Monitor SaaS website which gets delivered by CDN

Hi forum
I’d like to monitor a SaaS provider’s website which is hosted on AWS.
Upon setting up the “Check HTTP service” I noticed that the URL is always delivered not by the provider but by Cloudflare.
So I get the following results:
- SSL Cert check only works when disabling SNI (because hostname FQDN does not match the delivered Cloudflare cert)
- URL check results in an "HTTP/1.1 400 Bad Request" if only port 443 is checked, but that’s also an answer from Cloudflare. If “Use SSL” is enabled, Checkmk reports “CRITICAL - Cannot make SSL connection.” - whether SNI is enabled or not.
Is there a possibility to make the check behave like the browser?

BR
Thomas

With check_http it should be possible to get the same result as your browser.
What do you see on the command line if you test with check_http and the verbose option?

Hi Andreas
check_http as classical Nagios plugin?
I saw yesterday that the native check is executed by “check_mk_active-http”, and I think in former times it has been check_http. Is it still shipped in 1.6p17 anyways?

BR Thomas

This is only a wrapper to build the command line for “check_http”.
It is the same as before.

Hi Andreas
these are my current settings:

The service check command looks like this:
check_mk_active-http!'--ssl' '-p' '80' 'proxy-ip' 'SaaS-website:443'

I also tried changing the “HTTP Method” settings and redirect settings, with no luck.
Result is always:
[image]

BR
Thomas

Please check on the command line the following syntax.

check_http -I PROXYHOST -p PROXYPORT -H FQDN -u RELATIVE-URI -S -j CONNECT

If this is working you only have to find the correct settings for the WATO rule or configure this check with classic active / passive checks :)

From the check_http man page:

```
CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT:

    check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com
    all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>
    a STATE_OK will be returned. When the server returns its content but exceeds
    the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
    a STATE_CRITICAL will be returned. By adding a colon to the method you can set the method used
    inside the proxied connection: -j CONNECT:POST
```

Hi Andreas
Thank you for the hint: the method needed to be changed to CONNECT and voilà, it works.
Many thanks :)

BR Thomas
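
How a certificate check through a forward proxy works in general, as an added example that is not part of the thread and not check_http's own code: the client first asks the proxy for a tunnel with HTTP CONNECT, and only then starts TLS with the target's FQDN as SNI, so the certificate is validated against the SaaS hostname rather than against whatever answers first. The function names and the placeholder hosts are assumptions.

```python
import socket
import ssl

MAX_HEAD = 65536  # refuse oversized proxy replies

def build_connect_request(target_host: str, target_port: int) -> bytes:
    """HTTP/1.1 CONNECT request asking the proxy for a raw tunnel to the target."""
    authority = f"{target_host}:{target_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def parse_proxy_status(response_head: bytes) -> int:
    """Return the status code of the proxy's reply; raise if it is not HTTP."""
    status_line = response_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def check_via_proxy(proxy_host, proxy_port, target_host, target_port=443, timeout=10.0):
    """Open a CONNECT tunnel, then run TLS with SNI and hostname verification.
    Returns the notAfter field of the target's certificate."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = sock.recv(4096)
            if not chunk or len(head) > MAX_HEAD:
                raise ConnectionError("no complete answer to CONNECT from proxy")
            head += chunk
        status = parse_proxy_status(head)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        ctx = ssl.create_default_context()  # verifies chain and hostname
        # server_hostname sets SNI and is the name the certificate must match
        with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
            return tls.getpeercert()["notAfter"]
    finally:
        sock.close()

if __name__ == "__main__":
    # Placeholder names (assumptions); replace with your proxy and the SaaS FQDN.
    print(check_via_proxy("proxy.example.internal", 80, "saas.example.com"))
```

A TLS failure here raises `ssl.SSLCertVerificationError`, which separates a certificate problem on the target from a proxy that refused the tunnel.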