Web application servers

I actually requested the same feature in the wrong place (sourceforge).
I solved the problem for now with a external script
see
http://www.zabbix.com/forum/showthread.php?p=66059

I also need the functionality to monitor SOAP web services in my organization.

Other headers configuration:

There are scenarios we need to monitor the availability of a Server simulating a mobile access,
thus would be really useful to add an User-Agent option which would accept all major browsers and explode a MSISDN option for mobile phone access simulation.

At the moment I'm using custom script with wget as external check, to be able to post custom headers:
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: WhateverAction
Without those headers soap web services cannot understand the request correctly.

Any love for this request??

Id like to add an additional voice to this feature. I have several web services that I would like to monitor through the Zabbix web monitoring scenarios. Unfortunately the only piece that is preventing me is the ability to send the proper 'Content-Type:' header. With the ability to choose or set the type to application/soap+xml or application/json I would be able to perform all of my monitoring via web scenarios. As it is now I'm doing the checks via external scripts. I like all the built-in metrics I get via web monitoring.

It seems like a drop down with the choices; application/x-www-form-urlencoded, text/xml, application/soap+xml, and application/json would cover better than 80% of the web sites and services out there. A free form text box with the default of application/x-www-form-urlencoded would work as well and keep things backwards consistent/compatible.

Thanks.

+1

I'd like to see that feature. For what I'm using it, it would be great to set the Accept-Language HTTP header in order to clearly define the language for multi-language websites. Otherwise, when the websites' default changes, string tests etc. will fail for sure.

Thank you.

+1

I need to change the header to alter the Host option in other to make it work with vhost sites. If the request is sent to target webserver without this option, the server dosent recognize and shows a forbiden.

~$ curl -H 'Host: my.vhostsome.domain.com' http://webserver:8000/healthcheck

<html>
<body>
WORKING
</body>
</html>

~$ curl http://webserver:8000/healthcheck

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>

~$

Same as above, we have several SOAP interfaces which require different header values.

+1
Same as above, we have several project which require different headers settings.

+1 for me too.

The app I want to monitor returns an OAuth2 token in a JSON response upon login. With the new regex macro functionality in Zabbix 2.2 I can now extract that information from the login response but I need to set "Authorization" and "Cookie" headers with the extracted tokens if I want to be able to request any other pages after login.

I was hoping this ticket would have been fixed while the other Web Monitoring changes were being made.

pls add this feature... it's simple for u! http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTHTTPHEADER

There is a community patch for this on https://www.zabbix.com/forum/showpost.php?p=137347&postcount=12

+1 from me.

I'd love for this to be put into 2.2. We run a lot of multi-server applications that run through a load-balancer. It'd be nice to run web-checks against each node specifically rather than having the load-balancer always redirect us to the same server.

Simple HTTP checks are easy to do with an external script, but having this ability for entire Web Scenarios would make things so much easier.

+1 from me.

Yes +1 please add this. I need it for a monitoring solution I'm putting together for Yahoo. Need to be able to add a multipart Content-Type with boundary, and possibly other headers. I'll try the community patch, hopefully that will work, but it would be nice if it were built in already.

Please implement this. This will make monitoring behind a load balancer so much more straightforward and easier.

It could be really usefull!

Apparently, this feature isn't on the roadmap (see richlv's comment here https://support.zabbix.com/browse/ZBXNEXT-2136) so we're going to bypass the built in web monitoring. This is rather annoying as a result (we may look at using the community supplied patch) due to requirements of our web apps. We have our load balancers add http-headers for various things that are absolutely required for our web applications to function correctly. Since zabbix can't do this natively, we've had to go outside of Zabbix. I'm working on a local script that uses zabbix trappers to do requests and will update the issue once I've got something I can share.

I faced the same issue with some customers who needed to monitor a particular virtual host on different webserver, to work around this limitation, I found particularly useful a nagios plugin called: check_http which accepts a "-H" option in order to pass the required vhost, as well as any other header with the "-k" parameter, it can be easily integrated as external check or UserParameter depending on where you need to start the check from.

ive use the same plugin, but it will be good to have an option in zabbix to do that. Because if i use the plugin i lost the power of web monitoring (steps etc)

Hi,

I have released a patch that applies zabbix 2.2.x version to support custom Headers and custom SSL configuration.
You can find it at http://mamux.org/?p=453

Hi Miguel,
Many thanks for this great patch, we appreciate it!
Since we also need this functionality, please Zabbix add this feature asap to your roadmap!
If you're monitoring in a load balanced environment you're too limited with the standard web monitoring features from zabbix.

+1
Without it monitoring each reverse proxy of our farm it's impossible.

