasprintf (&buf, "%sConnection: close\r\n", buf);
900 940
941 /* check if Host header is explicitly set in options */
942 if (http_opt_headers_count) {
943 for (i = 0; i < http_opt_headers_count ; i++) {
944 if (strncmp(http_opt_headers[i], "Host:", 5) == 0) {
945 force_host_header = http_opt_headers[i];
946 }
947 }
948 }
949
901 /* optionally send the host header info */ 950 /* optionally send the host header info */
902 if (host_name) { 951 if (host_name) {
903 /* 952 if (force_host_header) {
904 * Specify the port only if we're using a non-default port (see RFC 2616, 953 xasprintf (&buf, "%s%s\r\n", buf, force_host_header);
905 * 14.23). Some server applications/configurations cause trouble if the 954 }
906 * (default) port is explicitly specified in the "Host:" header line. 955 else {
907 */ 956 /*
908 if ((use_ssl == FALSE && server_port == HTTP_PORT) || 957 * Specify the port only if we're using a non-default port (see RFC 2616,
909 (use_ssl == TRUE && server_port == HTTPS_PORT)) 958 * 14.23). Some server applications/configurations cause trouble if the
910 xasprintf (&buf, "%sHost: %s\r\n", buf, host_name); 959 * (default) port is explicitly specified in the "Host:" header line.
911 else 960 */
912 xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port); 961 if ((use_ssl == FALSE && server_port == HTTP_PORT) ||
962 (use_ssl == TRUE && server_port == HTTPS_PORT) ||
963 (server_address != NULL && strcmp(http_method, "CONNECT") == 0
964 && host_name != NULL && use_ssl == TRUE))
965 xasprintf (&buf, "%sHost: %s\r\n", buf, host_name);
966 else
967 xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port);
968 }
913 } 969 }
914 970
915 /* optionally send any other header tag */ 971 /* optionally send any other header tag */
916 if (http_opt_headers_count) { 972 if (http_opt_headers_count) {
917 for (i = 0; i < http_opt_headers_count ; i++) { 973 for (i = 0; i < http_opt_headers_count ; i++) {
918 xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]); 974 if (force_host_header != http_opt_headers[i]) {
975 xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]);
976 }
919 } 977 }
920 /* This cannot be free'd here because a redirection will then try to access this and segfault */ 978 /* This cannot be free'd here because a redirection will then try to access this and segfault */
921 /* Covered in a testcase in tests/check_http.t */ 979 /* Covered in a testcase in tests/check_http.t */
@@ -1467,9 +1525,10 @@ print_help (void)
1467 printf (UT_IPv46); 1525 printf (UT_IPv46);
1468 1526
1469#ifdef HAVE_SSL 1527#ifdef HAVE_SSL
1470 printf (" %s\n", "-S, --ssl=VERSION"); 1528 printf (" %s\n", "-S, --ssl=VERSION[+]");
1471 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); 1529 printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents"));
1472 printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).")); 1530 printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,"));
1531 printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted."));
1473 printf (" %s\n", "--sni"); 1532 printf (" %s\n", "--sni");
1474 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); 1533 printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)"));
1475 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); 1534 printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]");
@@ -1496,7 +1555,7 @@ print_help (void)
1496 printf (" %s\n", _("URL to GET or POST (default: /)")); 1555 printf (" %s\n", _("URL to GET or POST (default: /)"));
1497 printf (" %s\n", "-P, --post=STRING"); 1556 printf (" %s\n", "-P, --post=STRING");
1498 printf (" %s\n", _("URL encoded http POST data")); 1557 printf (" %s\n", _("URL encoded http POST data"));
1499 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE)"); 1558 printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)");
1500 printf (" %s\n", _("Set HTTP method.")); 1559 printf (" %s\n", _("Set HTTP method."));
1501 printf (" %s\n", "-N, --no-body"); 1560 printf (" %s\n", "-N, --no-body");
1502 printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); 1561 printf (" %s\n", _("Don't wait for document body: stop reading after headers."));
@@ -1570,7 +1629,7 @@ print_help (void)
1570 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); 1629 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1571 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); 1630 printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1572 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); 1631 printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1573 printf (" %s\n", _("the certificate is expired.")); 1632 printf (" %s\n\n", _("the certificate is expired."));
1574 printf ("\n"); 1633 printf ("\n");
1575 printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14"); 1634 printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14");
1576 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); 1635 printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
@@ -1578,6 +1637,13 @@ print_help (void)
1578 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); 1637 printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned."));
1579 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); 1638 printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days"));
1580 1639
1640 printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: ");
1641 printf (" %s\n", _("check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com "));
1642 printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>"));
1643 printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds"));
1644 printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1645 printf (" %s\n", _("a STATE_CRITICAL will be returned."));
1646
1581#endif 1647#endif
1582 1648
1583 printf (UT_SUPPORT); 1649 printf (UT_SUPPORT);