/***************************************************************************** * * Monitoring check_curl plugin * * License: GPL * Copyright (c) 1999-2017 Monitoring Plugins Development Team * * Description: * * This file contains the check_curl plugin * * This plugin tests the HTTP service on the specified host. It can test * normal (http) and secure (https) servers, follow redirects, search for * strings and regular expressions, check connection times, and report on * certificate expiration times. * * This plugin uses functions from the curl library, see * http://curl.haxx.se * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * *****************************************************************************/ const char *progname = "check_curl"; const char *copyright = "2006-2017"; const char *email = "devel@monitoring-plugins.org"; #include "common.h" #include "utils.h" #ifndef LIBCURL_PROTOCOL_HTTP #error libcurl compiled without HTTP support, compiling check_curl plugin makes not much sense #endif #include "curl/curl.h" #include "curl/easy.h" #define DEFAULT_BUFFER_SIZE 2048 #define DEFAULT_SERVER_URL "/" #define HTTP_EXPECT "HTTP/1." enum { HTTP_PORT = 80, HTTPS_PORT = 443, MAX_PORT = 65535 }; /* for buffers for header and body */ typedef struct { char *buf; size_t buflen; size_t bufsize; } curlhelp_curlbuf; /* for parsing the HTTP status line */ typedef struct { int http_major; /* major version of the protocol, always 1 (HTTP/0.9 * never reached the big internet most likely) */ int http_minor; /* minor version of the protocol, usually 0 or 1 */ int http_code; /* HTTP return code as in RFC 2145 */ int http_subcode; /* Microsoft IIS extension, HTTP subcodes, see * http://support.microsoft.com/kb/318380/en-us */ char *msg; /* the human readable message */ char *first_line; /* a copy of the first line */ } curlhelp_statusline; enum { REGS = 2, MAX_RE_SIZE = 256 }; #include "regex.h" regex_t preg; regmatch_t pmatch[REGS]; char regexp[MAX_RE_SIZE]; int cflags = REG_NOSUB | REG_EXTENDED | REG_NEWLINE; int errcode; int invert_regex = 0; char *server_address; char *host_name; char *server_url = DEFAULT_SERVER_URL; unsigned short server_port = HTTP_PORT; int virtual_port = 0; int host_name_length; char output_string_search[30] = ""; char *warning_thresholds = NULL; char *critical_thresholds = NULL; int days_till_exp_warn, days_till_exp_crit; thresholds *thlds; char user_agent[DEFAULT_BUFFER_SIZE]; int verbose = 0; int show_extended_perfdata = FALSE; int min_page_len = 0; int max_page_len = 0; char *http_method = NULL; CURL *curl; struct curl_slist *header_list = NULL; curlhelp_curlbuf body_buf; curlhelp_curlbuf header_buf; curlhelp_statusline status_line; char http_header[DEFAULT_BUFFER_SIZE]; long code; long socket_timeout = DEFAULT_SOCKET_TIMEOUT; double total_time; double time_connect; double time_appconnect; double time_headers; double time_firstbyte; char errbuf[CURL_ERROR_SIZE+1]; CURLcode res; char url[DEFAULT_BUFFER_SIZE]; char msg[DEFAULT_BUFFER_SIZE]; char perfstring[DEFAULT_BUFFER_SIZE]; char string_expect[MAX_INPUT_BUFFER] = ""; char server_expect[MAX_INPUT_BUFFER] = HTTP_EXPECT; int server_expect_yn = 0; char user_auth[MAX_INPUT_BUFFER] = ""; int onredirect = STATE_OK; int use_ssl = FALSE; int use_sni = TRUE; int check_cert = FALSE; int ssl_version = CURL_SSLVERSION_DEFAULT; char *client_cert = NULL; char *client_privkey = NULL; char *ca_cert = NULL; X509 *cert = NULL; int no_body = FALSE; int address_family = AF_UNSPEC; int process_arguments (int, char**); int check_http (void); void print_help (void); void print_usage (void); void print_curl_version (void); int curlhelp_initbuffer (curlhelp_curlbuf*); int curlhelp_buffer_callback (void*, size_t , size_t , void*); void curlhelp_freebuffer (curlhelp_curlbuf*); int curlhelp_parse_statusline (const char*, curlhelp_statusline *); void curlhelp_free_statusline (curlhelp_statusline *); char *perfd_time_ssl (double microsec); void remove_newlines (char *); void test_file (char *); int main (int argc, char **argv) { int result = STATE_UNKNOWN; setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); /* Parse extra opts if any */ argv = np_extra_opts (&argc, argv, progname); /* set defaults */ snprintf( user_agent, DEFAULT_BUFFER_SIZE, "%s/v%s (monitoring-plugins %s)", progname, NP_VERSION, VERSION); /* parse arguments */ if (process_arguments (argc, argv) == ERROR) usage4 (_("Could not parse arguments")); result = check_http (); return result; } int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) { cert = X509_STORE_CTX_get_current_cert(x509_ctx); return 1; } CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) { SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, verify_callback); return CURLE_OK; } /* Checks if the server 'reply' is one of the expected 