This feature is a MUST.
Many people understand "monitoring" as Web monitoring, and they're right, it's essential. I don't know how to explain to my bosses that Zabbix (our department flagship) can't monitor several nodes of a single web cluster, a very reasonable expectation.

PLEASE add it as soon as possible!, it's not about our particular needs, it's about the success of Zabbix itself!

FWIW, I installed Miguel's patch on 2.2.2 and it works great! I'm now using Zabbix to test the internals of my web application. Please add Miguel's patch to Zabbix core.

Great work, Miguel! Your patch is very nice and clean, it works, however it contains memory leaks (header_slist) and is not complete since it does not support templates. So, guys, please use it with care.

Anyway, the functionality will be implemented in Zabbix 2.4. We are working on it, a specification will be ready very soon. I'll keep you updated.

Thanks Alexei!

I have fixed the memory leak and updated the patches. It was very obvious but I didn't realize at all, sorry (Actually I am a system administrator not a C programmer).

If I have some free time I will try to implement template support too, we need it at work and I am not sure we can wait to 2.4.

Hi again,

I have updated the patches to support templates and added a new patch for 2.2.3 version.

I have detected and fixed an incorrect behaviour between httpsteps. Header information from previous httpsteps were not cleaned correctly. Please update your patches asap

(1) once this is implemented, it should be checked whether ZBXNEXT-385 is solved - if so, it should be closed

<richlv> closed it as a duplicate, CLOSED

(2) once this is implemented, it should be checked whether ZBXNEXT-173 is solved - if so, it should be closed

<richlv> closed it as a duplicate, CLOSED

Specification available at https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282.

Specification look great. Some suggestions from my web monitoring practice:

1.) New step item - received bytes - "page weight"
Use case: Site with app error is usually lighter as site in standard state. User can define trigger, which will raise event if site has not minimal weight, e.g.: web.test.in[www.site.com,Index,weight]<100000

2.) New item - resolved IP address
Use case: user wants to check if DNS record wasn't changed (problem if your domain has been stolen, poisoned DNS cache, ...)
Or better concept - can you create simple check dns.resolve[<domain>,<timeout>]

3.) Advance time logging
This can be optional/default will be current state (only total time):
curl_easy_perform() provide various times:
-NAMELOOKUP
--CONNECT
---APPCONNECT
----PRETRANSFER
-----STARTTRANSFER
------TOTAL
Also graphs can be updated (stacked subtimes = total time), so from graph can show potential problems in time scale (unusual high namelookup time - problem with DNS, ...). Some user wants to know also first-byte time (STARTTRANSFER) - see forum, so this feature can be useful.
https://www.zabbix.com/forum/showthread.php?t=44933

4.) Upload file
https://www.zabbix.com/forum/showthread.php?t=43387
Use case: user want to test upload feature. Probably this will be possible with custom headers + post params with @ e.g.: filename=@/<absolute_path_on_zabbix_server>/test_file.jpg
But keep this feature safe

from that list, item number 2 seems to be "net.dns.record" (although currently only supported on agents, not as a simple check) : https://www.zabbix.com/documentation/2.2/manual/config/items/itemtypes/zabbix_agent

Implemented and committed in r45104, branch svn://svn.zabbix.com/branches/dev/ZBXNEXT-282.
(3) New translation strings:

• 'Incorrect follow redirects value for step "%1$s" of web scenario "%2$s".'
• 'Incorrect retrieve mode value for step "%1$s" of web scenario "%2$".'
• 'Incorrect SSL verify peer value for web scenario "%1$s".'
• 'Incorrect SSL verify host value for web scenario "%1$s".'
• 'Empty SSL key file for web scenario "%1$s".'
• 'Empty SSL certificate file for web scenario "%1$s".'
• 'Headers'
• 'SSL verify peer'
• 'SSL verify host'
• 'SSL certificate file'
• 'SSL key file'
• 'SSL key password'
• 'Follow redirects'
• 'Retrieve only headers'

Changed translation strings:

• 'Basic authentication' => 'Basic'
• 'NTLM authentication' => 'NTLM'

jelisejev I've removed some of the strings that have already been present in the frontend. CLOSED.

(4) [F] An undefined index error appears after creating a web scenario:

Created: Web scenario "Test" on "Zabbix server".
Undefined variable: httptestid [ in /opt/lampp/htdocs/zabbix/ZBXNEXT-282/frontends/php/httpconf.php:302]

kristsk RESOLVED in r45274.

jelisejev CLOSED.

(5) [F] The "Info" cell is displayed blank for new web scenarios.

kristsk RESOLVED in r45274.

jelisejev

1. The "Info" column should not be displayed for template web scenarios.
2. $httpTestsLastData must only be populated if the "Info" column will be displayed.

kristsk RESOLVED in r45535.

jelisejev CLOSED.

