monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 3:07 pm
by decp
Hi,
I have a site that's currently SSL off-loaded to an F5 load balancer.
This simple HTTP-only check from the CLI works fine:
# check_http -s "string_to_check" -H http://www.foo.com -I 10.0.0.100 -u "/foo/content"
But this HTTPS check gives a "CRITICAL - Socket timeout after 10 seconds" error:
# check_http -s "string_to_check" -H http://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
But if I terminate the SSL all the way to the web server, the above works.
Is there a special way to monitor SSL sites terminated on the load balancer?
Thanks for any info.
Re: monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 3:18 pm
by decp
Btw, I'm using Nagios XI.
But this works on Nagios Core 2.9.
Re: monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 3:29 pm
by abrist
decp wrote: check_http -s "string_to_check" -H http://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
Are you sure the web address is still http instead of https?
check_http -s "string_to_check" -H https://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
Re: monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 3:35 pm
by decp
I tried that:
check_http -s "string_to_check" -H https://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
and
check_http -s "string_to_check" -H http://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
check_http -s "string_to_check" www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
Still getting that same error.
Re: monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 3:36 pm
by decp
abrist wrote: Are you sure the web address is still http instead of https?
check_http -s "string_to_check" -H https://www.foo.com -I 10.0.0.100 -u "/foo/content" -S -p 443
The site responds to both HTTP and HTTPS, if that's what you're asking?
Re: monitoring sites with SSL terminated on the LB
Posted: Tue Jul 30, 2013 8:33 pm
by scottwilkerson
Can you run it like this?
check_http -s "string_to_check" -H www.foo.com -u "/foo/content" -S -p 443
Re: monitoring sites with SSL terminated on the LB
Posted: Wed Jul 31, 2013 4:03 pm
by decp
scottwilkerson wrote: can you run it like this
check_http -s "string_to_check" -H www.foo.com -u "/foo/content" -S -p 443
Same error - CRITICAL - Socket timeout after 10 seconds
But it works fine on Nagios Core 2.9, weird.
Re: monitoring sites with SSL terminated on the LB
Posted: Wed Jul 31, 2013 4:23 pm
by abrist
Is this website protected by any type of auth (even basic)?
Re: monitoring sites with SSL terminated on the LB
Posted: Wed Jul 31, 2013 4:28 pm
by decp
abrist wrote: Is this website protected by any type of auth (even basic)?
No.
Is there a log somewhere that I can check? Or some debug level I can turn on?
Re: monitoring sites with SSL terminated on the LB
Posted: Wed Jul 31, 2013 4:31 pm
by abrist
You can check the ssl_access_log and ssl_error_log.
tail -25 /var/log/httpd/ssl_access_log
tail -25 /var/log/httpd/ssl_error_log