Check_httpv2 improperly handling CSP header

After updating my CheckMK to 2.3 I found out about the new httpv2 check. Some checks give the error "invalid HTTP header parsed". I found out that it is due to the following CSP response header:

  add_header  Content-Security-Policy "default-src 'self';
                                       img-src 'self' https://*.tile.openstreetmap.de https://extensionscdn.joomla.org data: blob:;
                                       style-src 'self' 'unsafe-inline';
                                       script-src 'self' 'unsafe-inline' 'unsafe-eval';
                                       object-src 'self';
                                       font-src 'self' data:;
                                       connect-src 'self' https://appscdn.joomla.org;
                                       frame-ancestors 'self';
                                       base-uri 'self';
                                       form-action 'self';
                                       frame-src 'self' https://login.schulmanager-online.de ";

Commenting it out on the webserver solved the error; nevertheless I would like to find out how I can fix the issue, so that those CSP headers are parsed correctly and don't crash the check.

CMK version: CRE 2.3.0
OS version: Ubuntu Server 22.04

Error message:
error sending request for url (https://redacted/): invalid HTTP header parsed (?)

Output of "cmk --debug -vvn hostname":
output not visibly related to the error

Did you define those headers in the check_httpv2 config as well?

Like:

./check_httpv2 … --header 'Access-Control-Allow-Origin:*' --header Server:gunicorn/19.9.0

From the man page which is available via --help on the command line:

  -k, --header <HEADERS>
          Additional header in the form NAME:VALUE. Use multiple times for additional headers

Thank you for your reply. My original check is
check_mk_active-httpv2!--url https://redacted --method GET --auth-user demo --auth-pw-pwstore redacted/stored_passwords --status-code 200 --certificate-levels 40,20

Running this in the cmk shell with --auth-pw-plain, the output of the following command

OMD[cmk]:~$ $HOME/lib/nagios/plugins/check_httpv2 --url https://redacted --method GET --auth-user redacted --auth-pw-plain redacted

is

error sending request for url (https://redacted/): invalid HTTP header parsed (?)
error sending request for url (https://redacted/): invalid HTTP header parsed (?)

Even with --header given

OMD[cmk]:~$ $HOME/lib/nagios/plugins/check_httpv2 --url https://redacted --method GET --auth-user redacted --auth-pw-plain redacted --header 'Access-Control-Allow-Origin:*'

the output is

error sending request for url (https://redacted/): invalid HTTP header parsed (?)
error sending request for url (https://redacted/): invalid HTTP header parsed (?)

What kind of headers are accepted?

Access-Control-Allow-Origin was just an example that I use for my local endpoints.

You can do the following to find it out:

curl -sD - yoururl -o /dev/null

I come across the following response:

HTTP/1.1 401 Unauthorized
Server: nginx/1.25.5
Date: Mon, 27 May 2024 21:39:14 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="QA"

Using curl with -u and --basic I get the expected response, but using it together with -sD I receive the html body of a 401, which I am not understanding atm - but seems to be a problem with the webserver config rather than the check plugin, amirite?
Thank you so far!

Hi folks,
if you are stumbling across the same error, I found out what was causing it.
Having an nginx configuration like the one above, where the CSP directives are separated by a semicolon plus additional line breaks and whitespace, does not work well with the check_httpv2 plugin, and is furthermore discouraged, as the proper syntax would be

Content-Security-Policy: <policy-directive>; <policy-directive>

but not

Content-Security-Policy: <policy-directive>;[\r\n]
[......whitespaces......]<policy-directive>

Therefore, fixing this erroneous nginx configuration makes the check plugin work.

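Added example (not from this thread, from Checkmk or from check_httpv2): a small Python script that flags a header value carrying the line folding described in the last post, and rebuilds the policy in the single-line form the check plugin accepts. The sample value is constructed from the nginx configuration quoted above; the indentation is shortened.

```python
import re

# Constructed sample: the CSP value as nginx sends it when the add_header
# string in the thread spans several lines (line breaks and indentation kept).
FOLDED_CSP = (
    "default-src 'self';\r\n"
    "        img-src 'self' https://*.tile.openstreetmap.de data: blob:;\r\n"
    "        style-src 'self' 'unsafe-inline';\r\n"
    "        frame-ancestors 'self' "
)

# RFC 9110 allows only visible ASCII, SP, HTAB and obs-text in a field value.
# CR, LF and the other C0 controls are invalid; CRLF followed by SP/HTAB
# (obsolete line folding) is what a strict HTTP client rejects outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def header_value_problems(value: str) -> list:
    """Return why a header field value would be rejected (empty list = OK)."""
    problems = []
    if re.search(r"\r?\n[ \t]", value):
        problems.append("obsolete line folding (line break followed by whitespace)")
    elif "\r" in value or "\n" in value:
        problems.append("bare CR or LF inside the field value")
    others = set(_CONTROL_CHARS.findall(value)) - {"\r", "\n"}
    if others:
        problems.append("other control characters: %r" % sorted(others))
    return problems


def parse_csp(value: str) -> dict:
    """Split a CSP value into {directive: [sources]}, tolerating folding."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()  # str.split() swallows CR, LF and indentation
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def normalize_csp(value: str) -> str:
    """Rebuild the policy on one line: '<directive> <sources>; <directive> ...'."""
    return "; ".join(" ".join([name] + srcs) for name, srcs in parse_csp(value).items())


if __name__ == "__main__":
    print("folded value:    ", header_value_problems(FOLDED_CSP))
    fixed = normalize_csp(FOLDED_CSP)
    print("normalized value:", header_value_problems(fixed))
    print(fixed)
```

Running it against `curl -sD -` output from your own server (one header value per call) shows whether a folded value is what the plugin is choking on before you touch the nginx configuration.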