(6) [F] Please add some space between the "page content" and "page headers" radio buttons in the web scenario step configuration form.

jelisejev The space should be added using CSS margin instead of nbsp.

kristsk RESOLVED in r45535.

jelisejev I've decreased the margin to 10px in 45562, please review.

kristsk CLOSED.

(7) [F] The new fields are not inherited when linking a template to a host. How to reproduce:

1. Create a template with a web scenario, fill in all of the scenario fields.
2. Link the template to a host.
3. Open the inherited web scenario on the host, the new fields are empty.

kristsk RESOLVED in r45274.

jelisejev CLOSED.

(8) [F] This note in the spec was a bit misleading: "Headers should be validated to contain max 2048 characters.". This limitation is only applied to Oracle and DB2 databases and the validation is performed for all "text" type fields in DB::checkValueTypes(). So additional validation on the API level is not required.

I've removed the note from the spec.

kristsk RESOLVED in r45274.

<richlv> as discussed, let's return the information in the spec (mentioning that this is handled by the db layer) - functionally, that's important and should be documented

jelisejev Added it to the spec: https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282#Validation CLOSED.

(9) Regarding CHttpTest::checkSslParameters():

• The checkSslParameters() shouldn't load the "ssl_cert_file" and "ssl_key_file" values itself. They should be passed from the update() method and then added to the input using extendFromObjects(). See how it's done in CHostPrototype::validateUpdate().
• Numeric enum values should be validated using the CSetValidator() instead of in_array().

kristsk RESOLVED in r45535.

jelisejev

1. In CHttpTest::create() if you use references in a foreach loop, it must always be unset after the loop.
2. When using a CSetValidator, you should pass the error to the validator and run it using the CApiService::checkValidator() method.

kristsk RESOLVED in r45655.

jelisejev CLOSED.

(10) Some of the error message should be correct to be more consistent with others:

• "Bad value for "verify_peer" parameter." -> "Incorrect SSL verify peer value for web scenario "%scenarioName%"." (the same for other similar messages);
• "Bad value for "follow_redirects" parameter for step "%1$s"." -> "Incorrect follow redirects value for step "%stepName%" of web scenario "scenarioName"."
• "SSL key file is required for SSL cert file." -> "Empty SSL key file for web scenario "%scenarioName%"."

kristsk RESOLVED in r45535.

jelisejev CLOSED.

(11) The following API request must trigger an error, since it doesn't contain the "ssl_key_file" parameter. Yet, it's executed successfully.

{
    "name": "Homepage check233457",
    "hostid": "10084",
    "ssl_cert_file": "file",
    "steps": [
        {
            "name": "Homepage",
            "url": "http://mycompany.com",
            "status_codes": 200,
            "no": 1
        },
        {
            "name": "Homepage / About",
            "url": "http://mycompany.com/about",
            "status_codes": 200,
            "no": 2
        }
    ]
}

kristsk RESOLVED in r45535.

jelisejev CLOSED.

(12) The following API request triggers an empty error (note the incorrect "follow_redirects" value):

{
    "name": "Homepage check23345756",
    "hostid": "10084",
    "steps": [
        {
            "name": "Homepage",
            "url": "http://mycompany.com",
            "status_codes": 200,
            "no": 1,
            "follow_redirects": 2
        },
        {
            "name": "Homepage / About",
            "url": "http://mycompany.com/about",
            "status_codes": 200,
            "no": 2
        }
    ]
}

kristsk RESOLVED in r45535.

jelisejev CLOSED.

(13) Please also add constants for the "verify_peer", "verify_host" and "follow_redirects" properties.

kristsk RESOLVED in r45535.

jelisejev I've replaced some left over values in r45564, please review.

kristsk CLOSED.

(14) [F] Undefined index.

This error message appears when creating a web scenario with 1 step directly on a host level:

• Undefined index: httptestid [httpconf.php:291 → CFrontendApiWrapper->create() → CApiWrapper->__call() → CFrontendApiWrapper->callMethod() → CApiWrapper->callMethod() → CFrontendApiWrapper->callClientMethod() → CLocalApiClient->callMethod() → call_user_func_array() → CHttpTest->create() → CHttpTest->validateCreate() → CHttpTest->checkSslParameters() in <path hidden>/branches/dev/ZBXNEXT-282/frontends/php/api/classes/CHttpTest.php:783]
• Created: Web scenario "zabbix" on "Zabbix server".

Steps to reproduce:

• choose Web scenario link on a host level
• click Create scenario
• set Name to "zabbix"
• select Steps tab
• click Add to add a step
• set Name and URL to "http://www.zabbix.com"
• click Add
• click Save

Database used: PostgreSQL

kristsk RESOLVED in r45535.

jelisejev CLOSED.

