exposing curl options for web monitoring
(ZBXNEXT-403)
|
|
Status: | Closed |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | Frontend (F), Proxy (P), Server (S) |
Affects Version/s: | None |
Fix Version/s: | 2.3.1 |
Type: | Change Request (Sub-task) | Priority: | Minor |
Reporter: | Paweł Sasin | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 59 |
Labels: | flexibility, webmonitoring | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Web application servers |
Issue Links: |
|
Description |
I have to monitor a picky webapp. It's a java app, reachable via HTTP. It expects a POST with Content-Type with one of the following:
Zabbix queries the webapp with a POST, which content type is set to 'application/x-www-form-urlencoded' (the default from libcurl), and the app responds with an error because of the content-type header. Is there a possibility to add custom headers to httpstep or httptest? libcurl is very flexible in that matter (http://curl.haxx.se/libcurl/c/curl_e...LOPTHTTPHEADER). It could be a simple field where one could insert his own headers, ie:
Specification: https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282 |
Comments |
Comment by Brad Langhorst [ 2010 Jun 14 ] |
I actually requested the same feature in the wrong place (sourceforge). |
Comment by Arli [ 2010 Oct 18 ] |
I also need the functionality to monitor SOAP web services in my organization. |
Comment by João Figueiredo [ 2010 Nov 03 ] |
Other headers configuration: There are scenarios we need to monitor the availability of a Server simulating a mobile access, |
Comment by Arli [ 2010 Nov 20 ] |
At the moment I'm using custom script with wget as external check, to be able to post custom headers: |
Comment by Christopher Ferraro [ 2012 Oct 13 ] |
Any love for this request?? |
Comment by Joel Reed [ 2013 Mar 21 ] |
Id like to add an additional voice to this feature. I have several web services that I would like to monitor through the Zabbix web monitoring scenarios. Unfortunately the only piece that is preventing me is the ability to send the proper 'Content-Type:' header. With the ability to choose or set the type to application/soap+xml or application/json I would be able to perform all of my monitoring via web scenarios. As it is now I'm doing the checks via external scripts. I like all the built-in metrics I get via web monitoring. It seems like a drop down with the choices; application/x-www-form-urlencoded, text/xml, application/soap+xml, and application/json would cover better than 80% of the web sites and services out there. A free form text box with the default of application/x-www-form-urlencoded would work as well and keep things backwards consistent/compatible. Thanks. |
Comment by Tom M. [ 2013 May 03 ] |
+1 I'd like to see that feature. For what I'm using it, it would be great to set the Accept-Language HTTP header in order to clearly define the language for multi-language websites. Otherwise, when the websites' default changes, string tests etc. will fail for sure. Thank you. |
Comment by Filipe Paternot [ 2013 May 17 ] |
+1 I need to change the header to alter the Host option in other to make it work with vhost sites. If the request is sent to target webserver without this option, the server dosent recognize and shows a forbiden. ~$ curl -H 'Host: my.vhostsome.domain.com' http://webserver:8000/healthcheck <html> <body> WORKING </body> </html> ~$ curl http://webserver:8000/healthcheck <html> <head><title>400 Bad Request</title></head> <body bgcolor="white"> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ~$ |
Comment by Stephen Dayman [ 2013 Jun 05 ] |
Same as above, we have several SOAP interfaces which require different header values. |
Comment by Alexandr Milushev [ 2013 Jul 11 ] |
+1 |
Comment by Shane McEwan [ 2013 Jul 23 ] |
+1 for me too. The app I want to monitor returns an OAuth2 token in a JSON response upon login. With the new regex macro functionality in Zabbix 2.2 I can now extract that information from the login response but I need to set "Authorization" and "Cookie" headers with the extracted tokens if I want to be able to request any other pages after login. I was hoping this ticket would have been fixed while the other Web Monitoring changes were being made. |
Comment by yayo [ 2013 Jul 26 ] |
pls add this feature... it's simple for u! http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTHTTPHEADER |
Comment by Corey Shaw [ 2013 Sep 11 ] |
There is a community patch for this on https://www.zabbix.com/forum/showpost.php?p=137347&postcount=12 |
Comment by David Dyball [ 2013 Oct 23 ] |
+1 from me. I'd love for this to be put into 2.2. We run a lot of multi-server applications that run through a load-balancer. It'd be nice to run web-checks against each node specifically rather than having the load-balancer always redirect us to the same server. Simple HTTP checks are easy to do with an external script, but having this ability for entire Web Scenarios would make things so much easier. |