'statuscodes' */ static int expected_statuscode (const char *reply, const char *statuscodes) { char *expected, *code; int result = 0; if ((expected = strdup (statuscodes)) == NULL) die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n")); for (code = strtok (expected, ","); code != NULL; code = strtok (NULL, ",")) if (strstr (reply, code) != NULL) { result = 1; break; } free (expected); return result; } int check_http (void) { int result = STATE_OK; int page_len = 0; /* initialize curl */ if (curl_global_init (CURL_GLOBAL_DEFAULT) != CURLE_OK) die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_global_init failed\n"); if ((curl = curl_easy_init()) == NULL) die (STATE_UNKNOWN, "HTTP UNKNOWN - curl_easy_init failed\n"); if (verbose >= 1) curl_easy_setopt (curl, CURLOPT_VERBOSE, TRUE); /* print everything on stdout like check_http would do */ curl_easy_setopt(curl, CURLOPT_STDERR, stdout); /* initialize buffer for body of the answer */ if (curlhelp_initbuffer(&body_buf) < 0) die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for body\n"); curl_easy_setopt (curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)curlhelp_buffer_callback); curl_easy_setopt (curl, CURLOPT_WRITEDATA, (void *)&body_buf); /* initialize buffer for header of the answer */ if (curlhelp_initbuffer( &header_buf ) < 0) die (STATE_UNKNOWN, "HTTP CRITICAL - out of memory allocating buffer for header\n" ); curl_easy_setopt (curl, CURLOPT_HEADERFUNCTION, (curl_write_callback)curlhelp_buffer_callback); curl_easy_setopt (curl, CURLOPT_WRITEHEADER, (void *)&header_buf); /* set the error buffer */ curl_easy_setopt (curl, CURLOPT_ERRORBUFFER, errbuf); /* set timeouts */ curl_easy_setopt (curl, CURLOPT_CONNECTTIMEOUT, socket_timeout); curl_easy_setopt (curl, CURLOPT_TIMEOUT, socket_timeout); /* compose URL */ snprintf (url, DEFAULT_BUFFER_SIZE, "%s://%s%s", use_ssl ? "https" : "http", server_address, server_url); curl_easy_setopt (curl, CURLOPT_URL, url); /* set port */ curl_easy_setopt (curl, CURLOPT_PORT, server_port); /* set HTTP method */ if (http_method) { if (!strcmp(http_method, "POST")) curl_easy_setopt (curl, CURLOPT_POST, 1); else if (!strcmp(http_method, "PUT")) curl_easy_setopt (curl, CURLOPT_PUT, 1); else curl_easy_setopt (curl, CURLOPT_CUSTOMREQUEST, http_method); } /* set hostname (virtual hosts) */ if(host_name != NULL) { if((virtual_port != HTTP_PORT && !use_ssl) || (virtual_port != HTTPS_PORT && use_ssl)) { snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s:%d", host_name, virtual_port); } else { snprintf(http_header, DEFAULT_BUFFER_SIZE, "Host: %s", host_name); } header_list = curl_slist_append (header_list, http_header); } /* always close connection, be nice to servers */ snprintf (http_header, DEFAULT_BUFFER_SIZE, "Connection: close"); header_list = curl_slist_append (header_list, http_header); /* set HTTP headers */ curl_easy_setopt( curl, CURLOPT_HTTPHEADER, header_list ); /* set SSL version, warn about unsecure or unsupported versions */ if (use_ssl) { curl_easy_setopt (curl, CURLOPT_SSLVERSION, ssl_version); } /* client certificate and key to present to server (SSL) */ if (client_cert) curl_easy_setopt (curl, CURLOPT_SSLCERT, client_cert); if (client_privkey) curl_easy_setopt (curl, CURLOPT_SSLKEY, client_privkey); if (ca_cert) curl_easy_setopt (curl, CURLOPT_CAINFO, ca_cert); /* per default if we have a CA verify both the peer and the * hostname in the certificate, can be switched off later */ curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 2); curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 2); /* backward-compatible behaviour, be tolerant in checks * TODO: depending on more options have aspects we want * to be less tolerant about ssl verfications */ curl_easy_setopt (curl, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt (curl, CURLOPT_SSL_VERIFYHOST, 0); /* set callback to extract certificate */ if(check_cert) { curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctxfun); } /* set default or user-given user agent identification */ curl_easy_setopt (curl, CURLOPT_USERAGENT, user_agent); /* authentication */ if (strcmp(user_auth, "")) curl_easy_setopt (curl, CURLOPT_USERPWD, user_auth); /* TODO: parameter auth method, bitfield of following methods: * CURLAUTH_BASIC (default) * CURLAUTH_DIGEST * CURLAUTH_DIGEST_IE * CURLAUTH_NEGOTIATE * CURLAUTH_NTLM * CURLAUTH_NTLM_WB * * convenience tokens for typical sets of methods: * CURLAUTH_ANYSAFE: most secure, without BASIC * or CURLAUTH_ANY: most secure, even BASIC if necessary * * curl_easy_setopt( curl, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST ); */ /* TODO: --cacert: CA certificate file to verify SSL connection against (SSL) */ /* if( args_info.cacert_given ) { curl_easy_setopt( curl, CURLOPT_CAINFO, args_info.cacert_arg ); } */ /* handle