We were discussing today this part of the spec:

Retrieve         (X) page content ( ) page headers   # radio box

Currently the response headers are just ignored. They are fetched, but ignored. Curl offers an option to not fetch the body. So we thought we would add the second option that would skip fetching the body and at the same time use the fetched headers to process against variables and required string (headers are fetched in any case). This would also avoid loading a web server that is being monitored. But now there is a question, is there a use case to use both the headers and the body in a check?

In the case where you use data from a previous step to request a page in the current step I can envisage a situation where you might have a session cookie in a header and something like an authentication key as a hidden field of a login form. You would need to extract both the cookie and the key to provide login credentials.

I think the ability to just retrieve the headers is a good idea but if you choose to retrieve the page content you should have access to the headers as well. Perhaps re-word it in the UI as:

Retrieve         (X) page content and headers ( ) page headers only   # radio box

The default should be to retrieve both.

there definitely is a usecase (matching a session id, which could be either in the page body or header, depending on software version) - but the question is how complicated the solution becomes then.

note that if we do that, we need 3 options - headers only, body only, both

(15) I've made some minor changes in r45468, 45469, 45472 and 45474, please review.

kristsk CLOSED.

(16) In httpconf.php:554 listing the select fields in a separate variable is not a good idea. It splits the query and makes it harder to read.

kristsk RESOLVED in r45535.

jelisejev CLOSED.

(17) In the webscenario configuration form let's change authentication names from "Basic authentication" and "NTLM authentication" to just "Basic" and "NTLM". Then you can also use the httptest_authentications() function in configuration.httpconf.list.php.

kristsk RESOLVED in r45535.

jelisejev Please replace the $authTypeLabels variable with the httptest_authentications() function in configuration.httpconf.list.php.

kristsk RESOLVED in r45658.

jelisejev CLOSED.

(18) In configuration.httpconf.list.php:
1. Trim() is not required in "trim($httpTest['http_proxy'])";
2. To check for a non-empty string we must use "$httpTest['application_name'] !== ''" instead of just "$httpTest['application_name']". Otherwise "0" will not be considered a selected application.
3. We don't skip values in the ternary operator ("$httpTest['application_name'] ?: '-'")

kristsk RESOLVED in r45535.

jelisejev I've made two minor corrections in r45565.

kristsk CLOSED.

(19) The add_httpstep() and update_httpstep() functions should be refactored to accept a whole object instead of so many parameters.

kristsk RESOLVED in r45535.

jelisejev CLOSED.

Shane, I like your idea and it seems to be the best solution at first. But if we think about how this changes current situation (people have everything set up to work with the body only) we might introduce a regression.

(20) Changed translation strings:

• 'Basic authentication' => 'Basic'
• 'NTLM authentication' => 'NTLM'

jelisejev All of the translation changes should be kept in one subissue: (3).

kristsk RESOLVED. Added strings to list (3).

jelisejev CLOSED.

OK as the thing with retrieve (headers, body, both) gets too complicated we decided in the scope of this issue just offer 2 choices:

• retrieve body (current situation, headers are not checked)
• do not retrieve body (nothing is checked)

which will result in a check box:

• Retrieve only page headers [ ]

Not checked by default. If this is checked the "Required string" gets disabled and on clicking "Save" the "Required string" is emptied in the database.

The spec is updated in v1.4 .

<richlv> ouch. are you sure about that ? it sounds pretty useless to me - matching the required string in headers was the main point in doing it at all...

(21) [F] Please implement the changes from the v1.4 version of the spec.

kristsk RESOLVED in r45662.

jelisejev I've committed the changes we've discussed in 45673, otherwise good. CLOSED.

I agree with richlv. We need to search the headers for specific information, particularly if we want to extract and use that information in a later step. By disabling the "Required string" field you turn a "Headers only" web step into nothing more than a fancy HTTP status code checker.

Yes, that's unfortunately how it will go currently. The reason is that in order to implement it nicely and conveniently for users we would need much time for development. We don't want to hold the upcoming release because of this. This issue is basically about giving an option to not load the web server when monitoring (no body). We will implement proper headers parsing in a separate issue. Feel free to create one.

<richlv> would have been nice to have it split out already, but here we go - ZBXNEXT-2315

Frontend TESTED.

(22) once this is finished, let's check that ZBXNEXT-76 is indeed satisfied

<dimir> It is.

CLOSED

(23) let's figure out whether this also fully solves ZBXNEXT-1064

jelisejev Yes, it does. CLOSED.

Server side ready for testing.

