
check_http fails to present proxy credentials

Posted: Mon Mar 13, 2017 10:10 pm
by agentdavidson
Hello -

I'm having an issue getting check_http to work via an authenticated proxy when using the -S -j CONNECT flags.

Does anyone know if this is a supported configuration?

Appended is (anonymised) output showing success when using proxy + authentication + http url but failure when using proxy + authentication + https url.

SUCCESS...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -u http://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
GET http://www.google.co.nz/ HTTP/1.0
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Connection: close
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=

http://myproxy.mydomain.com:8080http://www.google.co.nz/ is 11412 characters
STATUS: HTTP/1.1 200 OK
[Head and Content follow but removed from this post]
HTTP OK: HTTP/1.1 200 OK - 11412 bytes in 0.245 second response time |time=0.245205s;1.000000;5.000000;0.000000;10.000000 size=11412B;;;0

FAILURE...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u / -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz

Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized

It would seem that check_http fails to present proxy credentials when using the -S -j CONNECT flags.

If I disable authentication on the proxy the -S -j CONNECT scenario works.

Re: check_http fails to present proxy credentials

Posted: Tue Mar 14, 2017 11:38 am
by mcapra
Does using curl with and without --proxy-ntlm produce similar results? I ask because this line in the header may be relevant:

Proxy-Authenticate: NTLM

I don't think check_http supports NTLM-based proxy authentication at the moment. I'd have to verify that though because I might be wrong.

Re: check_http fails to present proxy credentials

Posted: Mon Mar 20, 2017 10:28 pm
by agentdavidson
curl with and without --proxy-ntlm returns content.

Here is (anonymised) output without --proxy-ntlm, but I do need to --insecure the curl to get around CA chain check.

[root@myserver:~] curl -v --insecure --proxy http://myproxy.mydomain.com:8080 --proxy-user myusername:mypassword https://www.google.co.nz/
* About to connect() to proxy myproxy.mydomain.com port 8080 (#0)
* Trying 172.30.0.217...
* Connected to myproxy.mydomain.com (172.30.0.217) port 8080 (#0)
* Establish HTTP proxy tunnel to www.google.co.nz:443
* Proxy auth using Basic with user 'myusername'
> CONNECT www.google.co.nz:443 HTTP/1.1
> Host: www.google.co.nz:443
> Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
[snip]

So our proxy seems to be ok with Basic auth.

Re: check_http fails to present proxy credentials

Posted: Tue Mar 21, 2017 1:06 pm
by avandemore
Does the check work without -S?

Re: check_http fails to present proxy credentials

Posted: Sun Mar 26, 2017 8:29 pm
by agentdavidson
Yes it works without -S if I'm requesting http://www.google.co.nz/ and providing proxy creds. This output is included in my original post.

However I'm specifically trying to craft a check of an HTTPS site via our authenticated proxy.

I'm using https://www.google.co.nz/ as an example.

Re: check_http fails to present proxy credentials

Posted: Mon Mar 27, 2017 11:44 am
by scottwilkerson
Shouldn't your -H be just http://www.google.co.nz?

./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v

Re: check_http fails to present proxy credentials

Posted: Wed Mar 29, 2017 10:25 pm
by agentdavidson
Hi -

Thanks for the responses/suggestions. Results with -H http://www.google.co.nz and -u https://www.google.co.nz are the same. Proxy says 407.

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz


Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Enterprise Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

<HTML>
[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized


I can work around the issue by disabling authentication for our Nagios server but ideally the authentication is checking the full proxy stack.

I guess if anyone else in the community has check_http working with this scenario then I'll just accept there is something specific to our environment which is the trouble and implement a workaround.

Matt

Re: check_http fails to present proxy credentials

Posted: Thu Mar 30, 2017 9:59 am
by cdienger
Hey Matt,

I've had success with the following format:

./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v

Noticed I removed -s and removed the protocol from -H and -u options.

That said, it looks like you may be testing two different plugins here; nagios-plugins 2.2.0, and monitoring-plugins 2.2. We can't support the plugins from https://www.monitoring-plugins.org/, but I've had success with our Nagios 2.2.0 plugin with the above command. Hope this helps.

Re: check_http fails to present proxy credentials

Posted: Sun Apr 02, 2017 9:06 pm
by agentdavidson
Hi -

I tried dropping the -S (output appended) but that seems to completely mangle the request and the proxy just balks with 400 Bad Request. I think at this point I'll concede defeat and disable the authentication on the proxy for these problematic HTTPS checks. Thanks for the responses and suggestions.

Matt

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v
CONNECT www.google.co.nz HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Connection: close
Host: www.google.co.nz:8080
Accept: */*
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=


http://myproxy.mydomain.com:8080www.google.co.nz is 1260 characters
STATUS: HTTP/1.1 400 Bad Request
**** HEADER ****
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1083
**** CONTENT ****

Re: check_http fails to present proxy credentials

Posted: Mon Apr 03, 2017 9:21 am
by cdienger
Fair enough. I did file a couple bugs related to http_check that I came across while looking into this; https://github.com/nagios-plugins/nagio ... issues/262 and https://github.com/nagios-plugins/nagio ... issues/263 so I'm hopeful that we'll be able to resolve the problem you're facing. I'll close this thread for now and PM you when a new version of check_http is available.
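
Added example, not part of the thread and not code from check_http or curl: a Python sketch that builds a CONNECT request in the form the curl trace above shows the proxy accepting (host:port target plus Proxy-Authorization), reads the schemes a 407 response offers, and audits a verbose request for the differences visible in the failing outputs. The host name, credentials and sample messages are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re

def build_connect(host, port, user, password):
    """CONNECT request with Basic proxy credentials (authority-form target)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n"
            "Proxy-Connection: Keep-Alive\r\n\r\n")

def offered_schemes(response):
    """Return (status code, auth schemes listed in Proxy-Authenticate)."""
    lines = response.replace("\r\n", "\n").split("\n")
    status, schemes = int(lines[0].split()[1]), []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0].lower())
    return status, schemes

def audit_connect(request):
    """List ways a CONNECT request differs from the form the proxy accepted."""
    lines = request.replace("\r\n", "\n").split("\n")
    target = lines[0].split()[1]
    names = {l.partition(":")[0].strip().lower() for l in lines[1:] if ":" in l}
    problems = []
    if "://" in target:
        problems.append("scheme in request target")
    if not re.search(r":\d+$", target):
        problems.append("no port in request target")
    if "proxy-authorization" not in names:
        problems.append("no Proxy-Authorization header")
    return problems

# Constructed samples modelled on the verbose output in the thread.
WITH_S = ("CONNECT http://www.example.test:443 HTTP/1.1\r\n"
          "Proxy-Connection: keep-alive\r\nHost: http://www.example.test\r\n\r\n")
WITHOUT_S = ("CONNECT www.example.test HTTP/1.1\r\nHost: www.example.test:8080\r\n"
             "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
CHALLENGE = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             "Proxy-Authenticate: NTLM\r\n"
             'Proxy-Authenticate: BASIC realm="constructed"\r\n\r\n')

if __name__ == "__main__":
    print(offered_schemes(CHALLENGE))
    for req in (WITH_S, WITHOUT_S, build_connect("www.example.test", 443, "user", "pass")):
        print(audit_connect(req))
```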