diff options
Diffstat (limited to 'plugins/check_http.c')
-rw-r--r-- | plugins/check_http.c | 108 |
1 files changed, 87 insertions, 21 deletions
diff --git a/plugins/check_http.c b/plugins/check_http.c index 51679975..2038f4a1 100644 --- a/plugins/check_http.c +++ b/plugins/check_http.c | |||
@@ -267,11 +267,11 @@ process_arguments (int argc, char **argv) | |||
267 | break; | 267 | break; |
268 | case 'h': /* help */ | 268 | case 'h': /* help */ |
269 | print_help (); | 269 | print_help (); |
270 | exit (STATE_OK); | 270 | exit (STATE_UNKNOWN); |
271 | break; | 271 | break; |
272 | case 'V': /* version */ | 272 | case 'V': /* version */ |
273 | print_revision (progname, NP_VERSION); | 273 | print_revision (progname, NP_VERSION); |
274 | exit (STATE_OK); | 274 | exit (STATE_UNKNOWN); |
275 | break; | 275 | break; |
276 | case 't': /* timeout period */ | 276 | case 't': /* timeout period */ |
277 | if (!is_intnonneg (optarg)) | 277 | if (!is_intnonneg (optarg)) |
@@ -343,9 +343,20 @@ process_arguments (int argc, char **argv) | |||
343 | parameters, like -S and -C combinations */ | 343 | parameters, like -S and -C combinations */ |
344 | use_ssl = TRUE; | 344 | use_ssl = TRUE; |
345 | if (c=='S' && optarg != NULL) { | 345 | if (c=='S' && optarg != NULL) { |
346 | ssl_version = atoi(optarg); | 346 | int got_plus = strchr(optarg, '+') != NULL; |
347 | if (ssl_version < 1 || ssl_version > 3) | 347 | |
348 | usage4 (_("Invalid option - Valid values for SSL Version are 1 (TLSv1), 2 (SSLv2) or 3 (SSLv3)")); | 348 | if (!strncmp (optarg, "1.2", 3)) |
349 | ssl_version = got_plus ? MP_TLSv1_2_OR_NEWER : MP_TLSv1_2; | ||
350 | else if (!strncmp (optarg, "1.1", 3)) | ||
351 | ssl_version = got_plus ? MP_TLSv1_1_OR_NEWER : MP_TLSv1_1; | ||
352 | else if (optarg[0] == '1') | ||
353 | ssl_version = got_plus ? MP_TLSv1_OR_NEWER : MP_TLSv1; | ||
354 | else if (optarg[0] == '3') | ||
355 | ssl_version = got_plus ? MP_SSLv3_OR_NEWER : MP_SSLv3; | ||
356 | else if (optarg[0] == '2') | ||
357 | ssl_version = got_plus ? MP_SSLv2_OR_NEWER : MP_SSLv2; | ||
358 | else | ||
359 | usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)")); | ||
349 | } | 360 | } |
350 | if (specify_port == FALSE) | 361 | if (specify_port == FALSE) |
351 | server_port = HTTPS_PORT; | 362 | server_port = HTTPS_PORT; |
@@ -869,17 +880,42 @@ check_http (void) | |||
869 | double elapsed_time_transfer = 0.0; | 880 | double elapsed_time_transfer = 0.0; |
870 | int page_len = 0; | 881 | int page_len = 0; |
871 | int result = STATE_OK; | 882 | int result = STATE_OK; |
883 | char *force_host_header = NULL; | ||
872 | 884 | ||
873 | /* try to connect to the host at the given port number */ | 885 | /* try to connect to the host at the given port number */ |
874 | gettimeofday (&tv_temp, NULL); | 886 | gettimeofday (&tv_temp, NULL); |
875 | if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) | 887 | if (my_tcp_connect (server_address, server_port, &sd) != STATE_OK) |
876 | die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); | 888 | die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n")); |
877 | microsec_connect = deltime (tv_temp); | 889 | microsec_connect = deltime (tv_temp); |
890 | |||
891 | /* if we are called with the -I option, the -j method is CONNECT and */ | ||
892 | /* we received -S for SSL, then we tunnel the request through a proxy*/ | ||
893 | /* @20100414, public[at]frank4dd.com, http://www.frank4dd.com/howto */ | ||
894 | |||
895 | if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0 | ||
896 | && host_name != NULL && use_ssl == TRUE) { | ||
897 | |||
898 | if (verbose) printf ("Entering CONNECT tunnel mode with proxy %s:%d to dst %s:%d\n", server_address, server_port, host_name, HTTPS_PORT); | ||
899 | asprintf (&buf, "%s %s:%d HTTP/1.1\r\n%s\r\n", http_method, host_name, HTTPS_PORT, user_agent); | ||
900 | asprintf (&buf, "%sProxy-Connection: keep-alive\r\n", buf); | ||
901 | asprintf (&buf, "%sHost: %s\r\n", buf, host_name); | ||
902 | /* we finished our request, send empty line with CRLF */ | ||
903 | asprintf (&buf, "%s%s", buf, CRLF); | ||
904 | if (verbose) printf ("%s\n", buf); | ||
905 | send(sd, buf, strlen (buf), 0); | ||