redirections */ if (onredirect == STATE_DEPENDENT) { curl_easy_setopt (curl, CURLOPT_FOLLOWLOCATION, 1); /* TODO: handle the following aspects of redirection CURLOPT_POSTREDIR: method switch CURLINFO_REDIRECT_URL: custom redirect option CURLOPT_REDIRECT_PROTOCOLS CURLINFO_REDIRECT_COUNT */ } /* no-body */ if (no_body) curl_easy_setopt (curl, CURLOPT_NOBODY, 1); /* IPv4 or IPv6 forced DNS resolution */ if (address_family == AF_UNSPEC) curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_WHATEVER); else if (address_family == AF_INET) curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); else if (address_family == AF_INET6) curl_easy_setopt (curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6); /* do the request */ res = curl_easy_perform(curl); /* free header list, we don't need it anymore */ curl_slist_free_all(header_list); /* Curl errors, result in critical Nagios state */ if (res != CURLE_OK) { remove_newlines (errbuf); snprintf (msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: cURL returned %d - %s\n"), server_port, res, curl_easy_strerror(res)); die (STATE_CRITICAL, "HTTP CRITICAL - %s\n", msg); } /* certificate checks */ #ifdef HAVE_SSL if (use_ssl == TRUE) { if (check_cert == TRUE) { result = np_net_ssl_check_certificate(cert, days_till_exp_warn, days_till_exp_crit); return(result); } } #endif /* HAVE_SSL */ /* we got the data and we executed the request in a given time, so we can append * performance data to the answer always */ curl_easy_getinfo (curl, CURLINFO_TOTAL_TIME, &total_time); if(show_extended_perfdata) { curl_easy_getinfo(curl, CURLINFO_CONNECT_TIME, &time_connect); curl_easy_getinfo(curl, CURLINFO_APPCONNECT_TIME, &time_appconnect); curl_easy_getinfo(curl, CURLINFO_PRETRANSFER_TIME, &time_headers); curl_easy_getinfo(curl, CURLINFO_STARTTRANSFER_TIME, &time_firstbyte); snprintf(perfstring, DEFAULT_BUFFER_SIZE, "time=%.6gs;%.6g;%.6g;; size=%dB;;; time_connect=%.6gs;;;; %s time_headers=%.6gs;;;; time_firstbyte=%.6gs;;;; time_transfer=%.6gs;;;;", total_time, warning_thresholds != NULL ? (double)thlds->warning->end : 0.0, critical_thresholds != NULL ? (double)thlds->critical->end : 0.0, (int)body_buf.buflen, time_connect, use_ssl == TRUE ? perfd_time_ssl(time_appconnect-time_connect) : "", (time_headers - time_appconnect), (time_firstbyte - time_headers), (total_time-time_firstbyte) ); } else { snprintf(perfstring, DEFAULT_BUFFER_SIZE, "time=%.6gs;%.6g;%.6g;; size=%dB;;;", total_time, warning_thresholds != NULL ? (double)thlds->warning->end : 0.0, critical_thresholds != NULL ? (double)thlds->critical->end : 0.0, (int)body_buf.buflen); } /* return a CRITICAL status if we couldn't read any data */ if (strlen(header_buf.buf) == 0 && strlen(body_buf.buf) == 0) die (STATE_CRITICAL, _("HTTP CRITICAL - No header received from host\n")); /* get status line of answer, check sanity of HTTP code */ if (curlhelp_parse_statusline (header_buf.buf, &status_line) < 0) { snprintf (msg, DEFAULT_BUFFER_SIZE, "Unparseable status line in %.3g seconds response time|%s\n", code, total_time, perfstring); die (STATE_CRITICAL, "HTTP CRITICAL HTTP/1.x %d unknown - %s", code, msg); } /* get result code from cURL */ curl_easy_getinfo (curl, CURLINFO_RESPONSE_CODE, &code); if (verbose>=2) printf ("* curl CURLINFO_RESPONSE_CODE is %d\n", code); /* print status line, header, body if verbose */ if (verbose >= 2) { printf ("**** HEADER ****\n%s\n**** CONTENT ****\n%s\n", header_buf.buf, (no_body ? " [[ skipped ]]" : body_buf.buf)); } /* make sure the status line matches the response we are looking for */ if (!expected_statuscode(header_buf.buf, server_expect)) { /* TODO: fix first_line being cut off */ if (server_port == HTTP_PORT) snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host: %s\n"), status_line.first_line); else snprintf(msg, DEFAULT_BUFFER_SIZE, _("Invalid HTTP response received from host on port %d: %s\n"), server_port, status_line.first_line); die (STATE_CRITICAL, "HTTP CRITICAL - %s", msg); } /* TODO: implement -d header tests */ if( server_expect_yn ) { snprintf(msg, DEFAULT_BUFFER_SIZE, _("Status line output matched \"%s\" - "), server_expect); if (verbose) printf ("%s\n",msg); result = STATE_OK; } else { /* illegal return codes result in a critical state */ if (code >= 600 || code < 100) { die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid Status (%d, %.40s)\n"), status_line.http_code, status_line.msg); /* server errors result in a critical state */ } else if (code >= 500) { result = STATE_CRITICAL; /* client errors result in a warning state */ } else if (code >= 400) { result = STATE_WARNING; /* check redirected page if specified */ } else if (code >= 300) { if (onredirect == STATE_DEPENDENT) { code = status_line.http_code; } result = max_state_alt (onredirect, result); /* TODO: make sure the last status line has been parsed into the status_line structure */ /* all other codes are considered ok */ } else { result = STATE_OK; } } /* check status codes, set exit status accordingly */ if( status_line.http_code != code ) { die (STATE_CRITICAL, _("HTTP CRITICAL HTTP/%d.