(24) [F] Implement changes from the v1.5 version of the spec.

kristsk RESOLVED in r45745.

jelisejev CLOSED.

(25) [F] If a Web scenario does not have any applications, a "0" is shown is "Application" column in Web scenario list.

jelisejev RESOLVED in r45912.

asaveljevs CLOSED.

(26) [PS] jelisejev says that the server side should not assume that "Headers" field has "\r\n" line endings, similarly to how we do not make such assumption in trigger expressions. Instead, all three options ("\n", "\r\n", and "\r") should be supported.

asaveljevs Stylistically, since function "zbx_add_headers" is static, it might make sense to remove "zbx_" prefix.

asaveljevs When you work on it, please review my stylistic fixes in r45829.

dimir Reviewed, thanks. RESOLVED in r45844.

asaveljevs Looks good. Optimized a bit in r45860. CLOSED.

(27) [PS] Since the API does not validate "retries" field properly, it can be set to 0. Therefore, in the following code it might be better to use "less than" rather than test for equality:

/* try to retrieve page several times depending on number of retries */
do
{
	memset(&page, 0, sizeof(page));

	if (CURLE_OK == (err = curl_easy_perform(easyhandle)))
		break;
}
while (0 != --httptest->httptest.retries);

On the other hand, it would not help if a user would set the number of retries to 2000000000. So fixing this on the server side is optional.

dimir Basically I agree that this is better but what I don't like is that still if user sets it to "0" the step gets executed. I think the best would be to change it as you suggested and disallow value less than 1.

dimir Let's still fix the server side the way you suggested. RESOLVED in r45845.

asaveljevs CLOSED.

Hi. First of all I will say that I look forward to this improvement. Then I see that it´s probably too late to comment on this topic to get even more features Personally I miss good features in zabbix to distribute web-monitoring (Have web-monitoring probes that measures web-sites from different locations/subnets). When support for "Node-based distributed monitoring" now is removed in version 2.3.0 I do not see any possibility to get this functionality? Why is all web-monitoring executed from the zabbix-server and not from a chosen zabbix-agent? Or have I missed something?

for the record, zabbix proxies may run web monitoring

(28) [PS] We have three places where a user agent can be defined:

1. "Agent" field in the scenario;
2. "User-Agent: My Agent 1" in scenario headers;
3. "User-Agent: My Agent 2" in step headers.

Headers correctly override the scenario setting. However, if there is a "User-Agent" header on the scenario level and a "User-Agent" header on the step level, then both are sent.

According to http://stackoverflow.com/questions/3096888/standard-for-adding-multiple-values-of-a-single-http-header-to-a-request-or-resp and http://stackoverflow.com/questions/4371328/are-duplicate-http-response-headers-acceptable , this is not legal.

dimir RESOLVED in r45950, r45951, r45952

asaveljevs CLOSED.

(29) [FPS] If retrieve mode is set to "Retrieve only headers", then a HEAD request is sent. In that case, "Post" field, similarly to "Required string", does not seem to make a lot of sense and should be disabled.

jelisejev RESOLVED in r45911. Please document explicitly, that when retrieving only page headers, a HEAD request will be performed instead of GET or POST.

asaveljevs CLOSED.

(30) [I] I have shortened configuration parameter descriptions in r45898, in a way analogous to SSHKeyLocation. dimir, your descriptions were great, but it seems to me such verbose descriptions belong more to the Web documentation.

dimir I agree, CLOSED

(31) [PS] It seems that setting SSLCALocation is now mandatory, which is not good. If SSLCALocation is not set, it would be great to let cURL library use the system default location, as it currently does.

dimir I agree, but this is according to docs. That's why we have defaults.

asaveljevs Just to clarify: in this case, a default value of SSLCALocation=${datadir}/zabbix/ssl/ca hurts, because there is nothing in that directory (in fact, it does not even exist in the default installation). So "Validate peer" will not work until this parameter in server configuration file is set to the system-wide CA directory. If a user never needs custom CA, this seems suboptimal.

asaveljevs By the way, a user might wish to specify several directories, because she is likely to want both standard CAs and custom CAs.

dimir Good point, I was also thinking about it but let's leave it for the future.

So, after discussion we decided that by default SSLCALocation will be empty in which case CURLOPT_CAPATH will not be set which means curl should use system CA location.

dimir RESOLVED in r45946, r45947.

asaveljevs I have replaced "If empty ..." with "If not set ..." in r45964, because an empty location is invalid. CLOSED.