906 | buf[0]='\0'; | ||
907 | |||
908 | if (verbose) printf ("Receive response from proxy\n"); | ||
909 | read (sd, buffer, MAX_INPUT_BUFFER-1); | ||
910 | if (verbose) printf ("%s", buffer); | ||
911 | /* Here we should check if we got HTTP/1.1 200 Connection established */ | ||
912 | } | ||
878 | #ifdef HAVE_SSL | 913 | #ifdef HAVE_SSL |
879 | elapsed_time_connect = (double)microsec_connect / 1.0e6; | 914 | elapsed_time_connect = (double)microsec_connect / 1.0e6; |
880 | if (use_ssl == TRUE) { | 915 | if (use_ssl == TRUE) { |
881 | gettimeofday (&tv_temp, NULL); | 916 | gettimeofday (&tv_temp, NULL); |
882 | result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey); | 917 | result = np_net_ssl_init_with_hostname_version_and_cert(sd, (use_sni ? host_name : NULL), ssl_version, client_cert, client_privkey); |
918 | if (verbose) printf ("SSL initialized\n"); | ||
883 | if (result != STATE_OK) | 919 | if (result != STATE_OK) |
884 | die (STATE_CRITICAL, NULL); | 920 | die (STATE_CRITICAL, NULL); |
885 | microsec_ssl = deltime (tv_temp); | 921 | microsec_ssl = deltime (tv_temp); |
@@ -893,29 +929,51 @@ check_http (void) | |||
893 | } | 929 | } |
894 | #endif /* HAVE_SSL */ | 930 | #endif /* HAVE_SSL */ |
895 | 931 | ||
896 | xasprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent); | 932 | if ( server_address != NULL && strcmp(http_method, "CONNECT") == 0 |
933 | && host_name != NULL && use_ssl == TRUE) | ||
934 | asprintf (&buf, "%s %s %s\r\n%s\r\n", "GET", server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent); | ||
935 | else | ||
936 | asprintf (&buf, "%s %s %s\r\n%s\r\n", http_method, server_url, host_name ? "HTTP/1.1" : "HTTP/1.0", user_agent); | ||
897 | 937 | ||
898 | /* tell HTTP/1.1 servers not to keep the connection alive */ | 938 | /* tell HTTP/1.1 servers not to keep the connection alive */ |
899 | xasprintf (&buf, "%sConnection: close\r\n", buf); | 939 | xasprintf (&buf, "%sConnection: close\r\n", buf); |
900 | 940 | ||
941 | /* check if Host header is explicitly set in options */ | ||
942 | if (http_opt_headers_count) { | ||
943 | for (i = 0; i < http_opt_headers_count ; i++) { | ||
944 | if (strncmp(http_opt_headers[i], "Host:", 5) == 0) { | ||
945 | force_host_header = http_opt_headers[i]; | ||
946 | } | ||
947 | } | ||
948 | } | ||
949 | |||
901 | /* optionally send the host header info */ | 950 | /* optionally send the host header info */ |
902 | if (host_name) { | 951 | if (host_name) { |
903 | /* | 952 | if (force_host_header) { |
904 | * Specify the port only if we're using a non-default port (see RFC 2616, | 953 | xasprintf (&buf, "%s%s\r\n", buf, force_host_header); |
905 | * 14.23). Some server applications/configurations cause trouble if the | 954 | } |
906 | * (default) port is explicitly specified in the "Host:" header line. | 955 | else { |
907 | */ | 956 | /* |
908 | if ((use_ssl == FALSE && server_port == HTTP_PORT) || | 957 | * Specify the port only if we're using a non-default port (see RFC 2616, |
909 | (use_ssl == TRUE && server_port == HTTPS_PORT)) | 958 | * 14.23). Some server applications/configurations cause trouble if the |
910 | xasprintf (&buf, "%sHost: %s\r\n", buf, host_name); | 959 | * (default) port is explicitly specified in the "Host:" header line. |
911 | else | 960 | */ |
912 | xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port); | 961 | if ((use_ssl == FALSE && server_port == HTTP_PORT) || |
962 | (use_ssl == TRUE && server_port == HTTPS_PORT) || | ||
963 | (server_address != NULL && strcmp(http_method, "CONNECT") == 0 | ||
964 | && host_name != NULL && use_ssl == TRUE)) | ||
965 | xasprintf (&buf, "%sHost: %s\r\n", buf, host_name); | ||
966 | else | ||
967 | xasprintf (&buf, "%sHost: %s:%d\r\n", buf, host_name, server_port); | ||
968 | } | ||
913 | } | 969 | } |
914 | 970 | ||
915 | /* optionally send any other header tag */ | 971 | /* optionally send any other header tag */ |
916 | if (http_opt_headers_count) { | 972 | if (http_opt_headers_count) { |
917 | for (i = 0; i < http_opt_headers_count ; i++) { | 973 | for (i = 0; i < http_opt_headers_count ; i++) { |
918 | xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]); | 974 | if (force_host_header != http_opt_headers[i]) { |
