clarify and add more examples of proxy environment variables and their
behavior when multiple are specified, overriden etc.
add single wildcard '*' checking for no_proxy to
determine_hostname_resolver, special case per curlopt_noproxy
documentation
add another argument: --no-proxy , which is used when setting
CURL_NOPROXY
additionally parse all_proxy, ALL_PROXY, no_proxy and NO_PROXY
environment variables in the correct order.
set the curlopt_proxy and curlopt_noproxy of libcurl, and additionally
save them in check_curl_working_state.
add function determine_hostname_resolver, uses the working state and
static config. it can tokenize the no_proxy variable and check for exact
matches, but cannot determine subnet matches for ip addresses yet.
leave the functions that print out an curl_easyoption, but dont use it. organize the code slightly, print out the final CURLOPT_PROXY and proxy_resolves_hostname flag on verbose mode, add comments
add proxy argument that useing the -x and --proxy argument. add it to
the static curl config struct, command usage and help outputs of the
cli.
parse these argument together with the environment variables like
http_proxy before setting the CURLOPT_PROXY in the curl configuration
option. this is required, as there is no easy way to ascertain/get what
the CURLOPT_PROXY that libcurl will use. by the point it is set by
libcurl, we have no control over it anymore, and need it for the other
steps in the configuration.
if the CURLOPT_PROXY is set, skip the DNS cache population which would
set the CURLOPT_RESOLVE. this is currently not perfect however. if a
proxy is set with socks4 or socks5 scheme, the host should be resolving
the hostname.
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
* check_disk: compare inode thresholds against the correct value
* check_disk: Detect free inode number correctly in tests
---------
Co-authored-by: Lorenz Kästle <lorenz.kaestle@netways.de>
according to https://curl.se/libcurl/c/curl_easy_setopt.html, parameters
are either a long, a function pointer, an object pointer or a curl_off_t,
depending on what the option expects; curl 8.16 checks and warns about
these.
Include the -D flag for certificate verification in the "CHECK
CERTIFICATE" examples. Otherwise, only the certificate dates are
checked, but not if the certificate matches to the hostname or is signed
by a trusted CA.
Fixes#2146.
previously, the fragment was sent in the request from client, and the
server would parse and increment its value. the incremented value would
be set in the redirected URI.
this does not work as fragments are meaningless to servers and clients
like check_curl strip them in their GET request.
rewrite the fragment handling . if client sends a URI parameter with
'fragment' as its key, the server will set its value for its redirected
URI. it will come up both as a parameter and the fragment at the end.
use this new logic to rewrite the fragment redirection test. remove -p
$http_port argument on tests for this endpoint, which was making https
tests fail. correct the common test count from 75 to 95, as there are 20
total test assertions in the 8 times it uses the new endpoint. remove
unused code on that endpoint as well
If a SSL connection cannot be established, check_http bailed out with a
die function call with a NULL fmt string. This adds a more meaningful
message.
The motivation for this patch was to get everything from the OpenBSD
ports upstream. It seems like in the old days, this would have resulted
in a segfault.
b8a6b3cae5
However, even if "die" now checks for NULL, a human readable error is
nice to have.
On OpenBSD's "stdio.h", stdin, stdout, and stderr are not directly
FILE*, but #defines. Thus, naming the output struct fields stdout and
stderr resulted in compiler errors, after replacing the #define.
a762189c5e/include/stdio.h (L75-L77)
This library is glibc-only and not necessary at this point. The
getopt_long function is provided by "getopt.h", included via "common.h".
Similar to #2159.
use the parameters in the last redirected URI that that server returns
HTTP OK to. matches the incrementation count of redirection_count from 0
to 3, as they also get incremented three times alongside it. add
comments about what is happening in the test cases, no need to
understand the endpoint completely
plugins/tests/check_curl.t forks and runs a http(s) server that responds
to specific uri endpoints. Added another endpoint under
/redirect_with_increment with dynamic redirection points.
This endpoint will parse different parts of the uri that come after the
path: parameters, query and the fragment. If applicable, seperate
elements within each field are parsed into key/value pairs. value is
incremented in redirected URI.
Tests if check_url redirection logic retains different parts of the url
when parsing the uri and building the new redirected URL. Current tests
show that it ignores the fragment part.
Check the UriUriA object, and if query string exists append it to the
new_url. Only appends the query part, fragments are still not appended
Function redir parses the new location header value using the
uriParseUriA function already, which populates the query field. This
field was already being printed, but it was not being appended to the
new_url during its construction.
Redirection chain of check_curl --onredirect=follow now mimics the chain
of check_http --onredirect=follow. Tested on the url:
mail.google.com/chat
In the previous commit I unintentionally introduced an error
through symbol shadowing.
This should fix check_ntp_time when the target address
is a network address.
check_ntp was marked as deprecated for forever (SVN times).
In the spirit of cleaning up and removing the dead bodies, this
commit removes check_ntp and all its connections.
* check_dig: Add feature to require or forbid dig DNS flags -E, -X.
Introduced helper functions for flag parsing.
-E, --require-flags=LIST
Comma-separated dig flags that must be present (e.g. 'aa,qr')
-X, --forbid-flags=LIST
Comma-separated dig flags that must NOT be present
* check_curl: avoid freeing memory when we don't know where it came from
* check_curl: when using -f sticky conserve IPv6 addresses properly
When running the check on an ipv6 address with a sticky onredirect
policy like in this example:
check_curl -6 -H example.com -I ::1 -f sticky
It results in a getaddrinfo error:
HTTP CRITICAL - Unable to lookup IP address for '[::1]': getaddrinfo returned -3 - Temporary failure in name resolution
This happens because in check_http() if the content of server_addr is an
ipv6 address enclosing brackets are added and on redirection a
subsequent call to check_http() will pass this now bracketed value to
getaddrinfo resulting in the error.
To work around this, strip the brackets from the address prior to the
lookup_host() call.
* add Michael Jeanson to thanks