(32) Documentation for CURLOPT_CAPATH (http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTCAPATH) says that it is only supported for libcurl built with OpenSSL. In Zabbix documentation, it might be proper to document that SSLCALocation only has effect if libcurl was built to use OpenSSL.

dimir Fixed here:

https://www.zabbix.com/documentation/2.4/manual/appendix/config/zabbix_server
https://www.zabbix.com/documentation/2.4/manual/appendix/config/zabbix_proxy

RESOLVED

martins-v CLOSED.

(33) I've updated the branch to the latest trunk in 45976. There were a lot of conflicts in CHttpTest.php, please review.

iivs Looks ok. I've made minor changes in r45994. Please review.

jelisejev Thanks, CLOSED.

Available in 2.3.1 r46006.

(34) I've updated the API docs:

• web scenario object reference - https://www.zabbix.com/documentation/2.4/manual/api/reference/httptest/object
• httptest.get example - https://www.zabbix.com/documentation/2.4/manual/api/reference/httptest/get

martins-v Somewhat expanded by dimir regarding PEM format needed. Reviewed. CLOSED.

(35) Hi guys,
I compiled rev 45994 yesterday. I tested it, because SSL cert feature. I've had issue: "Problem with the local SSL certificate." (It's not real Zabbix issue), probably because I've used wrong location for my certs. I've used DebugLevel 4, but I didn't see in debug output, which filepath for SSL certs/files is used. Could you print these details to debug output please?
For example:

zabbix_log(LOG_LEVEL_DEBUG, "Used SSL certificate file:'%s'", file_name);
zabbix_log(LOG_LEVEL_DEBUG, "Used SSL key file:'%s'", file_name);

Thx.

dimir Good point. RESOLVED in r46354

asaveljevs CLOSED.

(36) Finally it works for me. It'll be fine, if you mention that only PEM certs are allowed for SSL auth, because libcurl.
I have only p12 key, so was not successful. But when I converted p12(.pkcs12 .pfx .p12) SSL key to PEM format, then it was OK:

openssl pkcs12 -in ssl-cert.p12 -clcerts -nokeys -out ssl-cert.pem
openssl pkcs12 -in ssl-cert.p12 -nocerts -nodes  -out ssl-cert.key

dimir Another good point. It was mentioned in the specs that we support only PEM, seems we've missed it in the docs. Fixed at

https://www.zabbix.com/documentation/2.4/manual/web_monitoring
https://www.zabbix.com/documentation/2.4/manual/api/reference/httptest/object

RESOLVED

<richlv> changed 'next' to 'the following' - other than that looks good to me, but i'll leave this open for maartinjsh

martins-v Reviewed, CLOSED.

(37) user documentation seems to be partially/mostly updated in whatsnew and webmon sections. a few notes :

• see (32) above
• https://www.zabbix.com/documentation/2.4/manual/web_monitoring says "When running a web scenario, Zabbix always follows redirects." - i believe that's outdated and can be simply removed ?
• i couldn't find the detail that redirects are limited to a hardcoded limit of 10

dimir Fixed at

https://www.zabbix.com/documentation/2.4/manual/web_monitoring

While at it please check the mentioned in (32) links for the new 3 server and proxy config SSL parameters.

RESOLVED

martins-v Reviewed. Apparently can be CLOSED.

Hy,

When I add a big post in a step scenario, for example, the following:

<getRoute>
    <rs>
        <RouteStop>
            <description>Rua Funchal, 129</description>
            <point>
                <x>-46.6867705</x>
                <y>-23.5924345</y>
            </point>
        </RouteStop>
        <RouteStop>
            <description>Avenida Paulista, 129</description>
            <point>
                <x>-46.645769</x>
                <y>-23.5701859</y>
            </point>
        </RouteStop>
    </rs>
    <ro>
        <language>portugues</language>
        <routeDetails>
            <descriptionType>0</descriptionType>
            <routeType>1</routeType>
            <optimizeRoute>true</optimizeRoute>
            <poiRoute />
            <barriersList />
            <barrierPoints />
        </routeDetails>
        <vehicle>
            <tankCapacity>10</tankCapacity>
            <averageConsumption>1</averageConsumption>
            <fuelPrice>3</fuelPrice>
            <averageSpeed>50</averageSpeed>
            <tollFeeCat>1</tollFeeCat>
        </vehicle>
    </ro>
    <token>SEU-TOKEN</token>
</getRoute>

when I save, it seems that the caractheres isn`t in the field, but actually if you check the URL of the step scenario, the post is in the field, could you check, please.

(38) whatsnew barely mentions ssl auth ("This tab holds new options for controlling SSL certificates") - it should explain a bit more and also have a screenshot

martins-v The entry in 'what's new' expanded a bit:

• https://www.zabbix.com/documentation/2.4/manual/introduction/whatsnew240#ssl_verification_and_authentication_options

<richlv> thanks, CLOSED

(39) spec says all 3 new parameters are mandatory, in the config file SSLCALocation is listed as a not mandatory one

martins-v Or is it that all 3 are listed as not mandatory?

