Monitor SaaS website which gets delivered by CDN

wittmannthom · October 12, 2020, 11:26am

Hi forum
i’d like to monitor a SaaS’ providers website which is hostet on AWS.
Upon setting up the “Check HTTP service” i noticed that the URL is always delivered not by the provider but by Cloudflare.
So i get the following results:
-SSL Cert check only works when disabling SNI (because hostname FQDN does not match the delivered Cloudflare cert)
-URL check results in an " HTTP/1.1 400 Bad Request" if only port 443 is checked, but thats also an answer from Cloudflare. If “Use SSL” is enabled, Checkmk reports “CRITICAL - Cannot make SSL connection.” - whether SNI is enabled or not.
Is there a possibility to make the check behave like the browser?

BR
Thomas

andreas-doehler · October 12, 2020, 3:04pm

With check_http it should be possible to get the same result as your browser.
What do you see on the command line if you test with check_http and the verbose option?

wittmannthom · October 13, 2020, 6:38am

Hi Andreas
check_http as classical Nagios plugin?
I saw yesterday that the native check is executed by “check_mk_active-http”, and i think in former times it has been check_http. Is it still shipped in 1.6p17 anyways?

BR Thomas

andreas-doehler · October 13, 2020, 7:30am

This is only a wrapper to build the command line for “check_http”.
It is the same as before.

wittmannthom · October 14, 2020, 10:44am

Hi Andreas
that are my current settings:

The service check command looks like this:
check_mk_active-http!’–ssl’ ‘-p’ ‘80’ ‘proxy-ip’ ‘SaaS-website:443’

I also tried changing the “HTTP Method” settings and redirect settings, with no luck.
Result is always:
grafik

BR
Thomas

andreas-doehler · October 14, 2020, 2:43pm

Please check on the command line the following syntax.

check_http -I PROXYHOST -p PROXYPORT -H FQDN -u RELATIVE-URI -S -j CONNECT

If this is working you have only to find the correct settings for the WATO rule or configure this check with classic active / passive checks

from the check_http man page

 CHECK SSL WEBSERVER CONTENT VIA PROXY USING HTTP 1.1 CONNECT:

     check_http -I 192.168.100.35 -p 80 -u https://www.verisign.com/ -S -j CONNECT -H www.verisign.com 
     all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> -S(sl) -j CONNECT -H <webserver>
     a STATE_OK will be returned. When the server returns its content but exceeds
     the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,
     a STATE_CRITICAL will be returned. By adding a colon to the method you can set the method used
     inside the proxied connection: -j CONNECT:POST
    ```

wittmannthom · October 15, 2020, 10:39am

Hi Andreas
thank you for the hint: the method needed to be changed to CONNECT and voila it works
Many thanks

BR Thomas

wittmannthom · October 27, 2020, 9:57am

Hi Andreas
something is still weird here.
I have set the HTTP method to CONNECT and it seemed to work, as also Service custom notes to “https://$HOSTNAME$” opens the correct webpage.
But… yesterday we had a “404 error page not found” over several hours, page could not load but the check itself did not recognize this.
Sorry iam totally new to this “SaaS over CDN thingy”, do i miss some understanding here?

best regards
Thomas

system · October 27, 2021, 9:57am

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.