Comment by luca bianchi [ 2013 Nov 21 ] |
+1 from me. |
Comment by Michael Martinez [ 2013 Dec 06 ] |
Yes +1 please add this. I need it for a monitoring solution I'm putting together for Yahoo. Need to be able to add a multipart Content-Type with boundary, and possibly other headers. I'll try the community patch, hopefully that will work, but it would be nice if it were built in already. |
Comment by Phil Majewski [ 2013 Dec 10 ] |
Please implement this. This will make monitoring behind a load balancer so much more straightforward and easier. |
Comment by Roman Aksyonov [ 2013 Dec 20 ] |
It could be really usefull! |
Comment by Jason McIntosh [ 2014 Feb 03 ] |
Apparently, this feature isn't on the roadmap (see richlv's comment here https://support.zabbix.com/browse/ZBXNEXT-2136) so we're going to bypass the built in web monitoring. This is rather annoying as a result (we may look at using the community supplied patch) due to requirements of our web apps. We have our load balancers add http-headers for various things that are absolutely required for our web applications to function correctly. Since zabbix can't do this natively, we've had to go outside of Zabbix. I'm working on a local script that uses zabbix trappers to do requests and will update the issue once I've got something I can share. |
Comment by Gabriele Armao [ 2014 Feb 03 ] |
I faced the same issue with some customers who needed to monitor a particular virtual host on different webserver, to work around this limitation, I found particularly useful a nagios plugin called: check_http which accepts a "-H" option in order to pass the required vhost, as well as any other header with the "-k" parameter, it can be easily integrated as external check or UserParameter depending on where you need to start the check from. |
Comment by ale perretta [ 2014 Feb 04 ] |
ive use the same plugin, but it will be good to have an option in zabbix to do that. Because if i use the plugin i lost the power of web monitoring (steps etc) |
Comment by Miguel Martín [ 2014 Feb 12 ] |
Hi, I have released a patch that applies zabbix 2.2.x version to support custom Headers and custom SSL configuration. |
Comment by Peter Baumann [ 2014 Feb 12 ] |
Hi Miguel, |
Comment by Leonardo Arena [ 2014 Mar 13 ] |
+1 |
Comment by Naruto [ 2014 Mar 18 ] |
This feature is a MUST. PLEASE add it as soon as possible!, it's not about our particular needs, it's about the success of Zabbix itself! |
Comment by Shane McEwan [ 2014 Mar 18 ] |
FWIW, I installed Miguel's patch on 2.2.2 and it works great! I'm now using Zabbix to test the internals of my web application. Please add Miguel's patch to Zabbix core. |
Comment by Alexei Vladishev [ 2014 Mar 27 ] |
Great work, Miguel! Your patch is very nice and clean, it works, however it contains memory leaks (header_slist) and is not complete since it does not support templates. So, guys, please use it with care. Anyway, the functionality will be implemented in Zabbix 2.4. We are working on it, a specification will be ready very soon. I'll keep you updated. |
Comment by Miguel Martín [ 2014 Mar 28 ] |
Thanks Alexei! I have fixed the memory leak and updated the patches. It was very obvious but I didn't realize at all, sorry (Actually I am a system administrator not a C programmer). If I have some free time I will try to implement template support too, we need it at work and I am not sure we can wait to 2.4. |
Comment by Miguel Martín [ 2014 Apr 07 ] |
Hi again, I have updated the patches to support templates and added a new patch for 2.2.3 version. |
Comment by Miguel Martín [ 2014 Apr 17 ] |
I have detected and fixed an incorrect behaviour between httpsteps. Header information from previous httpsteps were not cleaned correctly. Please update your patches asap |
Comment by richlv [ 2014 Apr 28 ] |
(1) once this is implemented, it should be checked whether <richlv> closed it as a duplicate, CLOSED |
Comment by richlv [ 2014 Apr 28 ] |
(2) once this is implemented, it should be checked whether <richlv> closed it as a duplicate, CLOSED |
Comment by Pavels Jelisejevs (Inactive) [ 2014 Apr 30 ] |
Specification available at https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282. |
Comment by Jan Garaj [ 2014 Apr 30 ] |
Specification look great. Some suggestions from my web monitoring practice: 1.) New step item - received bytes - "page weight" 2.) New item - resolved IP address 3.) Advance time logging 4.) Upload file |
Comment by richlv [ 2014 Apr 30 ] |
from that list, item number 2 seems to be "net.dns.record" (although currently only supported on agents, not as a simple check) : https://www.zabbix.com/documentation/2.2/manual/config/items/itemtypes/zabbix_agent |
Comment by Krists Krigers (Inactive) [ 2014 May 06 ] |
Implemented and committed in r45104, branch svn://svn.zabbix.com/branches/dev/ZBXNEXT-282.