975 | xasprintf (&buf, "%s%s\r\n", buf, http_opt_headers[i]); | ||
976 | } | ||
919 | } | 977 | } |
920 | /* This cannot be free'd here because a redirection will then try to access this and segfault */ | 978 | /* This cannot be free'd here because a redirection will then try to access this and segfault */ |
921 | /* Covered in a testcase in tests/check_http.t */ | 979 | /* Covered in a testcase in tests/check_http.t */ |
@@ -1467,9 +1525,10 @@ print_help (void) | |||
1467 | printf (UT_IPv46); | 1525 | printf (UT_IPv46); |
1468 | 1526 | ||
1469 | #ifdef HAVE_SSL | 1527 | #ifdef HAVE_SSL |
1470 | printf (" %s\n", "-S, --ssl=VERSION"); | 1528 | printf (" %s\n", "-S, --ssl=VERSION[+]"); |
1471 | printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); | 1529 | printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); |
1472 | printf (" %s\n", _("auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).")); | 1530 | printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,")); |
1531 | printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.")); | ||
1473 | printf (" %s\n", "--sni"); | 1532 | printf (" %s\n", "--sni"); |
1474 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); | 1533 | printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); |
1475 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); | 1534 | printf (" %s\n", "-C, --certificate=INTEGER[,INTEGER]"); |
@@ -1496,7 +1555,7 @@ print_help (void) | |||
1496 | printf (" %s\n", _("URL to GET or POST (default: /)")); | 1555 | printf (" %s\n", _("URL to GET or POST (default: /)")); |
1497 | printf (" %s\n", "-P, --post=STRING"); | 1556 | printf (" %s\n", "-P, --post=STRING"); |
1498 | printf (" %s\n", _("URL encoded http POST data")); | 1557 | printf (" %s\n", _("URL encoded http POST data")); |
1499 | printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE)"); | 1558 | printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)"); |
1500 | printf (" %s\n", _("Set HTTP method.")); | 1559 | printf (" %s\n", _("Set HTTP method.")); |
1501 | printf (" %s\n", "-N, --no-body"); | 1560 | printf (" %s\n", "-N, --no-body"); |
1502 | printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); | 1561 | printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); |
@@ -1570,7 +1629,7 @@ print_help (void) | |||
1570 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); | 1629 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); |
1571 | printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); | 1630 | printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); |
1572 | printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); | 1631 | printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); |
1573 | printf (" %s\n", _("the certificate is expired.")); | 1632 | printf (" %s\n\n", _("the certificate is expired.")); |
1574 | printf ("\n"); | 1633 | printf ("\n"); |
1575 | printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14"); | 1634 | printf (" %s\n\n", "CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14"); |
1576 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); | 1635 | printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); |
@@ -1578,6 +1637,13 @@ print_help (void) | |||
1578 | printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); | 1637 | printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); |
1579 | printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); | 1638 | printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); |
1580 | 1639 | ||
1640 | printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: "); | ||
1641 | printf (" %s\n", _("check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com ")); | ||
1642 | printf (" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>")); | ||
1643 | printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds")); | ||
1644 | printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); | ||
1645 | printf (" %s\n", _("a STATE_CRITICAL will be returned.")); | ||
1646 | |||
1581 | #endif | 1647 | #endif |
1582 | 1648 | ||
1583 | printf (UT_SUPPORT); | 1649 | printf (UT_SUPPORT); |