check_http fails to present proxy credentials

Locked
agentdavidson
Posts: 9
Joined: Mon Mar 13, 2017 9:50 pm

check_http fails to present proxy credentials

Post by agentdavidson »

Hello -

I'm having an issue getting check_http to work via an authenticated proxy when using the -S -j CONNECT flags.

Does anyone know if this is a supported configuration?

Appended is (anonymised) output showing success when using proxy + authentication + http url but failure when using proxy + authentication + https url

SUCCESS...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -u http://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
GET http://www.google.co.nz/ HTTP/1.0
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Connection: close
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=

http://myproxy.mydomain.com:8080http://www.google.co.nz/ is 11412 characters
STATUS: HTTP/1.1 200 OK
[Head and Content follow but removed from this post]
HTTP OK: HTTP/1.1 200 OK - 11412 bytes in 0.245 second response time |time=0.245205s;1.000000;5.000000;0.000000;10.000000 size=11412B;;;0

FAILURE...
[root@myserver:/usr/local/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u / -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2 (monitoring-plugins 2.2)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz

Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized

It would seem that check_http fails to present proxy credentials when using the -S -j CONNECT flags

If I disable authentication on the proxy the -S -j CONNECT scenario works.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: check_http fails to present proxy credentials

Post by mcapra »

Does using curl with and without --proxy-ntlm produce similar results? I ask because this line in the header may be relevant:

Proxy-Authenticate: NTLM
I don't think check_http supports NTLM based proxy authentication at the moment. I'd have to verify that though because I might be wrong.
Former Nagios employee
https://www.mcapra.com/
agentdavidson
Posts: 9
Joined: Mon Mar 13, 2017 9:50 pm

Re: check_http fails to present proxy credentials

Post by agentdavidson »

curl with and without --proxy-ntlm returns content.

Here is (anonymised) output without --proxy-ntlm, but I do need to --insecure the curl to get around CA chain check.

[root@myserver:~] curl -v --insecure --proxy http://myproxy.mydomain.com:8080 --proxy-user myusername:mypassword https://www.google.co.nz/
* About to connect() to proxy myproxy.mydomain.com port 8080 (#0)
* Trying 172.30.0.217...
* Connected to myproxy.mydomain.com (172.30.0.217) port 8080 (#0)
* Establish HTTP proxy tunnel to www.google.co.nz:443
* Proxy auth using Basic with user 'myusername'
> CONNECT www.google.co.nz:443 HTTP/1.1
> Host: www.google.co.nz:443
> Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
[snip]

So our proxy seems to be ok with Basic auth.
avandemore
Posts: 1597
Joined: Tue Sep 27, 2016 4:57 pm

Re: check_http fails to present proxy credentials

Post by avandemore »

Does the check work without -S?
Previous Nagios employee
agentdavidson
Posts: 9
Joined: Mon Mar 13, 2017 9:50 pm

Re: check_http fails to present proxy credentials

Post by agentdavidson »

Yes it works without -S if I'm requesting http://www.google.co.nz/ and providing proxy creds. This output is included in my original post.

However I'm specifically trying to craft a check of an HTTPS site via our authenticated proxy.

I'm using https://www.google.co.nz/ as an example.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: check_http fails to present proxy credentials

Post by scottwilkerson »

Shouldn't your -H be just http://www.google.co.nz?

 ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
agentdavidson
Posts: 9
Joined: Mon Mar 13, 2017 9:50 pm

Re: check_http fails to present proxy credentials

Post by agentdavidson »

Hi -

Thanks for the responses/suggestions. Results with -H http://www.google.co.nz and -u https://www.google.co.nz are the same. Proxy says 407.

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -S -j CONNECT -H http://www.google.co.nz -u https://www.google.co.nz/ -b myusername:mypassword -w 1 -c 5 -v
Entering CONNECT tunnel mode with proxy myproxy.mydomain.com:8080 to dst http://www.google.co.nz:443
CONNECT http://www.google.co.nz:443 HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Proxy-Connection: keep-alive
Host: http://www.google.co.nz


Receive response from proxy
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NTLM
Proxy-Authenticate: BASIC realm="Please enter Username and Enterprise Password"
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1274

<HTML>
[Proxy responds with its "Not authenticated" HTML page but removed from this post]

CRITICAL - Cannot make SSL connection.
SSL initialized


I can work around the issue by disabling authentication for our Nagios server but ideally the authentication is checking the full proxy stack.

I guess if anyone else in the community has check_http working with this scenario then I'll just accept there is something specific to our environment which is the trouble and implement a workaround.

Matt
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_http fails to present proxy credentials

Post by cdienger »

Hey Matt,

I've had success with the following format:

./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v

Notice I removed -s and removed the protocol from -H and -u options.

That said, it looks like you may be testing two different plugins here; nagios-plugins 2.2.0, and monitoring-plugins 2.2. We can't support the plugins from https://www.monitoring-plugins.org/, but I've had success with our Nagios 2.2.0 plugin with the above command. Hope this helps.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
agentdavidson
Posts: 9
Joined: Mon Mar 13, 2017 9:50 pm

Re: check_http fails to present proxy credentials

Post by agentdavidson »

Hi -

I tried dropping the -S (output appended) but that seems to completely mangle the request and the proxy just balks with 400 Bad Request. I think at this point I'll concede defeat and disable the authentication on the proxy for these problematic HTTPS checks. Thanks for the responses and suggestions.

Matt

[root@myserver:/usr/local/nagios/libexec] ./check_http -I myproxy.mydomain.com -p 8080 -j CONNECT -H www.google.co.nz -u www.google.co.nz -b myusername:mypassword -w 1 -c 5 -v
CONNECT www.google.co.nz HTTP/1.1
User-Agent: check_http/v2.2.0 (nagios-plugins 2.2.0)
Connection: close
Host: www.google.co.nz:8080
Accept: */*
Proxy-Authorization: Basic bWRmYzM5OlBoYXRzazhAQEA=


http://myproxy.mydomain.com:8080www.google.co.nz is 1260 characters
STATUS: HTTP/1.1 400 Bad Request
**** HEADER ****
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 1083
**** CONTENT ****
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: check_http fails to present proxy credentials

Post by cdienger »

Fair enough. I did file a couple bugs related to http_check that I came across while looking into this; https://github.com/nagios-plugins/nagio ... issues/262 and https://github.com/nagios-plugins/nagio ... issues/263 so I'm hopeful that we'll be able to resolve the problem you're facing. I'll close this thread for now and PM you when a new version of check_http is available.
Locked
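
Added example, not part of any post in this thread and not check_http code: a small Python checker for captured CONNECT exchanges like the ones pasted above, next to a builder for the authority-form (host:port) request with Basic credentials that the curl trace shows the proxy accepting. The function names, hosts and credentials are hypothetical, and the sample captures are constructed.

```python
import base64

def build_connect(host, port, user, password):
    """CONNECT request in authority-form (host:port) carrying Basic proxy credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n")

def parse_head(raw):
    """Return (start_line, [(lowercased_name, value)]); repeated headers are kept."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def diagnose(request, response=""):
    """List reasons a proxy would refuse this CONNECT request."""
    start, headers = parse_head(request)
    parts = start.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return ["not a CONNECT request"]
    findings, target = [], parts[1]
    host, sep, port = target.rpartition(":")
    if "/" in target:
        findings.append("target is a URL, not host:port")
    elif not (host and sep and port.isdigit()):
        findings.append("target has no port")
    if all(name != "proxy-authorization" for name, _ in headers):
        findings.append("no Proxy-Authorization header")
    if response:
        status, rheaders = parse_head(response)
        if status.split()[1:2] == ["407"]:
            schemes = [v.split()[0].upper() for n, v in rheaders if n == "proxy-authenticate" and v]
            findings.append("proxy offers: " + ", ".join(schemes))
    return findings

# Constructed samples modelled on the captures in the thread (hosts and credentials are placeholders).
NO_AUTH = ("CONNECT http://www.example.org:443 HTTP/1.1\r\n"
           "Proxy-Connection: keep-alive\r\nHost: http://www.example.org\r\n\r\n")
PROXY_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n"
             'Proxy-Authenticate: BASIC realm="constructed"\r\nConnection: close\r\n\r\n')
NO_PORT = ("CONNECT www.example.org HTTP/1.1\r\nHost: www.example.org:8080\r\n"
           "Proxy-Authorization: Basic Y29uc3RydWN0ZWQ6dmFsdWU=\r\n\r\n")
if __name__ == "__main__":
    print(diagnose(NO_AUTH, PROXY_407), diagnose(NO_PORT))
```

Paste the request and response heads from a `-v` run into `diagnose()` to see whether a refusal comes from missing credentials or from a malformed CONNECT target.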