Changed translation strings:
jelisejev I've removed some of the strings that have already been present in the frontend. CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 07 ] |
(4) [F] An undefined index error appears after creating a web scenario: Created: Web scenario "Test" on "Zabbix server". Undefined variable: httptestid [ in /opt/lampp/htdocs/zabbix/ZBXNEXT-282/frontends/php/httpconf.php:302] kristsk RESOLVED in r45274. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 07 ] |
(5) [F] The "Info" cell is displayed blank for new web scenarios. kristsk RESOLVED in r45274.
kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 08 ] |
(6) [F] Please add some space between the "page content" and "page headers" radio buttons in the web scenario step configuration form. jelisejev The space should be added using CSS margin instead of nbsp. kristsk RESOLVED in r45535. jelisejev I've decreased the margin to 10px in 45562, please review. kristsk CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 09 ] |
(7) [F] The new fields are not inherited when linking a template to a host. How to reproduce:
kristsk RESOLVED in r45274. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 09 ] |
(8) [F] This note in the spec was a bit misleading: "Headers should be validated to contain max 2048 characters.". This limitation is only applied to Oracle and DB2 databases and the validation is performed for all "text" type fields in DB::checkValueTypes(). So additional validation on the API level is not required. I've removed the note from the spec. kristsk RESOLVED in r45274. <richlv> as discussed, let's return the information in the spec (mentioning that this is handled by the db layer) - functionally, that's important and should be documented jelisejev Added it to the spec: https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282#Validation CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 13 ] |
(9) Regarding CHttpTest::checkSslParameters():
kristsk RESOLVED in r45535.
kristsk RESOLVED in r45655. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 13 ] |
(10) Some of the error message should be correct to be more consistent with others:
kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 13 ] |
(11) The following API request must trigger an error, since it doesn't contain the "ssl_key_file" parameter. Yet, it's executed successfully. { "name": "Homepage check233457", "hostid": "10084", "ssl_cert_file": "file", "steps": [ { "name": "Homepage", "url": "http://mycompany.com", "status_codes": 200, "no": 1 }, { "name": "Homepage / About", "url": "http://mycompany.com/about", "status_codes": 200, "no": 2 } ] } kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 13 ] |
(12) The following API request triggers an empty error (note the incorrect "follow_redirects" value): { "name": "Homepage check23345756", "hostid": "10084", "steps": [ { "name": "Homepage", "url": "http://mycompany.com", "status_codes": 200, "no": 1, "follow_redirects": 2 }, { "name": "Homepage / About", "url": "http://mycompany.com/about", "status_codes": 200, "no": 2 } ] } kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 13 ] |
(13) Please also add constants for the "verify_peer", "verify_host" and "follow_redirects" properties. kristsk RESOLVED in r45535. jelisejev I've replaced some left over values in r45564, please review. kristsk CLOSED. |
Comment by dimir [ 2014 May 13 ] |
(14) [F] Undefined index. This error message appears when creating a web scenario with 1 step directly on a host level:
Steps to reproduce:
Database used: PostgreSQL kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by dimir [ 2014 May 13 ] |
We were discussing today this part of the spec: Retrieve (X) page content ( ) page headers # radio box Currently the response headers are just ignored. They are fetched, but ignored. Curl offers an option to not fetch the body. So we thought we would add the second option that would skip fetching the body and at the same time use the fetched headers to process against variables and required string (headers are fetched in any case). This would also avoid loading a web server that is being monitored. But now there is a question, is there a use case to use both the headers and the body in a check? |
Comment by Shane McEwan [ 2014 May 13 ] |
