[RESOLVED] check_http - why authentication fails on some

[mello]

Good morning,

I'm trying to self learn Linux and have a home lab with couple CentOS servers, one running virtualbox.

After playing around felt the need of a tool to monitor my applications and servers and came across Nagios, so new to Linux and to Nagios (great combination).

Monitoring the servers with ping was easy, so decided to move to monitor the service. Started with monitoring some cameras I have - all accessible via http, so used the defined commands without any modification and worked for some, not all.

Checking from the shell I see:

[root@nagios plugins]# ./check_http -I 10.10.10.193
HTTP OK: HTTP/1.0 200 OK - 708 bytes in 0.013 second response time |time=0.012726s;;;0.000000 size=708B;;;0
[root@nagios plugins]# ./check_http -I 10.10.10.192
HTTP OK: HTTP/1.1 200 OK - 2490 bytes in 0.123 second response time |time=0.123171s;;;0.000000 size=2490B;;;0
[root@nagios plugins]# ./check_http -I 10.10.10.191
HTTP OK: HTTP/1.0 200 OK - 710 bytes in 0.014 second response time |time=0.014048s;;;0.000000 size=710B;;;0
[root@nagios plugins]# ./check_http -I 10.10.10.182
HTTP WARNING: HTTP/1.0 401 Authorization Required - 305 bytes in 0.063 second response time |time=0.063081s;;;0.000000 size=305B;;;0

so changed to below and worked:

[root@nagios plugins]# ./check_http -I 10.10.10.182 -a user:password
HTTP OK: HTTP/1.0 200 OK - 710 bytes in 0.014 second response time |time=0.014048s;;;0.000000 size=710B;;;0

I've not made any changes to the commands, so still:

# 'check_http' command definition
define command{
command_name check_http
command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
}

and the cfg for the cameras look like (and yes the http command is commented out so will start with ping):

----------------- BOF --------------
#
# Office Camera
#

define host{
use linux-server
host_name office
alias office
address 10.10.10.181
icon_image webcamera.png
statusmap_image search_server3.gd2
}

define service{
use generic-service
host_name office
service_description PING
check_command check_ping!200.0,20%!500.0,60%
#service_description HTTP
#check_command check_http
}


#
# Define an optional hostgroup for Cameras
#

define hostgroup{
hostgroup_name cameras ; The name of the hostgroup
alias ZM Cameras ; Long name of the group
members shopcamera,backporch,backyard,driveway,frontdoor,frontporch,kitchen,leavingroom,office ; Comma separated list of hosts t
}

---------------- EOF -------------

I'm not sure why I need to use the authentication for some of the cameras as all have the same requirements to access their GUI (username and password).

The only thing I can think of is deference from their firmware, causing Nagios to not authenticate without the credentials.

The ones that authenticate without are Foscan and Sercomm, the ones that wont are Lynksys - just for records for future readers.

Question: What do I need to change to add the authentication to the ones requiring it?

I've tried to change the command inside my cameras.cfg to: check_command check_http -a user:pass, but for sure I'm doing it wrong as Nagios wont start

Any directions?

Thanks!

[rkennedy]

Try changing it to be -

Code: Select all

I've tried to change the command inside my cameras.cfg to: check_command check_http -a user:pass, but for sure I'm doing it wrong as Nagios wont start

Code: Select all

check_http!-a user:pass

Since your check_http command definition has $ARG1$ after specifiying the $HOSTADDRESS$, Nagios is going to use ! to differentiate where $ARG1$ actually starts.

As for why it will only work with some cameras, they will all need to use basic auth. Please run the following command against your different models, and post the full output. curl 10.10.10.182 (replace the IP with the IP of your other cameras to run it against them as well). I'd like to look at the headers in the response to see what it mentions.

[mello]

Thank you for your quick reply and lesson today

Another clear case of RTFM on my part.

So to pass variables to the commands I had to "say" to it by adding the exclamation mark to delimit the start of the arguments to be used and that was it ...

Now using check_html!-a username:password allowed me to restart Nagios and it authenticated fine.

Below, as requested, the outputs for some of the cameras. The last one is a Linksys and all models I have seems to require authentication.

1 - Sercomm OC432

[root@nagios plugins]# curl 10.10.10.191
<HTML>
<HEAD>
<TITLE>Network Camera</TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="">
<meta name="description" content="OC431">

<META http-equiv="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<meta HTTP-EQUIV="Expires" CONTENT="Mon, 06 Jan 1990 00:00:01 GMT">
</HEAD>

<BODY onLoad="window.location = 'main.cgi?next_file=index_in.htm';">

</BODY>
</HTML>

2 - Sercomm RC8221

[root@nagios plugins]# curl 10.10.10.189
<HTML>
<HEAD>
<TITLE>Network Camera</TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="">
<meta name="description" content="RC8061">

<META http-equiv="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<meta HTTP-EQUIV="Expires" CONTENT="Mon, 06 Jan 1990 00:00:01 GMT">
</HEAD>

<BODY onLoad="window.location = 'main.cgi?next_file=index_in.htm';">

</BODY>
</HTML>

3 - Linksys DCS-930LB

[root@nagios plugins]# curl 10.10.10.182
<html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>

[rkennedy]

When I pasted out the curl command, I forgot to add -vvv (so we can see some verbosity on the headers). Could you actually run the same command on both of them with -vvv at the end? curl 10.10.10.182 -vvv and curl 10.10.10.189 -vvv for example.

