* add proxy argument and improve dns cache usage
add proxy argument that useing the -x and --proxy argument. add it to
the static curl config struct, command usage and help outputs of the
cli.
parse these argument together with the environment variables like
http_proxy before setting the CURLOPT_PROXY in the curl configuration
option. this is required, as there is no easy way to ascertain/get what
the CURLOPT_PROXY that libcurl will use. by the point it is set by
libcurl, we have no control over it anymore, and need it for the other
steps in the configuration.
if the CURLOPT_PROXY is set, skip the DNS cache population which would
set the CURLOPT_RESOLVE. this is currently not perfect however. if a
proxy is set with socks4 or socks5 scheme, the host should be resolving
the hostname.
* codespell, clang-format and hints fixes
* add curl version and ssl enabelement macro checks
might fix rocky linux 8 compilation issues.
* add proxy_resolves_hostname, determined by proxy scheme
leave the functions that print out an curl_easyoption, but dont use it. organize the code slightly, print out the final CURLOPT_PROXY and proxy_resolves_hostname flag on verbose mode, add comments
* remove unused handle_curl_easyoption and format_curl_easyoption functions
* fix typo in the proxy argument
* fix typo with proxy scheme socks5a->socks5h
* improve proxy environment parsing
add another argument: --no-proxy , which is used when setting
CURL_NOPROXY
additionally parse all_proxy, ALL_PROXY, no_proxy and NO_PROXY
environment variables in the correct order.
set the curlopt_proxy and curlopt_noproxy of libcurl, and additionally
save them in check_curl_working_state.
add function determine_hostname_resolver, uses the working state and
static config. it can tokenize the no_proxy variable and check for exact
matches, but cannot determine subnet matches for ip addresses yet.
* document proxy cli arguments
clarify and add more examples of proxy environment variables and their
behavior when multiple are specified, overriden etc.
add single wildcard '*' checking for no_proxy to
determine_hostname_resolver, special case per curlopt_noproxy
documentation
* check curlopt_noproxy before accessing it
* switch argument from --no-proxy to --noproxy like curl cli
* check if host name is a subdomain of an noproxy item
* use strdup where destination working_state.curlopt_proxy may be NULL
* add disclaimer about uppercase HTTP_PROXY
* add subdomain checks for each item in the no_proxy, if the target host is a subdomain proxy wont resolve it
add function ip_addr_inside_cidr, use it for checking possible cidr ranges given in the no_proxy
* wip tests that work on local perl http/https server
* wip tests that work on the live debian image
* fix subnet definition
* make apache2 listen on [::1] for ipv6 tests
* remove squid certificate
* rewrite ip_addr_inside_cidr, split ipv4 and ipv6 parsing path and copy them to a shared buffer later on for prefix check
* Adapt tests for the squid sever, disable checking return code for socks 4/5 proxies. Squid does not support it, and we do not install a capable proxy for these schemes.
* specify localhost acl and allow it through the proxy. used in check_curl tests
* typo in comment
* move function comments to header
* fix failing tests
* handle case where proxy is set as empty string
* removed duplicate tests, corrected wrong comments
* corrected some annotations
* move docker apache subdomain setup files to /tools/subdomain1
* add a newline before dying in handle_curl_option_return_code
* fix the -ssl better, now does not segfault on empty --ssl argument as well.
---------
Co-authored-by: Ahmet Oeztuerk <Ahmet.Oeztuerk@consol.de>
previously, the fragment was sent in the request from client, and the
server would parse and increment its value. the incremented value would
be set in the redirected URI.
this does not work as fragments are meaningless to servers and clients
like check_curl strip them in their GET request.
rewrite the fragment handling . if client sends a URI parameter with
'fragment' as its key, the server will set its value for its redirected
URI. it will come up both as a parameter and the fragment at the end.
use this new logic to rewrite the fragment redirection test. remove -p
$http_port argument on tests for this endpoint, which was making https
tests fail. correct the common test count from 75 to 95, as there are 20
total test assertions in the 8 times it uses the new endpoint. remove
unused code on that endpoint as well
use the parameters in the last redirected URI that that server returns
HTTP OK to. matches the incrementation count of redirection_count from 0
to 3, as they also get incremented three times alongside it. add
comments about what is happening in the test cases, no need to
understand the endpoint completely
plugins/tests/check_curl.t forks and runs a http(s) server that responds
to specific uri endpoints. Added another endpoint under
/redirect_with_increment with dynamic redirection points.