In the case where you use data from a previous step to request a page in the current step I can envisage a situation where you might have a session cookie in a header and something like an authentication key as a hidden field of a login form. You would need to extract both the cookie and the key to provide login credentials. I think the ability to just retrieve the headers is a good idea but if you choose to retrieve the page content you should have access to the headers as well. Perhaps re-word it in the UI as: Retrieve (X) page content and headers ( ) page headers only # radio box The default should be to retrieve both. |
Comment by richlv [ 2014 May 13 ] |
there definitely is a usecase (matching a session id, which could be either in the page body or header, depending on software version) - but the question is how complicated the solution becomes then. note that if we do that, we need 3 options - headers only, body only, both |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 14 ] |
(15) I've made some minor changes in r45468, 45469, 45472 and 45474, please review. kristsk CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 14 ] |
(16) In httpconf.php:554 listing the select fields in a separate variable is not a good idea. It splits the query and makes it harder to read. kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 14 ] |
(17) In the webscenario configuration form let's change authentication names from "Basic authentication" and "NTLM authentication" to just "Basic" and "NTLM". Then you can also use the httptest_authentications() function in configuration.httpconf.list.php. kristsk RESOLVED in r45535. jelisejev Please replace the $authTypeLabels variable with the httptest_authentications() function in configuration.httpconf.list.php. kristsk RESOLVED in r45658. jelisejev CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 14 ] |
(18) In configuration.httpconf.list.php: kristsk RESOLVED in r45535. jelisejev I've made two minor corrections in r45565. kristsk CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 14 ] |
(19) The add_httpstep() and update_httpstep() functions should be refactored to accept a whole object instead of so many parameters. kristsk RESOLVED in r45535. jelisejev CLOSED. |
Comment by dimir [ 2014 May 14 ] |
Shane, I like your idea and it seems to be the best solution at first. But if we think about how this changes current situation (people have everything set up to work with the body only) we might introduce a regression. |
Comment by Krists Krigers (Inactive) [ 2014 May 15 ] |
(20) Changed translation strings:
jelisejev All of the translation changes should be kept in one subissue: (3). kristsk RESOLVED. Added strings to list (3). jelisejev CLOSED. |
Comment by dimir [ 2014 May 16 ] |
OK as the thing with retrieve (headers, body, both) gets too complicated we decided in the scope of this issue just offer 2 choices:
which will result in a check box:
Not checked by default. If this is checked the "Required string" gets disabled and on clicking "Save" the "Required string" is emptied in the database. The spec is updated in v1.4 . <richlv> ouch. are you sure about that ? it sounds pretty useless to me - matching the required string in headers was the main point in doing it at all... |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 16 ] |
(21) [F] Please implement the changes from the v1.4 version of the spec. kristsk RESOLVED in r45662. jelisejev I've committed the changes we've discussed in 45673, otherwise good. CLOSED. |
Comment by Shane McEwan [ 2014 May 16 ] |
I agree with richlv. We need to search the headers for specific information, particularly if we want to extract and use that information in a later step. By disabling the "Required string" field you turn a "Headers only" web step into nothing more than a fancy HTTP status code checker. |
Comment by dimir [ 2014 May 21 ] |
Yes, that's unfortunately how it will go currently. The reason is that in order to implement it nicely and conveniently for users we would need much time for development. We don't want to hold the upcoming release because of this. This issue is basically about giving an option to not load the web server when monitoring (no body). We will implement proper headers parsing in a separate issue. Feel free to create one. <richlv> would have been nice to have it split out already, but here we go - |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 21 ] |
Frontend TESTED. |
Comment by richlv [ 2014 May 21 ] |
(22) once this is finished, let's check that <dimir> It is. CLOSED |
Comment by richlv [ 2014 May 21 ] |
(23) let's figure out whether this also fully solves jelisejev Yes, it does. CLOSED. |
Comment by dimir [ 2014 May 22 ] |