<richlv> well, duh - indeed, config file completely contradicts the spec

<dimir> Fixed in the spec. The parameters are all optional.

CLOSED

(40)

1. Location of certificate authority (CA) files for SSL server certificate verification.
2. If not set, system-wide directory will be used.
3. This parameter is used only in Web monitoring.

i'd suggest to be a bit more specific that this param overrides systemwide certs. maybe :

Override the location of certificate authority (CA) files for SSL server certificate verification.

?

<dimir> Changed as you suggested:

### Option: SSLCALocation                                                                                                                                                                                                                      
#       Override the location of certificate authority (CA) files for SSL server certificate verification.                                                                                                                                     
#       If not set, system-wide directory will be used.                                                                                                                                                                                        
#       This parameter is used only in Web monitoring.                                                                                                                                                                                         
#                                                                                                                                                                                                                                              
# Mandatory: no                                                                                                                                                                                                                                
# Default:                                                                                                                                                                                                                                     
# SSLCALocation=

RESOLVED in r48266

wiper CLOSED

(41) for me, "verify host" option only works if "verify peer" is enabled.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html says "If libcurl is built against NSS and CURLOPT_SSL_VERIFYPEER is zero, CURLOPT_SSL_VERIFYHOST is also set to zero and cannot be overridden.", but my curl is compiled against openssl.
is there a known combo where "verify host" would work without "verify peer" ? if not, maybe 'host' checkbox should be only enabled when 'peer' one is marked ?

<dimir> Yes, I successfully tested host verification without peer verification. The error message is weird though:

SSL peer certificate or SSH remote key was not OK

But it comes straight from libcurl.

CLOSED

<richlv> could you please clarify which ssl library your libcurl is built against ? REOPENED

<dimir> Yes, I could use the host verification feature in both cases with enabled and disabled peer verification. The error message I get when subject of my server cert does not match host I'm monitoring is:

SSL peer certificate or SSH remote key was not OK: SSL: certificate subject name 'foo' does not match target host name 'bar'

$ dpkg -l '*curl*-dev' | grep ^ii
ii  libcurl4-openssl-dev                  7.26.0-1+wheezy9           (OpenSSL flavour)

RESOLVED

<richlv> thanks, CLOSED

(42) let's document that "Zabbix server picks up changes in certificates without a restart" or similar (but please doublecheck that, maybe i missed something in my tests)

<dimir> That's right. Added notes (see 2 last notes below the table):

https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication

RESOLVED

<richlv> thanks - i removed "for the record" as it did not seem to provide that much useful info.

unless there are any objections, CLOSED

(43) i couldn't spot in the manual any info that by default systemwide certs are used and that overriding is possible with the server config param SSLCALocation
in general, there's a lot of nice detail in the spec that are missing in the manual - for example, CURLOPT options, "user-agent" example - maybe more

<dimir> Added information about CURLOPT_*, SSLCALocation, SSLCertLocation and SSLKeyLocation, User-Agent example:

https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication

RESOLVED

<richlv> looking really good, a few more changes to review :

• ordering was slightly inconsistent, i changed it
• manual claimed only server had those params, i changed it to reference proxy, too
• i also added curlopt for "Retrieve only headers", "Follow redirects" and redirect count (CURLOPT_MAXREDIRS)

<dimir> Objection about the ordering. I had the macros exactly that way before I realized the ordering is screwed. I really like more when the macros are just befor the note about the version the feature appears in. Because noting the curl option and describing the feature look so connected to me.

<dimir> Added few more things:

• described host verification in more detail
• external links to CURLOPT_*

Please close if satisfied.

<richlv> thanks for curlopt links. minor grammar/style/formatting updates, CLOSED

(44) frontend strips leading/trailing spaces from "SSL key password" - that's a perfectly valid password, we should leave spaces as-is
for the record, server seems to work perfectly with all the weird passwords i throw at it

kristsk RESOLVED in r47537.

oleg.egorov CLOSED

(45) frontend disallows to save scenario with empty key file and non-empty password :
"Empty SSL key file for web scenario"
that is wrong and does not allow using key + certificate in a single file (which is allowed for passwordless keys).

it also looks like server does not handle this properly, if my direct db editing was correct

kristsk

New strings:

• 'SSL key file or password specified without SSL certificate file in web scenario "%1$s".'

Removed strings:

• 'Empty SSL key file for web scenario "%1$s".'
• 'Empty SSL certificate file for web scenario "%1$s".'

