net-snmp uses the same pre processor name "USE_OPENSSL" as we do.
To avoid the conflict, this commit renames it on our side to
"MOPL_USE_OPENSSL".
"MOPL" (better "MoPl"?) stands for Monitoring Plugins.
* check_curl: remove unused variables
* check_curl: run formatter on related files
* check_curl_helpers: make code a bit more understandable
* check_curl helpers: general api cleanup and code style
* add proxy argument and improve dns cache usage
add proxy argument that useing the -x and --proxy argument. add it to
the static curl config struct, command usage and help outputs of the
cli.
parse these argument together with the environment variables like
http_proxy before setting the CURLOPT_PROXY in the curl configuration
option. this is required, as there is no easy way to ascertain/get what
the CURLOPT_PROXY that libcurl will use. by the point it is set by
libcurl, we have no control over it anymore, and need it for the other
steps in the configuration.
if the CURLOPT_PROXY is set, skip the DNS cache population which would
set the CURLOPT_RESOLVE. this is currently not perfect however. if a
proxy is set with socks4 or socks5 scheme, the host should be resolving
the hostname.
* codespell, clang-format and hints fixes
* add curl version and ssl enabelement macro checks
might fix rocky linux 8 compilation issues.
* add proxy_resolves_hostname, determined by proxy scheme
leave the functions that print out an curl_easyoption, but dont use it. organize the code slightly, print out the final CURLOPT_PROXY and proxy_resolves_hostname flag on verbose mode, add comments
* remove unused handle_curl_easyoption and format_curl_easyoption functions
* fix typo in the proxy argument
* fix typo with proxy scheme socks5a->socks5h
* improve proxy environment parsing
add another argument: --no-proxy , which is used when setting
CURL_NOPROXY
additionally parse all_proxy, ALL_PROXY, no_proxy and NO_PROXY
environment variables in the correct order.
set the curlopt_proxy and curlopt_noproxy of libcurl, and additionally
save them in check_curl_working_state.
add function determine_hostname_resolver, uses the working state and
static config. it can tokenize the no_proxy variable and check for exact
matches, but cannot determine subnet matches for ip addresses yet.
* document proxy cli arguments
clarify and add more examples of proxy environment variables and their
behavior when multiple are specified, overriden etc.
add single wildcard '*' checking for no_proxy to
determine_hostname_resolver, special case per curlopt_noproxy
documentation
* check curlopt_noproxy before accessing it
* switch argument from --no-proxy to --noproxy like curl cli
* check if host name is a subdomain of an noproxy item
* use strdup where destination working_state.curlopt_proxy may be NULL
* add disclaimer about uppercase HTTP_PROXY
* add subdomain checks for each item in the no_proxy, if the target host is a subdomain proxy wont resolve it
add function ip_addr_inside_cidr, use it for checking possible cidr ranges given in the no_proxy
* wip tests that work on local perl http/https server
* wip tests that work on the live debian image
* fix subnet definition
* make apache2 listen on [::1] for ipv6 tests
* remove squid certificate
* rewrite ip_addr_inside_cidr, split ipv4 and ipv6 parsing path and copy them to a shared buffer later on for prefix check
* Adapt tests for the squid sever, disable checking return code for socks 4/5 proxies. Squid does not support it, and we do not install a capable proxy for these schemes.
* specify localhost acl and allow it through the proxy. used in check_curl tests
* typo in comment
* move function comments to header
* fix failing tests
* handle case where proxy is set as empty string
* removed duplicate tests, corrected wrong comments
* corrected some annotations
* move docker apache subdomain setup files to /tools/subdomain1
* add a newline before dying in handle_curl_option_return_code
* fix the -ssl better, now does not segfault on empty --ssl argument as well.
---------
Co-authored-by: Ahmet Oeztuerk <Ahmet.Oeztuerk@consol.de>
OpenBSD's pledge(2) system call allows the current process to
self-restrict itself, being reduced to promised pledges. For example,
unless a process says it wants to write to files, it is not allowed to
do so any longer.
This change starts by calling pledge(2) in some network-facing checks,
removing the more dangerous privileges, such as executing other files.
My initial motivation came from check_icmp, being installed as a setuid
binary and (temporarily) running with root privileges. There, the
pledge(2) calls result in check_icmp to only being allowed to interact
with the network and to setuid(2) to the calling user later on.
Afterwards, I went through my most commonly used monitoring plugins
directly interacting with the network. Thus, I continued with
pledge(2)-ing check_curl - having a huge codebase and all -,
check_ntp_time, check_smtp, check_ssh, and check_tcp.
For most of those, the changes were quite similar: start with
network-friendly promises, parse the configuration, give up file access,
and proceed with the actual check.
according to https://curl.se/libcurl/c/curl_easy_setopt.html, parameters
are either a long, a function pointer, an object pointer or a curl_off_t,
depending on what the option expects; curl 8.16 checks and warns about
these.
Include the -D flag for certificate verification in the "CHECK
CERTIFICATE" examples. Otherwise, only the certificate dates are
checked, but not if the certificate matches to the hostname or is signed
by a trusted CA.
Fixes#2146.
Check the UriUriA object, and if query string exists append it to the
new_url. Only appends the query part, fragments are still not appended
Function redir parses the new location header value using the
uriParseUriA function already, which populates the query field. This
field was already being printed, but it was not being appended to the
new_url during its construction.
Redirection chain of check_curl --onredirect=follow now mimics the chain
of check_http --onredirect=follow. Tested on the url:
mail.google.com/chat
* check_curl: avoid freeing memory when we don't know where it came from
* check_curl: when using -f sticky conserve IPv6 addresses properly
When running the check on an ipv6 address with a sticky onredirect
policy like in this example:
check_curl -6 -H example.com -I ::1 -f sticky
It results in a getaddrinfo error:
HTTP CRITICAL - Unable to lookup IP address for '[::1]': getaddrinfo returned -3 - Temporary failure in name resolution
This happens because in check_http() if the content of server_addr is an
ipv6 address enclosing brackets are added and on redirection a
subsequent call to check_http() will pass this now bracketed value to
getaddrinfo resulting in the error.
To work around this, strip the brackets from the address prior to the
lookup_host() call.
* add Michael Jeanson to thanks
This commit changes the behaviour of check_curl slightly.
Previously when the redirection method was set to the old 'check_http'
style redirection and there was no "location" header in the original
answer 'check_curl' segfaulted.
Now, at least it dies properly with a message.
This enables us to enable curl cookie engine by specifying an empty
filename as the cookie jar file.
This works, since curl's CURLOPT_COOKIEFILE option allows passing an
empty string as filename, which it interprets as a request to enable the
cookie processing. But since CURLOPT_COOKIEJAR would now attempt to
write to a file named by an empty filename, it would break again (or at
least produce a warning in verbose output).
Overall this is allows to handle checking URLs with cookie based
sessions without persisting the cookies to disk, by using the
curl-internal redirect following.