Server side ready for testing. |
Comment by Krists Krigers (Inactive) [ 2014 May 22 ] |
(24) [F] Implement changes from the v1.5 version of the spec. kristsk RESOLVED in r45745. jelisejev CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 22 ] |
(25) [F] If a Web scenario does not have any applications, a "0" is shown is "Application" column in Web scenario list. jelisejev RESOLVED in r45912. asaveljevs CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 23 ] |
(26) [PS] jelisejev says that the server side should not assume that "Headers" field has "\r\n" line endings, similarly to how we do not make such assumption in trigger expressions. Instead, all three options ("\n", "\r\n", and "\r") should be supported. asaveljevs Stylistically, since function "zbx_add_headers" is static, it might make sense to remove "zbx_" prefix. asaveljevs When you work on it, please review my stylistic fixes in r45829. dimir Reviewed, thanks. RESOLVED in r45844. asaveljevs Looks good. Optimized a bit in r45860. CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 23 ] |
(27) [PS] Since the API does not validate "retries" field properly, it can be set to 0. Therefore, in the following code it might be better to use "less than" rather than test for equality: /* try to retrieve page several times depending on number of retries */ do { memset(&page, 0, sizeof(page)); if (CURLE_OK == (err = curl_easy_perform(easyhandle))) break; } while (0 != --httptest->httptest.retries); On the other hand, it would not help if a user would set the number of retries to 2000000000. So fixing this on the server side is optional. dimir Basically I agree that this is better but what I don't like is that still if user sets it to "0" the step gets executed. I think the best would be to change it as you suggested and disallow value less than 1. dimir Let's still fix the server side the way you suggested. RESOLVED in r45845. asaveljevs CLOSED. |
Comment by Rune Myrhaug [ 2014 May 23 ] |
Hi. First of all I will say that I look forward to this improvement. Then I see that it´s probably too late to comment on this topic to get even more features |
Comment by richlv [ 2014 May 24 ] |
for the record, zabbix proxies may run web monitoring |
Comment by Aleksandrs Saveljevs [ 2014 May 27 ] |
(28) [PS] We have three places where a user agent can be defined:
Headers correctly override the scenario setting. However, if there is a "User-Agent" header on the scenario level and a "User-Agent" header on the step level, then both are sent. According to http://stackoverflow.com/questions/3096888/standard-for-adding-multiple-values-of-a-single-http-header-to-a-request-or-resp and http://stackoverflow.com/questions/4371328/are-duplicate-http-response-headers-acceptable , this is not legal. dimir RESOLVED in r45950, r45951, r45952 asaveljevs CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 27 ] |
(29) [FPS] If retrieve mode is set to "Retrieve only headers", then a HEAD request is sent. In that case, "Post" field, similarly to "Required string", does not seem to make a lot of sense and should be disabled. jelisejev RESOLVED in r45911. Please document explicitly, that when retrieving only page headers, a HEAD request will be performed instead of GET or POST. asaveljevs CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 27 ] |
(30) [I] I have shortened configuration parameter descriptions in r45898, in a way analogous to SSHKeyLocation. dimir, your descriptions were great, but it seems to me such verbose descriptions belong more to the Web documentation. dimir I agree, CLOSED |
Comment by Aleksandrs Saveljevs [ 2014 May 27 ] |
(31) [PS] It seems that setting SSLCALocation is now mandatory, which is not good. If SSLCALocation is not set, it would be great to let cURL library use the system default location, as it currently does. dimir I agree, but this is according to docs. That's why we have defaults. asaveljevs Just to clarify: in this case, a default value of SSLCALocation=${datadir}/zabbix/ssl/ca hurts, because there is nothing in that directory (in fact, it does not even exist in the default installation). So "Validate peer" will not work until this parameter in server configuration file is set to the system-wide CA directory. If a user never needs custom CA, this seems suboptimal. asaveljevs By the way, a user might wish to specify several directories, because she is likely to want both standard CAs and custom CAs. dimir Good point, I was also thinking about it but let's leave it for the future. So, after discussion we decided that by default SSLCALocation will be empty in which case CURLOPT_CAPATH will not be set which means curl should use system CA location. dimir RESOLVED in r45946, r45947. asaveljevs I have replaced "If empty ..." with "If not set ..." in r45964, because an empty location is invalid. CLOSED. |
