check_http unable to use pass with "!"

[scottwilkerson]

Check out this post from the greatness himself @ssax:
https://support.nagios.com/forum/viewto ... 07#p229207

All the escaping considerations likely still apply.

Thanks @mcapra

[nagiosEngie]

Hello Everybody (your greatness included ),
tested the script proposed and it works. BUT, (unfortunatly there always is one):

I tried the script and authentication works I get:
OK: Authentication Successful (and thats good)

I then tried to insert a wrong user so to check if i get a CRITICAL message, but I sill get
OK: Authentication Successful (and that's not good) is the session somehow cashed or some other contraption.
How can this be solved?


I also tested the sting search (-s option) and it works with right and wrong pass.

Thanks
Sandro

[scottwilkerson]

I looked at the script and there is no caching. You can add the -v flag to get verbose output including the the curl command it is using, this would allow you ti run the command directly and see what the server is returning.

Are you 100% sure this server don't respond without authentication?

[nagiosEngie]

Hello Scott,

here is the output with the -v option enabled. I used a wrong pass and user and the exit code is still 0.
From what I understand there is a HTTP/1.1 401 Unauthorized message so the script is able to see that authentication fails but exit code is still 0.
Server without authentication will respond with a HTTP ERROR 401 page with chrome.
It will return an empty page with internet explorer.

File attached
Sandro

[nagiosEngie]

Hello,
line 131 of the script:
if [[ "$curloutput" == *'401 - Unauthorized'* ]]; then....etc.

in the debug message:
HTTP/1.1 401 Unauthorized

There is no dash "-"

If I correct this I will get the right result with the wrong password ie. CRITICAL Authentication failed.
BUT (there it is) if I use the correct password I will still get the same message.
So I had a look at the debug message I get when I use a correct password and I do not know why, but a HTTP/1.1 401 Unauthorized will appear in the debug message although the transaction is successfull.
So the problem is the string we grep "HTTP/1.1 401 Unauthorized" that appears in both cases.

I guess we have to choose some other string to grep for unsucccssesfull authentication.

There is also a wrong string in a second check "Couldn't resolve host" I get "Could not resolve host".

I this code works for me:

if [[ "$curloutput" == *'401 Unauthorized'* && "$curloutput" == *'NTLM handshake rejected'* ]]; then
authmsg='Authentication Failed!'
adjust_exit 2
elif [[ "$curloutput" == *"Could not resolve host"* ]]; then
authmsg='Unable to resolve host, please check DNS!'
adjust_exit 2
else
authmsg='Authentication Successful'
adjust_exit 0

I attached the corrected script that works inmy case.
Is it possible I get different messages based on different version of IIS?
SAndro

[scottwilkerson]

Is it possible I get different messages based on different version of IIS?

Maybe, but it might also be the application.

It is actually strange that you are getting the following with it actually works

Code: Select all

401 Unauthorized

That sounds like the applications is not outputting the correct code.

I'm glad you were able to work out a solution, and thanks for sharing for others!