[mello]

Sure:

-------------- BOF ----------------

[root@nagios config]# curl 10.10.10.182 -vvv
* About to connect() to 10.10.10.182 port 80 (#0)
* Trying 10.10.10.182...
* Connected to 10.10.10.182 (10.10.10.182) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.10.10.182
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Authorization Required
< Server: alphapd
< Date: Sat Jan 31 13:22:18 2015
< Pragma: no-cache
< Cache-Control: no-cache
< Content-type: text/html
< WWW-Authenticate: Basic realm="DCS-930LB1"
<
<html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>

* Closing connection 0

--------------- EOF ------------

2nd IP

------------ BOF ---------------

[root@nagios config]# curl 10.10.10.189 -vvv
* About to connect() to 10.10.10.189 port 80 (#0)
* Trying 10.10.10.189...
* Connected to 10.10.10.189 (10.10.10.189) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.10.10.189
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "-1327665054"
< Last-Modified: Tue, 21 Apr 2015 08:14:37 GMT
< Content-Length: 482
< Date: Mon, 20 Jun 2016 12:58:50 GMT
< Server: ip-camera
<
<HTML>
<HEAD>
<TITLE>Network Camera</TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="">
<meta name="description" content="RC8061">

<META http-equiv="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<meta HTTP-EQUIV="Expires" CONTENT="Mon, 06 Jan 1990 00:00:01 GMT">
</HEAD>

<BODY onLoad="window.location = 'main.cgi?next_file=index_in.htm';">

</BODY>
</HTML>


* Connection #0 to host 10.10.10.189 left intact

------------------ EOF -----------------------

[rkennedy]

Sure:

-------------- BOF ----------------

[root@nagios config]# curl 10.10.10.182 -vvv
* About to connect() to 10.10.10.182 port 80 (#0)
* Trying 10.10.10.182...
* Connected to 10.10.10.182 (10.10.10.182) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.10.10.182
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Authorization Required
< Server: alphapd
< Date: Sat Jan 31 13:22:18 2015
< Pragma: no-cache
< Cache-Control: no-cache
< Content-type: text/html
< WWW-Authenticate: Basic realm="DCS-930LB1"
<
<html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>

* Closing connection 0

--------------- EOF ------------

2nd IP

------------ BOF ---------------

[root@nagios config]# curl 10.10.10.189 -vvv
* About to connect() to 10.10.10.189 port 80 (#0)
* Trying 10.10.10.189...
* Connected to 10.10.10.189 (10.10.10.189) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.10.10.189
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "-1327665054"
< Last-Modified: Tue, 21 Apr 2015 08:14:37 GMT
< Content-Length: 482
< Date: Mon, 20 Jun 2016 12:58:50 GMT
< Server: ip-camera
<
<HTML>
<HEAD>
<TITLE>Network Camera</TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="">
<meta name="description" content="RC8061">

<META http-equiv="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<meta HTTP-EQUIV="Expires" CONTENT="Mon, 06 Jan 1990 00:00:01 GMT">
</HEAD>

<BODY onLoad="window.location = 'main.cgi?next_file=index_in.htm';">

</BODY>
</HTML>


* Connection #0 to host 10.10.10.189 left intact

------------------ EOF -----------------------

The part that matters in the first one, is < WWW-Authenticate: Basic realm="DCS-930LB1" which indicates it is indeed using basic auth. With this one, you will have no issue passing the -a parameter to login to the actual page.

The second one however, has no authentication directly on this page. It may not be using basic auth, which can get tricky and won't be able to login using the -a parameter. Can you run curl 10.10.10.189/main.cgi?next_file=index_in.htm -vvv and post back the output? That's the page it's redirecting to.

[mello]

I think what's happening here is just differences in philosophy. While some would allow access to the GUI and require authentication to access the actual configuration options (line some ddrt or Arys routers) others will require authentication to access the GUI (pfsense) - using routers as example as they are fresh in my mind

Those cameras seems to have a different way to allow access to the GUI, therefore the http test works without authentication for some and won't for the ones that requires authentication to access the GUI itself (might be wrong but that what I think is happening).

Any way, output for your curl as requested:

[root@nagios objects]# 10.10.10.189/main.cgi?next_file=index_in.htm -vvv
-bash: 10.10.10.189/main.cgi?next_file=index_in.htm: No such file or directory
[root@nagios objects]#

P.s. Your first direction fixed my issues, so at this point I think you are just trying to troubleshoot other issues, right? I'll be glad in assist by the way.

Regards!

[rkennedy]

I think what's happening here is just differences in philosophy. While some would allow access to the GUI and require authentication to access the actual configuration options (line some ddrt or Arys routers) others will require authentication to access the GUI (pfsense) - using routers as example as they are fresh in my mind

Those cameras seems to have a different way to allow access to the GUI, therefore the http test works without authentication for some and won't for the ones that requires authentication to access the GUI itself (might be wrong but that what I think is happening).

Any way, output for your curl as requested:

[root@nagios objects]# 10.10.10.189/main.cgi?next_file=index_in.htm -vvv
-bash: 10.10.10.189/main.cgi?next_file=index_in.htm: No such file or directory
[root@nagios objects]#

P.s. Your first direction fixed my issues, so at this point I think you are just trying to troubleshoot other issues, right? I'll be glad in assist by the way.

Regards!

Ah - I was continuing with the discussion thinking you were wondering why a certain one wasn't working. It sounds like you're spot on though.

One thing that might help, is if you do not want to login and make sure the credentials work, you could use -e 401 (which stands for expect, and tell it that we know an auth is required, but we aren't entering credentials).

Do you have any further questions or are we good to mark this one as resolved?

[mello]

I'm good and appreciated the extra thoughts and efforts

Don't see from the reply how to mark it as resolved, so will check after posting. If you don't see it changed, could you please change on your end?

Again thank you for all your help!

[rkennedy]

We close it out manually on our end, which I'll do!

If you run into any issues in the future, feel free to create a new thread.