Http_check proxy problems

AxisNL · February 15, 2022, 1:53pm

CMK version: 2.0.0p19 (CRE)
OS version: Ubuntu 20.04LTS

Hey guys it looks like Checkmk is messing up http requests when a proxy is configured… If I configure a simple http check with a proxy on port 8080, CheckMK will add that port to the host header, which is should not do.

curl works fine:

$curl -v http://www.google.com -x proxy.company.local:8080
*   Trying 10.250.65.43:8080...
* TCP_NODELAY set
* Connected to proxy.company.local (10.123.123.43) port 8080 (#0)
> GET http://www.google.com/ HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.68.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 15 Feb 2022 13:46:57 GMT

But if configure a check in the simplest form:

hostname: www.google.com
proxy server address: proxy.company.local
proxy tcp port: 8080

It fails. Doing a packet capture, I see checkmk is setting the host header to ‘www.google.com:8080’ which obviously isn’t going to work.

Transmission Control Protocol, Src Port: 41176, Dst Port: 8080, Seq: 1, Ack: 1, Len: 118
Hypertext Transfer Protocol
    GET / HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.1\r\n]
            [GET / HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.1
    User-Agent: check_http/v2.3 (monitoring-plugins 2.3)\r\n
    Connection: close\r\n
    Host: www.google.com:8080\r\n
    \r\n
    [Full request URI: http://www.google.com:8080/]
    [HTTP request 1/1]

I assume this is a bug that needs fixing…

Oh, and by the way, if I set the website’s port to port 80, then checkmk tries to send the host header www.google.com:80:8080 which is even worse

andreas-doehler · February 15, 2022, 9:46pm

Can you please show the complete configuration of your HTTP check and the check command how it is shown like here. You command will look different but only with the command we can see what is really missing.

AxisNL · February 16, 2022, 3:46pm

This is the command I have now:

Service check command check_mk_active-http!'-u' '/' '-t' 10 '-p' '8080' 'proxy.domain.local' 'www.google.com:80'

This is from the summary:

Service name: Proxy Check (google.com)
Host settings: 
  Hosts name / IP address: www.google.com
  TCP Port: 80
Use proxy: 
  Proxy server address: proxy.domain.local
  TCP Port: 8080
Mode of the Check: 
  Check the URL,
    URI to fetch (default is /): /
    Seconds before connection times out: 10 sec
Advanced: Disable SSL/TLS hostname extension support (SNI):

AxisNL · March 12, 2022, 4:47pm

@andreas-doehler , any news on this?

andreas-doehler · March 12, 2022, 8:19pm

The options should look like this.

-I proxy.domain.local -p 8080 -u 'http://www.google.com'

The “-I” is not needed if the proxy host is the last argument. The generated config line has the proxy name at the end without the “-I” and it is working.
This is how it looks inside the setup.

Result: '-u' 'http://www.google.com' '-4' '--sni' '-p' '8080' 'proxy.domain.local'
I would say that the “Use proxy” option is not only a little bit broken, it is useless

AxisNL · March 27, 2022, 7:34pm

Yeah thanks, this works! At least for http it does. For https it doesn’t, even though i use the CONNECT method. But hey, even plain http helps me to test my proxy cluster’s connectivity.

cg1603 · February 17, 2023, 8:41am

Hello, this workaround doesn’t work for me because I also have a Proxy registration.
After a long search, this solution was found:

[Integrate Nagios plugins]
check_http -I proxy.local -p 8080 -u http://www.intranet.net/ -b user:password -w 1 -c 5 -v GET http://www.intranet.net/ HTTP/1.1

check_http fails to present proxy credientials - View topic • Nagios Support Forum

It is a pity that CheckMK does not work as expected with the standard check.

T.Schmitz · April 17, 2023, 8:56am

Hi all,

I’ve testet the Proxy with the Website Monitoring in the checkmk 2.2 Beta, and it is working as expected.

It seems that this werk has fixed the issue: check_http: Consolidate host and proxy settings

flameshretoos · December 16, 2023, 11:15pm

It looks like there might be an issue with how Checkmk is handling HTTP requests when a proxy is configured, specifically with the Host header. The problem you described suggests that Checkmk is incorrectly appending the proxy port to the Host header. While I can provide general advice on troubleshooting and potential workarounds, keep in mind that specific issues with software like Checkmk may require assistance from the Checkmk community or support channels.

andreas-doehler · December 17, 2023, 7:19am

The check itself is not done by CMK. All the check_http is an external check binary from here.
→ https://www.monitoring-plugins.org/
One of the problems that can be CMK related is the building of the command line to check_http.

flameshretoos · December 18, 2023, 5:28pm

It looks like there might be an issue with how Checkmk is handling HTTP requests when a proxy is configured, specifically with the Host header. The problem you described suggests that Checkmk is incorrectly appending the proxy port to the Host header. Be aware of the security of your data when using and when you want to buy proxies. While I can provide general advice on troubleshooting and potential workarounds, keep in mind that specific issues with software like Checkmk may require assistance from the Checkmk community or support channels.

system · December 17, 2024, 5:29pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.