%d %d %s - different HTTP codes (cUrl has %ld)\n"), status_line.http_major, status_line.http_minor, status_line.http_code, status_line.msg, code); } /* Page and Header content checks go here */ if (strlen (string_expect)) { if (!strstr (body_buf.buf, string_expect)) { strncpy(&output_string_search[0],string_expect,sizeof(output_string_search)); if(output_string_search[sizeof(output_string_search)-1]!='\0') { bcopy("...",&output_string_search[sizeof(output_string_search)-4],4); } snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sstring '%s' not found on '%s://%s:%d%s', "), msg, output_string_search, use_ssl ? "https" : "http", host_name ? host_name : server_address, server_port, server_url); result = STATE_CRITICAL; } } if (strlen (regexp)) { errcode = regexec (&preg, body_buf.buf, REGS, pmatch, 0); if ((errcode == 0 && invert_regex == 0) || (errcode == REG_NOMATCH && invert_regex == 1)) { /* OK - No-op to avoid changing the logic around it */ result = max_state_alt(STATE_OK, result); } else if ((errcode == REG_NOMATCH && invert_regex == 0) || (errcode == 0 && invert_regex == 1)) { if (invert_regex == 0) snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern not found, "), msg); else snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spattern found, "), msg); result = STATE_CRITICAL; } else { /* FIXME: Shouldn't that be UNKNOWN? */ regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); snprintf (msg, DEFAULT_BUFFER_SIZE, _("%sExecute Error: %s, "), msg, errbuf); result = STATE_CRITICAL; } } /* make sure the page is of an appropriate size * TODO: as far I can tell check_http gets the full size of header and * if -N is not given header+body. Does this make sense? */ page_len = header_buf.buflen + body_buf.buflen; if ((max_page_len > 0) && (page_len > max_page_len)) { snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too large, "), msg, page_len); result = max_state_alt(STATE_WARNING, result); } else if ((min_page_len > 0) && (page_len < min_page_len)) { snprintf (msg, DEFAULT_BUFFER_SIZE, _("%spage size %d too small, "), msg, page_len); result = max_state_alt(STATE_WARNING, result); } /* -w, -c: check warning and critical level */ result = max_state_alt(get_status(total_time, thlds), result); /* Cut-off trailing characters */ if(msg[strlen(msg)-2] == ',') msg[strlen(msg)-2] = '\0'; else msg[strlen(msg)-3] = '\0'; /* TODO: separate _() msg and status code: die (result, "HTTP %s: %s\n", state_text(result), msg); */ die (result, "HTTP %s: HTTP/%d.%d %d %s%s%s - %d bytes in %.3f second response time |%s\n", state_text(result), status_line.http_major, status_line.http_minor, status_line.http_code, status_line.msg, strlen(msg) > 0 ? " - " : "", msg, page_len, total_time, perfstring); /* proper cleanup after die? */ curlhelp_free_statusline(&status_line); curl_easy_cleanup (curl); curl_global_cleanup (); curlhelp_freebuffer(&body_buf); curlhelp_freebuffer(&header_buf); return result; } /* check whether a file exists */ void test_file (char *path) { if (access(path, R_OK) == 0) return; usage2 (_("file does not exist or is not readable"), path); } int process_arguments (int argc, char **argv) { char *p; int c = 1; char *temp; enum { INVERT_REGEX = CHAR_MAX + 1, SNI_OPTION, CA_CERT_OPTION }; int option = 0; static struct option longopts[] = { STD_LONG_OPTS, {"ssl", optional_argument, 0, 'S'}, {"sni", no_argument, 0, SNI_OPTION}, {"method", required_argument, 0, 'j'}, {"IP-address", required_argument, 0, 'I'}, {"url", required_argument, 0, 'u'}, {"port", required_argument, 0, 'p'}, {"authorization", required_argument, 0, 'a'}, {"string", required_argument, 0, 's'}, {"expect", required_argument, 0, 'e'}, {"regex", required_argument, 0, 'r'}, {"ereg", required_argument, 0, 'r'}, {"eregi", required_argument, 0, 'R'}, {"onredirect", required_argument, 0, 'f'}, {"certificate", required_argument, 0, 'C'}, {"client-cert", required_argument, 0, 'J'}, {"private-key", required_argument, 0, 'K'}, {"ca-cert", required_argument, 0, CA_CERT_OPTION}, {"useragent", required_argument, 0, 'A'}, {"header", required_argument, 0, 'k'}, {"no-body", no_argument, 0, 'N'}, {"pagesize", required_argument, 0, 'm'}, {"invert-regex", no_argument, NULL, INVERT_REGEX}, {"use-ipv4", no_argument, 0, '4'}, {"use-ipv6", no_argument, 0, '6'}, {"extended-perfdata", no_argument, 0, 'E'}, {0, 0, 0, 0} }; if (argc < 2) return ERROR; /* support check_http compatible arguments */ for (c = 1; c < argc; c++) { if (strcmp ("-to", argv[c]) == 0) strcpy (argv[c], "-t"); if (strcmp ("-hn", argv[c]) == 0) strcpy (argv[c], "-H"); if (strcmp ("-wt", argv[c]) == 0) strcpy (argv[c], "-w"); if (strcmp ("-ct", argv[c]) == 0) strcpy (argv[c], "-c"); if (strcmp ("-nohtml", argv[c]) == 0) strcpy (argv[c], "-n"); } while (1) { c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:j:I:a:p:e:s:R:r:u:f:C:J:K:S::m:NE", longopts, &option); if (c == -1 || c == EOF || c == 1) break; switch (c) { case 'h': print_help(); exit(STATE_UNKNOWN); break; case 'V': print_revision(progname, NP_VERSION); print_curl_version(); exit(STATE_UNKNOWN); break; case 'v': verbose++; break; case 't': /* timeout period */ if (!is_intnonneg (optarg)) usage2 (_("Timeout interval must be a positive integer"), optarg); else socket_timeout = (int)strtol (optarg, NULL, 10); break; case 'c': /* critical time threshold */ critical_thresholds = optarg; break; case 'w': /* warning time threshold */ warning_thresholds = optarg; break; case 'H': /* virtual host */ host_name = strdup (optarg); if (host_name[0] == '[') { if ((p = strstr (host_name, "]:")) != NULL) { /* [IPv6]:port */ virtual_port = atoi (p + 2); /* cut off the port */ host_name_length = strlen (host_name) - strlen (p) - 1; free (host_name); host_name = strndup (optarg, host_name_length); } } else if ((p = strchr (host_name, ':')) != NULL && strchr (++p, ':') == NULL) { /* IPv4:port or host:port */ virtual_port = atoi (p); /* cut off the port */ host_name_length = strlen (host_name) - strlen (p) - 1; free (host_name); host_name = strndup (optarg, host_name_length); } break; case 'I': /* internet address */ server_address = strdup (optarg); break; case 'u': /* URL path */ server_url = strdup (optarg); break; case 'p': /* Server port */ if (!is_intnonneg (optarg)) usage2 (_("Invalid port number, expecting a non-negative number"), optarg); else { if( strtol(optarg, NULL, 10) > MAX_PORT) usage2 (_("Invalid port number, supplied port number is too big"), optarg); server_port = (unsigned short)strtol(optarg, NULL, 10); } break; case 'a': /* authorization info */ strncpy (user_auth, optarg, MAX_INPUT_BUFFER - 1); user_auth[MAX_INPUT_BUFFER - 1] = 0; break; case 'j': /* Set HTTP method */ if (http_method) free(http_method); http_method = strdup (optarg); break; case 'A': /* useragent */ snprintf (user_agent, DEFAULT_BUFFER_SIZE, optarg); break; case 'k': /* Additional headers */ header_list = curl_slist_append(header_list, optarg); break; case 'C': /* Check SSL cert validity */ #ifdef LIBCURL_FEATURE_SSL if ((temp=strchr(optarg,','))!=NULL) { *temp='\0'; if (!is_intnonneg (optarg)) usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi(optarg); *temp=','; temp++; if (!is_intnonneg (temp)) usage2 (_("Invalid certificate expiration period"), temp); days_till_exp_crit = atoi (temp); } else { days_till_exp_crit=0; if (!is_intnonneg (optarg)) usage2 (_("Invalid certificate expiration period"), optarg); days_till_exp_warn = atoi (optarg); } check_cert = TRUE; goto enable_ssl; #endif case 'J': /* use client certificate */ #ifdef LIBCURL_FEATURE_SSL test_file(optarg); client_cert = optarg; goto enable_ssl; #endif case 'K': /* use client private key */ #ifdef LIBCURL_FEATURE_SSL test_file(optarg); client_privkey = optarg; goto enable_ssl; #endif #ifdef LIBCURL_FEATURE_SSL case CA_CERT_OPTION: /* use CA chain file */ test_file(optarg); ca_cert = optarg; goto enable_ssl; #endif case 'S': /* use SSL */ #ifdef LIBCURL_FEATURE_SSL enable_ssl: use_ssl = TRUE; /* ssl_version initialized to CURL_SSLVERSION_TLSv1_0 as a default. Only set if it's non-zero. This helps when we include multiple parameters, like -S and -C combinations */ ssl_version = CURL_SSLVERSION_TLSv1_0; if (c=='S' && optarg != NULL) { int got_plus = strchr(optarg, '+') != NULL; if (!strncmp (optarg, "1.2", 3)) ssl_version = CURL_SSLVERSION_TLSv1_2; else if (!strncmp (optarg, "1.1", 3)) ssl_version = CURL_SSLVERSION_TLSv1_1; else if (optarg[0] == '1') ssl_version = CURL_SSLVERSION_TLSv1_0; else if (optarg[0] == '3') ssl_version = CURL_SSLVERSION_SSLv3; else if (optarg[0] == '2') ssl_version = CURL_SSLVERSION_SSLv2; else usage4 (_("Invalid option - Valid SSL/TLS versions: 2, 3, 1, 1.1, 1.2 (with optional '+' suffix)")); } if (server_port == HTTP_PORT) server_port = HTTPS_PORT; #else /* -C -J and -K fall through to here without SSL */ usage4 (_("Invalid option - SSL is not available")); #endif break; case SNI_OPTION: /* --sni is parsed, but ignored, the default is TRUE with libcurl */ use_sni = TRUE; break; case 'f': /* onredirect */ if (!strcmp (optarg, "ok")) onredirect = STATE_OK; else if (!strcmp (optarg, "warning")) onredirect = STATE_WARNING; else if (!strcmp (optarg, "critical")) onredirect = STATE_CRITICAL; else if (!strcmp (optarg, "unknown")) onredirect = STATE_UNKNOWN; else if (!strcmp (optarg, "follow")) onredirect = STATE_DEPENDENT; else usage2 (_("Invalid onredirect option"), optarg); if (verbose >= 2) printf(_("* Following redirects set to %s\n"), state_text(onredirect)); break; case 's': /* string or substring */ strncpy (string_expect, optarg, MAX_INPUT_BUFFER - 1); string_expect[MAX_INPUT_BUFFER - 1] = 0; break; case 'e': /* string or substring */ strncpy (server_expect, optarg, MAX_INPUT_BUFFER - 1); server_expect[MAX_INPUT_BUFFER - 1] = 0; server_expect_yn = 1; break; case 'R': /* regex */ cflags |= REG_ICASE; case 'r': /* regex */ strncpy (regexp, optarg, MAX_RE_SIZE - 1); regexp[MAX_RE_SIZE - 1] = 0; errcode = regcomp (&preg, regexp, cflags); if (errcode != 0) { (void) regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); printf (_("Could Not Compile Regular Expression: %s"), errbuf); return ERROR; } break; case INVERT_REGEX: invert_regex = 1; break; case '4': address_family = AF_INET; break; case '6': #ifdef USE_IPV6 address_family = AF_INET6; #else usage4 (_("IPv6 support not available")); #endif break; case 'm': /* min_page_length */ { char *tmp; if (strchr(optarg, ':') != (char *)NULL) { /* range, so get two values, min:max */ tmp = strtok(optarg, ":"); if (tmp == NULL) { printf("Bad format: try \"-m min:max\"\n"); exit (STATE_WARNING); } else min_page_len = atoi(tmp); tmp = strtok(NULL, ":"); if (tmp == NULL) { printf("Bad format: try \"-m min:max\"\n"); exit (STATE_WARNING); } else max_page_len = atoi(tmp); } else min_page_len = atoi (optarg); break; } case 'N': /* no-body */ no_body = TRUE; break; case 'E': /* show extended perfdata */ show_extended_perfdata = TRUE; break; case '?': /* print short usage statement if args not parsable */ usage5 (); break; } } c = optind; if (server_address == NULL && c < argc) server_address = strdup (argv[c++]); if (host_name == NULL && c < argc) host_name = strdup (argv[c++]); if (server_address == NULL) { if (host_name == NULL) usage4 (_("You must specify a server address or host name")); else server_address = strdup (host_name); } set_thresholds(&thlds, warning_thresholds, critical_thresholds); if (critical_thresholds && thlds->critical->end>(double)socket_timeout) socket_timeout = (int)thlds->critical->end + 1; if (verbose >= 2) printf ("* Socket timeout set to %d seconds\n", socket_timeout); if (http_method == NULL) http_method = strdup ("GET"); if (client_cert && !client_privkey) usage4 (_("If you use a client certificate you must also specify a private key file")); if (virtual_port == 0) virtual_port = server_port; return TRUE; } void print_help (void) { print_revision (progname, NP_VERSION); printf ("Copyright (c) 1999 Ethan Galstad \n"); printf ("Copyright (c) 2017 Andreas Baumann \n"); printf (COPYRIGHT, copyright, email); printf ("%s\n", _("This plugin tests the HTTP service on the specified host. It can test")); printf ("%s\n", _("normal (http) and secure (https) servers, follow redirects, search for")); printf ("%s\n", _("strings and regular expressions, check connection times, and report on")); printf ("%s\n", _("certificate expiration times.")); printf ("\n"); printf ("%s\n", _("It makes use of libcurl to do so. It tries to be as compatible to check_http")); printf ("%s\n", _("as possible.")); printf ("\n\n"); print_usage (); printf (_("NOTE: One or both of -H and -I must be specified")); printf ("\n"); printf (UT_HELP_VRSN); printf (UT_EXTRA_OPTS); printf (" %s\n", "-H, --hostname=ADDRESS"); printf (" %s\n", _("Host name argument for servers using host headers (virtual host)")); printf (" %s\n", _("Append a port to include it in the header (eg: example.com:5000)")); printf (" %s\n", "-I, --IP-address=ADDRESS"); printf (" %s\n", _("IP address or name (use numeric address if possible to bypass DNS lookup).")); printf (" %s\n", "-p, --port=INTEGER"); printf (" %s", _("Port number (default: ")); printf ("%d)\n", HTTP_PORT); printf (UT_IPv46); #ifdef LIBCURL_FEATURE_SSL printf (" %s\n", "-S, --ssl=VERSION[+]"); printf (" %s\n", _("Connect via SSL. Port defaults to 443. VERSION is optional, and prevents")); printf (" %s\n", _("auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,")); printf (" %s\n", _("1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.")); printf (" %s\n", _("Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl")); printf (" %s\n", "--sni"); printf (" %s\n", _("Enable SSL/TLS hostname extension support (SNI)")); #if LIBCURL_VERSION_NUM >= 0x071801 printf (" %s\n", _("Note: --sni is the default in libcurl as SSLv2 and SSLV3 are deprecated and")); printf (" %s\n", _(" SNI only really works since TLSv1.0")); #else printf (" %s\n", _("Note: SNI is not supported in libcurl before 7.18.1")); #endif printf (" %s\n", "-C, --certificate"); printf (" %s\n", _("Check validity of certificate")); printf (" %s\n", "-J, --client-cert=FILE"); printf (" %s\n", _("Name of file that contains the