check_http fails to present proxy credentials
-
- Posts: 9
- Joined: Mon Mar 13, 2017 9:50 pm
check_http fails to present proxy credentials
Hello -
I'm having an issue getting check_http to work via an authenticated proxy when using the -S -j CONNECT flags.
Does anyone know if this is a supported configuration?
Appended is (anonymised) output showing success when using proxy + authentication + http url but failure when using proxy + authentication + https url
SUCCESS...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -u http://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
GET http://www.google.co.nz/ HTTP/1.0
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Connection: close
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
http://myproxy.mydomain.com:8080http://www.google.co.nz/ is 11412 characters
STATUS: HTTP/1.1 200 OK
[Head and Content follow but removed from this post]
HTTP OK: HTTP/1.1 200 OK - 11412 bytes in 0.245 second response time |time=0.245205s;1.000000;5.000000;0.000000;10.000000 size=11412B;;;0
FAILURE...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u / -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz
Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274
[Proxy responds with its "Not authenticated" HTML page but removed from this post]
CRITICAL - Cannot make SSL connection.
SSL initialized
It would seem that check_http fails to present proxy credentials when using the -S -j CONNECT flags
If I disable authentication on the proxy the -S -j CONNECT scenario works.
Re: check_http fails to present proxy credentials
Does using curl with and without --proxy-ntlm produce similar results? I ask because this line in the header may be relevant:
Code:
Proxy-Authenticate: NTLM
I don't think check_http supports NTLM based proxy authentication at the moment. I'd have to verify that though because I might be wrong.
Former Nagios employee
https://www.mcapra.com/
-
- Posts: 9
- Joined: Mon Mar 13, 2017 9:50 pm
Re: check_http fails to present proxy credentials
curl with and without --proxy-ntlm returns content.
Here is (anonymised) output without --proxy-ntlm, but I do need to --insecure the curl to get around CA chain check.
[root@myserver:~] curl -v --insecure --proxy http://myproxy.mydomain.com:8080 --proxy-user myusername:mypassword https://www.google.co.nz/
* About to connect() to proxy myproxy.mydomain.com port 8080 (#0)
* Trying 172.30.0.217...
* Connected to myproxy.mydomain.com (172.30.0.217) port 8080 (#0)
* Establish HTTP proxy tunnel to www.google.co.nz:443
* Proxy auth using Basic with user 'myusername'
> CONNECT www.google.co.nz:443 HTTP/1.1
> Host: www.google.co.nz:443
> Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
[snip]
So our proxy seems to be ok with Basic auth.
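Added example (not part of the thread, and not code from nagios-plugins or monitoring-plugins): the failing check_http trace and the working curl trace differ in whether the CONNECT request carries Proxy-Authorization, and this Python code checks a captured request against the proxy's 407 for exactly that. Host names, credentials and function names are constructed placeholders.

```python
import base64
import re

# Constructed samples modelled on the thread's -v output (placeholder names).
FAILING_REQ = """CONNECT www.example.test:443 HTTP/1.1
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Proxy-Connection: keep-alive
Host: www.example.test
"""
PROXY_407 = """HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Password"
Proxy-Connection: close
"""

def parse_head(raw):
    """Return (start_line, [(lowercased name, value), ...]) for a message head."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    pairs = [l.partition(":") for l in lines[1:]]
    return lines[0], [(n.strip().lower(), v.strip()) for n, _, v in pairs]

def schemes(headers, name):
    """Auth scheme tokens (lowercased) carried by every header called `name`."""
    return [v.split()[0].lower() for n, v in headers if n == name and v]

def diagnose(request_raw, response_raw):
    """Explain a proxy 407 from the CONNECT request the client really sent."""
    start, req_headers = parse_head(request_raw)
    status, resp_headers = parse_head(response_raw)
    if not start.upper().startswith("CONNECT ") or status.split()[1] != "407":
        return []
    offered = schemes(resp_headers, "proxy-authenticate")
    sent = schemes(req_headers, "proxy-authorization")
    if not sent:
        return ["CONNECT sent without Proxy-Authorization; proxy offers " + "/".join(offered)]
    if sent[0] not in offered:
        return [f"client used {sent[0]} but proxy offers " + "/".join(offered)]
    return ["credentials were presented with an offered scheme; proxy rejected them"]

def connect_request(host, port, user, password):
    """CONNECT head with Basic proxy credentials, as curl sends in the thread."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n")

def redact(raw):
    """Mask credential tokens before verbose output is pasted anywhere."""
    return re.sub(r"(?im)^(proxy-authorization|authorization):\s*(\S+)\s+\S+",
                  r"\1: \2 <redacted>", raw)
```

Basic proxy credentials are only base64-encoded, so pass -v output through something like redact() before sharing it.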
-
- Posts: 1597
- Joined: Tue Sep 27, 2016 4:57 pm
Re: check_http fails to present proxy credentials
Does the check work without -S?
Previous Nagios employee
-
- Posts: 9
- Joined: Mon Mar 13, 2017 9:50 pm
Re: check_http fails to present proxy credentials
Yes it works without -S if I'm requesting http://www.google.co.nz/ and providing proxy creds. This output is included in my original post.
However I'm specifically trying to craft a check of an HTTPS site via our authenticated proxy.
I'm using https://www.google.co.nz/ as an example.
-
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: check_http fails to present proxy credentials
Shouldn't your -H be just http://www.google.co.nz?
Code:
./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
-
- Posts: 9
- Joined: Mon Mar 13, 2017 9:50 pm
Re: check_http fails to present proxy credentials
Hi -
Thanks for the responses/suggestions. Results with -H http://www.google.co.nz and -u https://www.google.co.nz are the same. Proxy says 407
[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz
Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Enterprise Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274
<HTML>
[Proxy responds with its "Not authenticated" HTML page but removed from this post]
CRITICAL - Cannot make SSL connection.
SSL initialized
I can work around the issue by disabling authentication for our Nagios server but ideally the authentication is checking the full proxy stack.
I guess if anyone else in the community has check_http working with this scenario then I'll just accept there is something specific to our environment which is the trouble and implement a workaround.
Matt
Re: check_http fails to present proxy credentials
Hey Matt,
I've had success with the following format:
./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v
Noticed I removed -s and removed the protocol from -H and -u options.
That said, it looks like you may be testing two different plugins here; nagios-plugins 2.2.0, and monitoring-plugins 2.2. We can't support the plugins from https://www.monitoring-plugins.org/, but I've had success with our Nagios 2.2.0 plugin with the above command. Hope this helps.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
-
- Posts: 9
- Joined: Mon Mar 13, 2017 9:50 pm
Re: check_http fails to present proxy credentials
Hi -
I tried dropping the -S (output appended) but that seems to completely mangle the request and the proxy just balks with 400 Bad Request. I think at this point I'll concede defeat and disable the authentication on the proxy for these problematic HTTPS checks. Thanks for the responses and suggestions.
Matt
[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v
CONNECT www.google.co.nz HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Connection: close
Host: www.google.co.nz:8080
Accept: */*
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
http://myproxy.mydomain.com:8080www.google.co.nz is 1260 characters
STATUS: HTTP/1.1 400 Bad Request
**** HEADER ****
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1083
**** CONTENT ****
Re: check_http fails to present proxy credentials
Fair enough. I did file a couple bugs related to http_check that I came across while looking into this; https://github.com/nagios-plugins/nagio ... issues/262 and https://github.com/nagios-plugins/nagio ... issues/263 so I'm hopeful that we'll be able to resolve the problem you're facing. I'll close this thread for now and PM you when a new version of check_http is available.