[F] RESOLVED in r47542.

oleg.egorov CLOSED

<richlv> was server side really tested and found to be working properly ? if so, why was it not mentioned here ?

<dimir> REOPENED. Additionally, in the error message the "for web scenario..." looks redundant to me. I'd simply go with

"SSL key file or password specified without SSL certificate file"

Testing the server side now.

<dimir> Yes, it works just with the certificate file, containing the key.

For the record, I have spent quite some time trying to figure out how to combine certificate and private key with openssl but the solution appeared to be ridiculously simple:

cat client.crt client.key > client.pem

CLOSED

<richlv> as discussed on irc... server does not seem to work properly with certificate & key in the same file if the key is password-protected.
commandline curl works just fine with such a combo, and zabbix should as well.
REOPENED

<dimir> That's right, this wasn't implemented.

Added information about using client certificate file combined with private key:

https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication

RESOLVED in r48305

wiper CLOSED

(46) spec says "Also maximum size of URL will be increased to 2048 characters."
this does not seem to be mentioned in whatsnew
should also be mentioned in https://www.zabbix.com/documentation/2.4/manual/web_monitoring

martins-v Added to:

• https://www.zabbix.com/documentation/2.4/manual/introduction/whatsnew240#ability_to_specify_custom_headers_for_web_monitoring
• https://www.zabbix.com/documentation/2.4/manual/web_monitoring

RESOLVED.

<richlv> thanks, CLOSED

(47) frontend disallows to save scenario w/o certificate but with key password - that seems to be valid, but the spec does not mention such a check

kristsk Updated specification https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282#Web_scenario. RESOLVED.

<richlv> looks good to me, thanks. CLOSED

(48) authentication tab is highly confusing.
a) first dropdown is named the same as tab;
b) ssl also is authentication;
c) when username/password fields are shown, it is absolutely unclear that they are controlled by the first dropdown

as a simple solution i'd propose :
1) rename label for the first dropdown to "HTTP authentication"
2) clarify that username/pass fields belong to that dropdown (i'd use the approach we use in map element properties, but whatever)
3) don't hide/show these fields, just disable them when auth is set to "none" (this will also get rid of page reloads)

jelisejev 2) How about we just add some space between the password and verify host checkbox rows?

<richlv> that does not give a visual cue that input fields are controlled by the dropdown, just that they might be somehow related.

kristsk Fixed to the best of my understanding. RESOLVED in r47566.

oleg.egorov CLOSED

[F] RESOLVED.

(49) [F] Coding style:

• configuration.httpconf.edit.js.php:200

  var httpFieldsDisabled = $(this).val() == 0; // 0 == HTTPTEST_AUTH_NONE
  

Remove comment and use

var httpFieldsDisabled = $(this).val() == <?php echo HTTPTEST_AUTH_NONE; ?>;

• configuration.httpconf.edit.js.php:205
  Add space after IF

• configuration.httpconf.edit.php:159, 161
  Add spaces before and after "="

kristsk RESOLVED in r47709.

oleg.egorov CLOSED

(50) [F]
Error message:

SSL key file or password specified without SSL certificate file in web scenario "1$s".

Incorrect name: 1$s
Should be: %1$s

kristsk RESOLVED in r47711. Updated changed translation strings comment.

oleg.egorov CLOSED

[F] TESTED

for the record, minor capitalisation fix in r48147.

(51) [PS] Enable more verbosity in the error message when curl fails to connect.

I have found an interesting case today, libcurl acts differently when it's compiled against OpenSSL and GNU TLS. I wasn't able to make it use client certificate and encrypted private key without server certificate verification. Weird, with libcurl compiled against GNU TLS you get an error:

error reading X.509 key or certificate file

. And this goes away if you switch to libcurl with OpenSSL flavour. On a Debian-based system you need to change from libcurl4-gnutls-dev to libcurl4-openssl-dev. Enabling verbosity helped in this case thus I propose to add this patch, r48295. Besides, this patch sets CAPATH only if we want to verify peer. This was mentioned in the docs:

http://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html

Enabling more details in error message involves using some curl constants (CURLOPT_ERRORBUFFER, CURL_ERROR_SIZE), I have checked curl version we require (7.13.1) and it contains those.

RESOLVED in r48295

asaveljevs Note that client certificates working only with OpenSSL was mentioned in (32) and we already have a documentation note about it.

wiper CLOSED, please review small changes in r48510

Additional fixes (allow specifying client private key password when private key is in the same file as client certificate) available in 2.3.4 (trunk) r48523.

I'm seeing that headers have been implemented, but the Host one doesn't seem to work properly. 

When I try setting the Host header, the check is executed against that URL instead of the one defined in the steps.    

ran more debugging, it was the second step in the scenario that was failing.