client certificate (PEM format)")); printf (" %s\n", _("to be used in establishing the SSL session")); printf (" %s\n", "-K, --private-key=FILE"); printf (" %s\n", _("Name of file containing the private key (PEM format)")); printf (" %s\n", _("matching the client certificate")); printf (" %s\n", "--ca-cert=FILE"); printf (" %s\n", _("CA certificate file to verify peer against")); #endif printf (" %s\n", "-e, --expect=STRING"); printf (" %s\n", _("Comma-delimited list of strings, at least one of them is expected in")); printf (" %s", _("the first (status) line of the server response (default: ")); printf ("%s)\n", HTTP_EXPECT); printf (" %s\n", _("If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)")); printf (" %s\n", "-s, --string=STRING"); printf (" %s\n", _("String to expect in the content")); printf (" %s\n", "-u, --url=PATH"); printf (" %s\n", _("URL to GET or POST (default: /)")); printf (" %s\n", "-j, --method=STRING (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)"); printf (" %s\n", _("Set HTTP method.")); printf (" %s\n", "-N, --no-body"); printf (" %s\n", _("Don't wait for document body: stop reading after headers.")); printf (" %s\n", _("(Note that this still does an HTTP GET or POST, not a HEAD.)")); printf (" %s\n", "-r, --regex, --ereg=STRING"); printf (" %s\n", _("Search page for regex STRING")); printf (" %s\n", "-R, --eregi=STRING"); printf (" %s\n", _("Search page for case-insensitive regex STRING")); printf (" %s\n", "--invert-regex"); printf (" %s\n", _("Return CRITICAL if found, OK if not\n")); printf (" %s\n", "-a, --authorization=AUTH_PAIR"); printf (" %s\n", _("Username:password on sites with basic authentication")); printf (" %s\n", "-A, --useragent=STRING"); printf (" %s\n", _("String to be sent in http header as \"User Agent\"")); printf (" %s\n", "-k, --header=STRING"); printf (" %s\n", _("Any other tags to be sent in http header. Use multiple times for additional headers")); printf (" %s\n", "-E, --extended-perfdata"); printf (" %s\n", _("Print additional performance data")); printf (" %s\n", "-f, --onredirect="); printf (" %s\n", _("How to handle redirected pages.")); printf (" %s\n", "-m, --pagesize=INTEGER<:INTEGER>"); printf (" %s\n", _("Minimum page size required (bytes) : Maximum page size required (bytes)")); printf (UT_WARN_CRIT); printf (UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); printf (UT_VERBOSE); printf ("\n"); printf ("%s\n", _("Notes:")); printf (" %s\n", _("This plugin will attempt to open an HTTP connection with the host.")); printf (" %s\n", _("Successful connects return STATE_OK, refusals and timeouts return STATE_CRITICAL")); printf (" %s\n", _("other errors return STATE_UNKNOWN. Successful connects, but incorrect response")); printf (" %s\n", _("messages from the host result in STATE_WARNING return values. If you are")); printf (" %s\n", _("checking a virtual server that uses 'host headers' you must supply the FQDN")); printf (" %s\n", _("(fully qualified domain name) as the [host_name] argument.")); #ifdef LIBCURL_FEATURE_SSL printf ("\n"); printf (" %s\n", _("This plugin can also check whether an SSL enabled web server is able to")); printf (" %s\n", _("serve content (optionally within a specified time) or whether the X509 ")); printf (" %s\n", _("certificate is still valid for the specified number of days.")); printf ("\n"); printf (" %s\n", _("Please note that this plugin does not check if the presented server")); printf (" %s\n", _("certificate matches the hostname of the server, or if the certificate")); printf (" %s\n", _("has a valid chain of trust to one of the locally installed CAs.")); printf ("\n"); printf ("%s\n", _("Examples:")); printf (" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com"); printf (" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,")); printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds")); printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); printf (" %s\n", _("a STATE_CRITICAL will be returned.")); printf ("\n"); printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14"); printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); printf (" %s\n", _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); printf (" %s\n\n", _("the certificate is expired.")); printf ("\n"); printf (" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14"); printf (" %s\n", _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); printf (" %s\n", _("a STATE_OK is returned. When the certificate is still valid, but for less than")); printf (" %s\n", _("30 days, but more than 14 days, a STATE_WARNING is returned.")); printf (" %s\n", _("A STATE_CRITICAL will be returned when certificate expires in less than 14 days")); printf (" %s\n\n", "CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT: "); printf (" %s\n", _("check_curl -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com ")); printf (" %s\n", _("all these options are needed: -I -p -u -S(sl) -j CONNECT -H ")); printf (" %s\n", _("a STATE_OK will be returned. When the server returns its content but exceeds")); printf (" %s\n", _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); printf (" %s\n", _("a STATE_CRITICAL will be returned.")); #endif printf (UT_SUPPORT); } void print_usage (void) { printf ("%s\n", _("Usage:")); printf (" %s -H | -I [-u ] [-p ]\n",progname); printf (" [-J ] [-K ] [--ca-cert ]\n"); printf (" [-w ] [-c ] [-t ] [-E] [-a auth]\n"); printf (" [-f ]\n"); printf (" [-e ] [-s string] [-r | -R ]\n"); printf (" [-m :] [-N]\n"); printf (" [-4|-6] [-N]\n"); printf (" [-A string] [-k string] [-S ] [-C]\n"); printf (" [-v verbose]\n", progname); printf ("\n"); printf ("%s\n", _("WARNING: check_curl is experimental. Please use")); printf ("%s\n\n", _("check_http if you need a stable version.")); } void print_curl_version (void) { printf( "%s\n", curl_version()); } int curlhelp_initbuffer (curlhelp_curlbuf *buf) { buf->bufsize = DEFAULT_BUFFER_SIZE; buf->buflen = 0; buf->buf = (char *)malloc ((size_t)buf->bufsize); if (buf->buf == NULL) return -1; return 0; } int curlhelp_buffer_callback (void *buffer, size_t size, size_t nmemb, void *stream) { curlhelp_curlbuf *buf = (curlhelp_curlbuf *)stream; while (buf->bufsize < buf->buflen + size * nmemb + 1) { buf->bufsize *= buf->bufsize * 2; buf->buf = (char *)realloc (buf->buf, buf->bufsize); if (buf->buf == NULL) return -1; } memcpy (buf->buf + buf->buflen, buffer, size * nmemb); buf->buflen += size * nmemb; buf->buf[buf->buflen] = '\0'; return (int)(size * nmemb); } void curlhelp_freebuffer (curlhelp_curlbuf *buf) { free (buf->buf); buf->buf = NULL; } /* TODO: should be moved into 'gl' and should be probed, glibc has * a strrstr */ const char* strrstr2(const char *haystack, const char *needle) { int counter; size_t len; const char *prev_pos; const char *pos; if (haystack == NULL || needle == NULL) return NULL; if (haystack[0] == '\0' || needle[0] == '\0') return NULL; counter = 0; prev_pos = NULL; pos = haystack; len = strlen (needle); for (;;) { pos = strstr (pos, needle); if (pos == NULL) { if (counter == 0) return NULL; else return prev_pos; } counter++; prev_pos = pos; pos += len; if (*pos == '\0') return prev_pos; } } int curlhelp_parse_statusline (const char *buf, curlhelp_statusline *status_line) { char *first_line_end; char *p; size_t first_line_len; char *pp; const char *start; /* find last start of a new header */ start = strrstr2 (buf, "\r\nHTTP"); if (start != NULL) { start += 2; buf = start; } first_line_end = strstr(buf, "\r\n"); if (first_line_end == NULL) return -1; first_line_len = (size_t)(first_line_end - buf); status_line->first_line = (char *)malloc (first_line_len + 1); if (status_line->first_line == NULL) return -1; memcpy (status_line->first_line, buf, first_line_len); status_line->first_line[first_line_len] = '\0'; /* protocol and version: "HTTP/x.x" SP */ p = strtok(status_line->first_line, "/"); if( p == NULL ) { free( status_line->first_line ); return -1; } if( strcmp( p, "HTTP" ) != 0 ) { free( status_line->first_line ); return -1; } p = strtok( NULL, "." ); if( p == NULL ) { free( status_line->first_line ); return -1; } status_line->http_major = (int)strtol( p, &pp, 10 ); if( *pp != '\0' ) { free( status_line->first_line ); return -1; } p = strtok( NULL, " " ); if( p == NULL ) { free( status_line->first_line ); return -1; } status_line->http_minor = (int)strtol( p, &pp, 10 ); if( *pp != '\0' ) { free( status_line->first_line ); return -1; } /* status code: "404" or "404.1", then SP */ p = strtok( NULL, " ." ); if( p == NULL ) { free( status_line->first_line ); return -1; } if( strchr( p, '.' ) != NULL ) { char *ppp; ppp = strtok( p, "." ); status_line->http_code = (int)strtol( ppp, &pp, 10 ); if( *pp != '\0' ) { free( status_line->first_line ); return -1; } ppp = strtok( NULL, "" ); status_line->http_subcode = (int)strtol( ppp, &pp, 10 ); if( *pp != '\0' ) { free( status_line->first_line ); return -1; } } else { status_line->http_code = (int)strtol( p, &pp, 10 ); status_line->http_subcode = -1; if( *pp != '\0' ) { free( status_line->first_line ); return -1; } } /* Human readable message: "Not Found" CRLF */ p = strtok( NULL, "" ); if( p == NULL ) { free( status_line->first_line ); return -1; } status_line->msg = p; return 0; } void curlhelp_free_statusline (curlhelp_statusline *status_line) { free (status_line->first_line); } void remove_newlines (char *s) { char *p; for (p = s; *p != '\0'; p++) if (*p == '\r' || *p == '\n') *p = ' '; } char *perfd_time_ssl (double elapsed_time_ssl) { return fperfdata ("time_ssl", elapsed_time_ssl, "s", FALSE, 0, FALSE, 0, FALSE, 0, FALSE, 0); }