check_http fails to present proxy credentials


Postby agentdavidson » Mon Mar 13, 2017 10:10 pm

Hello -

I'm having an issue getting check_http to work via an authenticated proxy when using the -S -j CONNECT flags.

Does anyone know if this is a supported configuration?

Appended is (anonymised) output showing success when using proxy + authentication + http url but failure when using proxy + authentication + https url

SUCCESS...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -u http://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
GET http://www.google.co.nz/ HTTP/1.0
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Connection: close
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=

http://myproxy.mydomain.com:8080http:// ... gle.co.nz/ is 11412 characters
STATUS: HTTP/1.1 200 OK
[Head and Content follow but removed from this post]
HTTP OK: HTTP/1.1 200 OK - 11412 bytes in 0.245 second response time |time=0.245205s;1.000000;5.000000;0.000000;10.000000 size=11412B;;;0

FAILURE...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u / -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz

Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized

It would seem that check_http fails to present proxy credentials when using the -S -j CONNECT flags

If I disable authentication on the proxy the -S -j CONNECT scenario works.
agentdavidson
 
Posts: 5
Joined: Mon Mar 13, 2017 9:50 pm


Postby mcapra » Tue Mar 14, 2017 11:38 am

Does using curl with and without --proxy-ntlm produce similar results? I ask because this line in the header may be relevant:

Proxy-Authenticate: NTLM


I don't think check_http supports NTLM based proxy authentication at the moment. I'd have to verify that though because I might be wrong.
Former Nagios employee - https://github.com/mcapra/
mcapra
 
Posts: 2561
Joined: Thu May 05, 2016 3:54 pm


Postby agentdavidson » Mon Mar 20, 2017 10:28 pm

curl with and without --proxy-ntlm returns content.

Here is (anonymised) output without --proxy-ntlm, but I do need to --insecure the curl to get around CA chain check.

[root@myserver:~] curl -v --insecure --proxy http://myproxy.mydomain.com:8080 --proxy-user myusername:mypassword https://www.google.co.nz/
* About to connect() to proxy myproxy.mydomain.com port 8080 (#0)
* Trying 172.30.0.217...
* Connected to myproxy.mydomain.com (172.30.0.217) port 8080 (#0)
* Establish HTTP proxy tunnel to www.google.co.nz:443
* Proxy auth using Basic with user 'myusername'
> CONNECT www.google.co.nz:443 HTTP/1.1
> Host: www.google.co.nz:443
> Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
[snip]

So our proxy seems to be ok with Basic auth.
agentdavidson
 
Posts: 5
Joined: Mon Mar 13, 2017 9:50 pm


Postby avandemore » Tue Mar 21, 2017 1:06 pm

Does the check work without -S?
Previous Nagios employee
avandemore
 
Posts: 1597
Joined: Tue Sep 27, 2016 4:57 pm


Postby agentdavidson » Sun Mar 26, 2017 8:29 pm

Yes it works without -S if I'm requesting http://www.google.co.nz/ and providing proxy creds. This output is included in my original post.

However I'm specifically trying to craft a check of an HTTPS site via our authenticated proxy.

I'm using https://www.google.co.nz/ as an example.
agentdavidson
 
Posts: 5
Joined: Mon Mar 13, 2017 9:50 pm


Postby scottwilkerson » Mon Mar 27, 2017 11:44 am

Shouldn't your -H be just http://www.google.co.nz?
./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
scottwilkerson
CTO
 
Posts: 6999
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises


Postby agentdavidson » Wed Mar 29, 2017 10:25 pm

Hi -

Thanks for the responses/suggestions. Results with -H http://www.google.co.nz and -u https://www.google.co.nz are the same. Proxy says 407.

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz


Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Enterprise Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

<HTML>
[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized


I can work around the issue by disabling authentication for our Nagios server but ideally the authentication is checking the full proxy stack.

I guess if anyone else in the community has check_http working with this scenario then I'll just accept there is something specific to our environment which is the trouble and implement a workaround.

Matt
agentdavidson
 
Posts: 5
Joined: Mon Mar 13, 2017 9:50 pm


Postby cdienger » Thu Mar 30, 2017 9:59 am

Hey Matt,

I've had success with the following format:

./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v

Noticed I removed -s and removed the protocol from -H and -u options.

That said, it looks like you may be testing two different plugins here; nagios-plugins 2.2.0, and monitoring-plugins 2.2. We can't support the plugins from https://www.monitoring-plugins.org/, but I've had success with our Nagios 2.2.0 plugin with the above command. Hope this helps.
cdienger
 
Posts: 491
Joined: Tue Feb 07, 2017 11:26 am


Postby agentdavidson » Sun Apr 02, 2017 9:06 pm

Hi -

I tried dropping the -S (output appended) but that seems to completely mangle the request and the proxy just balks with 400 Bad Request. I think at this point I'll concede defeat and disable the authentication on the proxy for these problematic HTTPS checks. Thanks for the responses and suggestions.

Matt

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v
CONNECT www.google.co.nz HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Connection: close
Host: www.google.co.nz:8080
Accept: */*
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=


http://myproxy.mydomain.com:8080www.google.co.nz is 1260 characters
STATUS: HTTP/1.1 400 Bad Request
**** HEADER ****
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1083
**** CONTENT ****
agentdavidson
 
Posts: 5
Joined: Mon Mar 13, 2017 9:50 pm


Postby cdienger » Mon Apr 03, 2017 9:21 am

Fair enough. I did file a couple bugs related to http_check that I came across while looking into this; https://github.com/nagios-plugins/nagio ... issues/262 and https://github.com/nagios-plugins/nagio ... issues/263 so I'm hopeful that we'll be able to resolve the problem you're facing. I'll close this thread for now and PM you when a new version of check_http is available.
cdienger
 
Posts: 491
Joined: Tue Feb 07, 2017 11:26 am
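
The CONNECT exchanges posted in this thread differ in two checkable ways: whether the request carries a Proxy-Authorization header, and whether the request target is in host:port form. The following is an added example, not code from the thread or from check_http, that parses one verbose request/response transcript and reports both, plus the schemes a 407 offers. The transcripts, host names, the `PLACEHOLDER` credential and the finding names are constructed for illustration.

```python
import re

# Constructed transcripts modelled on the -v output in this thread (placeholder hosts/credentials).
MISSING_AUTH = """\
CONNECT www.example.org:443 HTTP/1.1
Host: www.example.org

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="proxy"
"""
NO_PORT = """\
CONNECT www.example.org HTTP/1.1
Host: www.example.org:8080
Proxy-Authorization: Basic PLACEHOLDER

HTTP/1.1 400 Bad Request
"""
GOOD = """\
CONNECT www.example.org:443 HTTP/1.1
Proxy-Authorization: Basic PLACEHOLDER

HTTP/1.1 200 Connection established
"""

# CONNECT takes an authority-form target (RFC 7231 section 4.3.6): host:port, no scheme or path.
AUTHORITY = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$")

def diagnose(transcript):
    """Return a list of findings for one CONNECT request/response transcript."""
    request, _, response = transcript.partition("\n\n")
    req_lines = request.strip().splitlines()
    method, target, _version = req_lines[0].split()
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    req_headers = {l.split(":", 1)[0].strip().lower() for l in req_lines[1:] if ":" in l}
    findings = []
    if not AUTHORITY.match(target):
        findings.append("target-not-host-port")
    if "proxy-authorization" not in req_headers:
        findings.append("no-proxy-authorization")
    resp_lines = response.strip().splitlines()
    status = int(resp_lines[0].split()[1]) if resp_lines else None
    if status == 407:
        # Collect the auth schemes the proxy advertises, lower-cased for comparison.
        schemes = sorted({l.split(":", 1)[1].split()[0].lower()
                          for l in resp_lines[1:] if l.lower().startswith("proxy-authenticate:")})
        findings.append("407-offers:" + ",".join(schemes))
    elif status is not None and status // 100 != 2:
        findings.append(f"proxy-status-{status}")
    return findings
```
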

