[ZBX-11864] Standard HTTPS check fails on IPv6 Created: 2017 Mar 02  Updated: 2024 Apr 10  Resolved: 2017 Mar 20

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 3.2.3
Fix Version/s: 2.2.18rc1, 3.0.9rc1, 3.2.5rc1, 3.4.0alpha1

Type: Incident report Priority: Minor
Reporter: Roy Sigurd Karlsbakk Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: https
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS 7

Team: Team C
Sprint: Sprint 3
Story Points: 1.5

 Description   

We have IPv6 on most of our equipment, and some machines run totally on v6. I added a couple of servers to my Zabbix test setup, and the HTTPS check failed. This was both a machine on IPv6 only, and another with dualstack. On all dualstack machines, IPv6 is preferred. From the logs, I found this

check_https: curl_easy_perform failed for [2001:x:y:z::205:443]: URL using bad/illegal format or missing URL

:443 should be outside [], like [2001:x:y:z::205]:443

More logs below

  1820:20170301:231844.546 In substitute_simple_macros() data:EMPTY
  1820:20170301:231844.546 In substitute_simple_macros() data:EMPTY
  1820:20170301:231844.546 In get_value() key:'net.tcp.service[https]'
  1820:20170301:231844.546 In get_value_simple() key_orig:'net.tcp.service[https]' addr:'2001:x:y:z::205'
  1820:20170301:231844.547 check_https: curl_easy_perform failed for [2001:x:y:z::205:443]: URL using bad/illegal format or missing URL
  1820:20170301:231844.547 End of get_value_simple():SUCCEED
  1820:20170301:231844.547 End of get_value():SUCCEED
  1820:20170301:231844.547 In activate_host() hostid:10115 itemid:53744 type:3
  1820:20170301:231844.547 End of activate_host()


 Comments   
Comment by Roy Sigurd Karlsbakk [ 2017 Mar 02 ]

As commented on IRC

23:42 < volter > RoyK: I wonder, does it also happen if you specify a name that resolves to an IPv6 address?

It doesn't, that is, it works with choosing "Connect to DNS"

Comment by richlv [ 2017 Mar 02 ]

...and as further discussed on IRC, it's just that Zabbix does not include the IP address in square brackets when ipv6 address is used together with port

Comment by Glebs Ivanovskis (Inactive) [ 2017 Mar 06 ]

The problem is not that port is put inside "[...]" but that "[...]" are not put around IPv6 address (URL and port are set with independent curl_easy_setopt()). Misleading log message can be improved too:

		zabbix_log(LOG_LEVEL_DEBUG, "%s: curl_easy_perform failed for [%s:%hu]: %s",
				__function_name, host, port, curl_easy_strerror(err));

As a workaround you can try net.tcp.service[https,"[{HOST.IP}]"].

Comment by Andrea Biscuola (Inactive) [ 2017 Mar 09 ]

Fixed in svn://svn.zabbix.com/branches/dev/ZBX-11864

Added an explicit check in the check_https() function located in ./src/libs/zbxsysinfo/simple/simple.c:167.
Improved also the failure message in case the check will fail.

Comment by Andris Zeila [ 2017 Mar 14 ]

Successfully tested

Comment by Glebs Ivanovskis (Inactive) [ 2017 Mar 14 ]

(1) I think libcurl will handle URL with IPv6 address even if Zabbix is compiled without --enable-ipv6 option.

abs Of course it boils down on how the customer compiled LibCURL itself (or how it was packaged by the distributor of the system you are using), Do you think we should explicitly deny the functionality IF we encounter an IPv6 address, in the case zabbix is compiled without IPv6 support (BTW, the converse is also true. There is the potential case where Zabbix will be compiled with IPv6 support and LibCURL not)?

glebs.ivanovskis I think that since Zabbix does not do any IPv6 work in this case (except validation and wrapping in "[...]") we should always pass URL to libcurl and see what happens.

abs Make sense, if we get rid of the HAVE_IPV6 check:

#ifdef HAVE_IPV6
	if (SUCCEED == is_ip6(host))
		zbx_snprintf(https_host, sizeof(https_host), "%s[%s]", (0 == strncmp(host, "https://", 8) ? "" : "https://"), host);
	else
#endif
		zbx_snprintf(https_host, sizeof(https_host), "%s%s", (0 == strncmp(host, "https://", 8) ? "" : "https://"), host);

In the worst case the communication between server and agent will not work, but the https checks yes. So, going to get rid of the pre-processor check

abs FIXED in r66360

wiper The is_ip6() function is no defined without HAVE_IPV6 define
REOPENED

abs Right, completely forgot that we can't use that without the HAVE_IPV6 flag glebs.ivanovskis, we must keep the implementation as it was, unless we move the is_ip6() function out from the HAVE_IPV6 range, but this doesn't make sense. IMHO, leave the HAVE_IPV6 condition as it was.

abs Fixed in 66370

Reverted last commit to previous state. Keep the HAVE_IPV6 as conditional compilation

wiper Actually I liked Gleb's idea, so I thought we could simply remove HAVE_IPV6 define for is_ip6() function.

abs RESOLVED in r66373

Me, glebs.ivanovskis and wiper agreed that it's a good idea to have the is_ip6() function generally available.

wiper CLOSED

Comment by Andris Zeila [ 2017 Mar 14 ]

Successfully tested

Comment by Andrea Biscuola (Inactive) [ 2017 Mar 15 ]

Fixed in:

  • 2.2.18rc1
  • 3.0.9rc1
  • 3.2.5rc1
  • 3.4.0alpha1 (trunk)
Generated at Tue Jan 07 15:36:45 EET 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.