Comment by Aleksandrs Saveljevs [ 2014 May 29 ] |
(32) Documentation for CURLOPT_CAPATH (http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTCAPATH) says that it is only supported for libcurl built with OpenSSL. In Zabbix documentation, it might be proper to document that SSLCALocation only has effect if libcurl was built to use OpenSSL. dimir Fixed here: https://www.zabbix.com/documentation/2.4/manual/appendix/config/zabbix_server RESOLVED martins-v CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 29 ] |
(33) I've updated the branch to the latest trunk in 45976. There were a lot of conflicts in CHttpTest.php, please review. iivs Looks ok. I've made minor changes in r45994. Please review. jelisejev Thanks, CLOSED. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 30 ] |
Available in 2.3.1 r46006. |
Comment by Pavels Jelisejevs (Inactive) [ 2014 May 30 ] |
(34) I've updated the API docs:
martins-v Somewhat expanded by dimir regarding PEM format needed. Reviewed. CLOSED. |
Comment by Jan Garaj [ 2014 May 30 ] |
(35) Hi guys, zabbix_log(LOG_LEVEL_DEBUG, "Used SSL certificate file:'%s'", file_name); zabbix_log(LOG_LEVEL_DEBUG, "Used SSL key file:'%s'", file_name); Thx. dimir Good point. RESOLVED in r46354 asaveljevs CLOSED. |
Comment by Jan Garaj [ 2014 May 31 ] |
(36) Finally it works for me. It'll be fine, if you mention that only PEM certs are allowed for SSL auth, because libcurl. openssl pkcs12 -in ssl-cert.p12 -clcerts -nokeys -out ssl-cert.pem openssl pkcs12 -in ssl-cert.p12 -nocerts -nodes -out ssl-cert.key dimir Another good point. It was mentioned in the specs that we support only PEM, seems we've missed it in the docs. Fixed at https://www.zabbix.com/documentation/2.4/manual/web_monitoring RESOLVED <richlv> changed 'next' to 'the following' - other than that looks good to me, but i'll leave this open for maartinjsh martins-v Reviewed, CLOSED. |
Comment by richlv [ 2014 Jun 10 ] |
(37) user documentation seems to be partially/mostly updated in whatsnew and webmon sections. a few notes :
dimir Fixed at https://www.zabbix.com/documentation/2.4/manual/web_monitoring While at it please check the mentioned in (32) links for the new 3 server and proxy config SSL parameters. RESOLVED martins-v Reviewed. Apparently can be CLOSED. |
Comment by Rogério Fernandes Dias [ 2014 Jul 10 ] |
Hy, When I add a big post in a step scenario, for example, the following: <getRoute> <rs> <RouteStop> <description>Rua Funchal, 129</description> <point> <x>-46.6867705</x> <y>-23.5924345</y> </point> </RouteStop> <RouteStop> <description>Avenida Paulista, 129</description> <point> <x>-46.645769</x> <y>-23.5701859</y> </point> </RouteStop> </rs> <ro> <language>portugues</language> <routeDetails> <descriptionType>0</descriptionType> <routeType>1</routeType> <optimizeRoute>true</optimizeRoute> <poiRoute /> <barriersList /> <barrierPoints /> </routeDetails> <vehicle> <tankCapacity>10</tankCapacity> <averageConsumption>1</averageConsumption> <fuelPrice>3</fuelPrice> <averageSpeed>50</averageSpeed> <tollFeeCat>1</tollFeeCat> </vehicle> </ro> <token>SEU-TOKEN</token> </getRoute> when I save, it seems that the caractheres isn`t in the field, but actually if you check the URL of the step scenario, the post is in the field, could you check, please. |
Comment by richlv [ 2014 Jul 12 ] |
(38) whatsnew barely mentions ssl auth ("This tab holds new options for controlling SSL certificates") - it should explain a bit more and also have a screenshot martins-v The entry in 'what's new' expanded a bit: <richlv> thanks, CLOSED |
Comment by richlv [ 2014 Jul 12 ] |
(39) spec says all 3 new parameters are mandatory, in the config file SSLCALocation is listed as a not mandatory one martins-v Or is it that all 3 are listed as not mandatory? <richlv> well, duh - indeed, config file completely contradicts the spec <dimir> Fixed in the spec. The parameters are all optional. CLOSED |
Comment by richlv [ 2014 Jul 12 ] |
(40)
i'd suggest to be a bit more specific that this param overrides systemwide certs. maybe : Override the location of certificate authority (CA) files for SSL server certificate verification. ? <dimir> Changed as you suggested:
### Option: SSLCALocation
# Override the location of certificate authority (CA) files for SSL server certificate verification.
# If not set, system-wide directory will be used.
# This parameter is used only in Web monitoring.
#
# Mandatory: no
# Default:
# SSLCALocation=
RESOLVED in r48266 wiper CLOSED |
Comment by richlv [ 2014 Jul 13 ] |
(41) for me, "verify host" option only works if "verify peer" is enabled. <dimir> Yes, I successfully tested host verification without peer verification. The error message is weird though: SSL peer certificate or SSH remote key was not OK But it comes straight from libcurl. CLOSED <richlv> could you please clarify which ssl library your libcurl is built against ? REOPENED <dimir> Yes, I could use the host verification feature in both cases with enabled and disabled peer verification. The error message I get when subject of my server cert does not match host I'm monitoring is: SSL peer certificate or SSH remote key was not OK: SSL: certificate subject name 'foo' does not match target host name 'bar'
$ dpkg -l '*curl*-dev' | grep ^ii
ii libcurl4-openssl-dev 7.26.0-1+wheezy9 (OpenSSL flavour)
RESOLVED <richlv> thanks, CLOSED |
Comment by richlv [ 2014 Jul 13 ] |
(42) let's document that "Zabbix server picks up changes in certificates without a restart" or similar (but please doublecheck that, maybe i missed something in my tests) <dimir> That's right. Added notes (see 2 last notes below the table): https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication RESOLVED <richlv> thanks - i removed "for the record" as it did not seem to provide that much useful info. unless there are any objections, CLOSED |
Comment by richlv [ 2014 Jul 13 ] |
(43) i couldn't spot in the manual any info that by default systemwide certs are used and that overriding is possible with the server config param SSLCALocation <dimir> Added information about CURLOPT_*, SSLCALocation, SSLCertLocation and SSLKeyLocation, User-Agent example: https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication RESOLVED <richlv> looking really good, a few more changes to review :
<dimir> Objection about the ordering. I had the macros exactly that way before I realized the ordering is screwed. I really like more when the macros are just befor the note about the version the feature appears in. Because noting the curl option and describing the feature look so connected to me. <dimir> Added few more things:
Please close if satisfied. <richlv> thanks for curlopt links. minor grammar/style/formatting updates, CLOSED |
Comment by richlv [ 2014 Jul 13 ] |
(44) frontend strips leading/trailing spaces from "SSL key password" - that's a perfectly valid password, we should leave spaces as-is kristsk RESOLVED in r47537. oleg.egorov CLOSED |
Comment by richlv [ 2014 Jul 13 ] |
(45) frontend disallows to save scenario with empty key file and non-empty password : it also looks like server does not handle this properly, if my direct db editing was correct New strings:
Removed strings:
[F] RESOLVED in r47542. oleg.egorov CLOSED <richlv> was server side really tested and found to be working properly ? if so, why was it not mentioned here ? <dimir> REOPENED. Additionally, in the error message the "for web scenario..." looks redundant to me. I'd simply go with "SSL key file or password specified without SSL certificate file" Testing the server side now. <dimir> Yes, it works just with the certificate file, containing the key. For the record, I have spent quite some time trying to figure out how to combine certificate and private key with openssl but the solution appeared to be ridiculously simple: cat client.crt client.key > client.pem CLOSED <richlv> as discussed on irc... server does not seem to work properly with certificate & key in the same file if the key is password-protected. <dimir> That's right, this wasn't implemented. Added information about using client certificate file combined with private key: https://www.zabbix.com/documentation/2.4/manual/web_monitoring#configuring_authentication RESOLVED in r48305 wiper CLOSED |