This endpoint will parse different parts of the uri that come after the
path: parameters, query and the fragment. If applicable, seperate
elements within each field are parsed into key/value pairs. value is
incremented in redirected URI.
Tests if check_url redirection logic retains different parts of the url
when parsing the uri and building the new redirected URL. Current tests
show that it ignores the fragment part.
This commit moves the state retention logic to check_snmp as it is only
used there and I do not want it to be used at all, so it doesn't get a
place in the lib.
Otherwise this adapts tests and fixes the rate computing in the
refactored version of check_snmp.
Also fixes some bugs detected with the tests
Having a webserver respond with a relative redirect as for ex. in `Location: /path/to.html`
check_curl would use the wrong standard http/https port instead
of crafting the absolute url using the given scheme/hostname and port.
Adding a new test case for this for check_http and check_curl. check_http did
it correct already, so no fix necessary there.
before:
%>./check_curl -H 127.0.0.1 -p 50493 -f follow -u /redirect_rel -s redirected -vvv
**** HEADER ****
HTTP/1.1 302 Found
...
Location: /redirect2
...
* Seen redirect location /redirect2
** scheme: (null)
** host: (null)
** port: (null)
** path: /redirect2
Redirection to http://127.0.0.1:80/redirect2
fixed:
%>./check_curl -H 127.0.0.1 -p 50493 -f follow -u /redirect_rel -s redirected -vvv
**** HEADER ****
HTTP/1.1 302 Found
...
Location: /redirect2
...
* Seen redirect location /redirect2
** scheme: (null)
** host: (null)
** port: (null)
** path: /redirect2
Redirection to http://127.0.0.1:50493/redirect2
Signed-off-by: Sven Nierlein <sven@nierlein.de>
$ make test
[...]
perl -I .. -I .. ../test.pl
No application (check_curl) found for test harness (check_curl.t)
No application (check_snmp) found for test harness (check_snmp.t)
./t/check_procs.t ...... ok
./tests/check_nt.t ..... ok
./tests/check_procs.t .. ok
All tests successful.
Files=4, Tests=73, 8 wallclock secs ( 0.05 usr 0.02 sys + 0.38 cusr
0.22 csys = 0.67 CPU)
Result: PASS
Signed-off-by: Christian Kujau <lists@nerdbynature.de>
sslutils used to load only the first certificate when it was given a
client certificate file.
Added tests for check_http to connect to a http server that expects a
client certificate (simple and with chain).
Signed-off-by: Tobias Wiese <tobias@tobiaswiese.com>
when using check_snmp with multiple oids it simply printed the unparsed content
from -w/-c into the thresholds for each oid. So each oid contained the hole -w
from all oids.
./check_snmp ... -o iso.3.6.1.2.1.25.1.3.0,iso.3.6.1.2.1.25.1.5.0 -w '1,2' -c '3,4'
before:
SNMP ... | HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0=393216;1,2;3,4 HOST-RESOURCES-MIB::hrSystemNumUsers.0=24;1,2;3,4
after:
SNMP ... | HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0=393216;1;3 HOST-RESOURCES-MIB::hrSystemNumUsers.0=24;2;4
This also applies to fixed thresholds since check_snmp translates negative infinities from: '~:-1' to '@-1:~'
one of the first ps commands in the configure.ac is `axwo 'stat comm vsz rss user uid pid ppid args'` which
works on most modern linux systems (checked debian 10/11 and centos 7/8). But this test misses the etime
argument. Therefore `check_procs --metric=ELAPSED` does not work.
To fix this, we simply do the same test including etime before that one.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
check_http closes the connection after checking the certificate with -C. This leads to sigpipe
errors when the ssl daemon wants to send a response and the daemon quits which makes the
subsequent tests fail.
check_curl crashes when a (broken) http server returns invalid http header with
leading spaces or double colons. This PR adds a fix and a test case for this.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
the certificate used to test expired http checks is to old to be used
with recent ssl libraries and results in:
> SSL routines:SSL_CTX_use_certificate:ee key too small
unfortunatly the error is only visible when setting $IO::Socket::SSL::DEBUG in
the check_http.t file.
The check_snmp rate tests depend on the exact amount of time spend between the
plugin runs and will fail on busy machines, ex. the ci servers. Using faketime
mitigates this issue and also removes all the sleeps.
Signed-off-by: Sven Nierlein <sven@nierlein.de>