Comment by richlv [ 2014 Jul 16 ] |
(46) spec says "Also maximum size of URL will be increased to 2048 characters." martins-v Added to:
RESOLVED. <richlv> thanks, CLOSED |
Comment by richlv [ 2014 Jul 16 ] |
(47) frontend disallows to save scenario w/o certificate but with key password - that seems to be valid, but the spec does not mention such a check kristsk Updated specification https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-282#Web_scenario. RESOLVED. <richlv> looks good to me, thanks. CLOSED |
Comment by richlv [ 2014 Jul 16 ] |
(48) authentication tab is highly confusing. as a simple solution i'd propose : jelisejev 2) How about we just add some space between the password and verify host checkbox rows? <richlv> that does not give a visual cue that input fields are controlled by the dropdown, just that they might be somehow related. kristsk Fixed to the best of my understanding. RESOLVED in r47566. oleg.egorov CLOSED |
Comment by Krists Krigers (Inactive) [ 2014 Jul 24 ] |
[F] RESOLVED. |
Comment by Oleg Egorov (Inactive) [ 2014 Jul 29 ] |
(49) [F] Coding style:
Remove comment and use var httpFieldsDisabled = $(this).val() == <?php echo HTTPTEST_AUTH_NONE; ?>;
kristsk RESOLVED in r47709. oleg.egorov CLOSED |
Comment by Oleg Egorov (Inactive) [ 2014 Jul 30 ] |
(50) [F] SSL key file or password specified without SSL certificate file in web scenario "1$s". Incorrect name: 1$s kristsk RESOLVED in r47711. Updated changed translation strings comment. oleg.egorov CLOSED |
Comment by Oleg Egorov (Inactive) [ 2014 Aug 01 ] |
[F] TESTED |
Comment by richlv [ 2014 Aug 16 ] |
for the record, minor capitalisation fix in r48147. |
Comment by dimir [ 2014 Aug 21 ] |
(51) [PS] Enable more verbosity in the error message when curl fails to connect. I have found an interesting case today, libcurl acts differently when it's compiled against OpenSSL and GNU TLS. I wasn't able to make it use client certificate and encrypted private key without server certificate verification. Weird, with libcurl compiled against GNU TLS you get an error: error reading X.509 key or certificate file . And this goes away if you switch to libcurl with OpenSSL flavour. On a Debian-based system you need to change from libcurl4-gnutls-dev to libcurl4-openssl-dev. Enabling verbosity helped in this case thus I propose to add this patch, r48295. Besides, this patch sets CAPATH only if we want to verify peer. This was mentioned in the docs: http://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html Enabling more details in error message involves using some curl constants (CURLOPT_ERRORBUFFER, CURL_ERROR_SIZE), I have checked curl version we require (7.13.1) and it contains those. RESOLVED in r48295 asaveljevs Note that client certificates working only with OpenSSL was mentioned in (32) and we already have a documentation note about it. wiper CLOSED, please review small changes in r48510 |
Comment by dimir [ 2014 Aug 28 ] |
Additional fixes (allow specifying client private key password when private key is in the same file as client certificate) available in 2.3.4 (trunk) r48523. |
Comment by bunkzilla [ 2018 Aug 21 ] |
I'm seeing that headers have been implemented, but the Host one doesn't seem to work properly. When I try setting the Host header, the check is executed against that URL instead of the one defined in the steps.
|
Comment by bunkzilla [ 2018 Aug 21 ] |
ran more debugging, it was the second step in the scenario that was failing. |