summaryrefslogtreecommitdiffstats
path: root/plugins/check_curl.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/check_curl.c')
-rw-r--r--plugins/check_curl.c204
1 files changed, 158 insertions, 46 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index e3e514ff..f63cdea2 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -92,16 +92,16 @@ typedef struct {
92static check_curl_config_wrapper process_arguments(int /*argc*/, char ** /*argv*/); 92static check_curl_config_wrapper process_arguments(int /*argc*/, char ** /*argv*/);
93 93
94static mp_subcheck check_http(check_curl_config /*config*/, check_curl_working_state workingState, 94static mp_subcheck check_http(check_curl_config /*config*/, check_curl_working_state workingState,
95 int redir_depth); 95 long redir_depth);
96 96
97typedef struct { 97typedef struct {
98 int redir_depth; 98 long redir_depth;
99 check_curl_working_state working_state; 99 check_curl_working_state working_state;
100 int error_code; 100 int error_code;
101 check_curl_global_state curl_state; 101 check_curl_global_state curl_state;
102} redir_wrapper; 102} redir_wrapper;
103static redir_wrapper redir(curlhelp_write_curlbuf * /*header_buf*/, check_curl_config /*config*/, 103static redir_wrapper redir(curlhelp_write_curlbuf * /*header_buf*/, check_curl_config /*config*/,
104 int redir_depth, check_curl_working_state working_state); 104 long redir_depth, check_curl_working_state working_state);
105 105
106static void print_help(void); 106static void print_help(void);
107void print_usage(void); 107void print_usage(void);
@@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_
120#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */ 120#endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
121 121
122int main(int argc, char **argv) { 122int main(int argc, char **argv) {
123#ifdef __OpenBSD__
124 /* - rpath is required to read --extra-opts, CA and/or client certs
125 * - wpath is required to write --cookie-jar (possibly given up later)
126 * - inet is required for sockets
127 * - dns is required for name lookups */
128 pledge("stdio rpath wpath inet dns", NULL);
129#endif // __OpenBSD__
130
123 setlocale(LC_ALL, ""); 131 setlocale(LC_ALL, "");
124 bindtextdomain(PACKAGE, LOCALEDIR); 132 bindtextdomain(PACKAGE, LOCALEDIR);
125 textdomain(PACKAGE); 133 textdomain(PACKAGE);
@@ -135,6 +143,15 @@ int main(int argc, char **argv) {
135 143
136 const check_curl_config config = tmp_config.config; 144 const check_curl_config config = tmp_config.config;
137 145
146#ifdef __OpenBSD__
147 if (!config.curl_config.cookie_jar_file) {
148 if (verbose >= 2) {
149 printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n"));
150 }
151 pledge("stdio rpath inet dns", NULL);
152 }
153#endif // __OpenBSD__
154
138 if (config.output_format_is_set) { 155 if (config.output_format_is_set) {
139 mp_set_format(config.output_format); 156 mp_set_format(config.output_format);
140 } 157 }
@@ -198,7 +215,7 @@ CURLcode sslctxfun(CURL *curl, SSL_CTX *sslctx, void *parm) {
198#endif /* HAVE_SSL */ 215#endif /* HAVE_SSL */
199 216
200mp_subcheck check_http(const check_curl_config config, check_curl_working_state workingState, 217mp_subcheck check_http(const check_curl_config config, check_curl_working_state workingState,
201 int redir_depth) { 218 long redir_depth) {
202 219
203 // ======================= 220 // =======================
204 // Initialisation for curl 221 // Initialisation for curl
@@ -222,10 +239,35 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state
222 // ============== 239 // ==============
223 CURLcode res = curl_easy_perform(curl_state.curl); 240 CURLcode res = curl_easy_perform(curl_state.curl);
224 241
242 if (verbose > 1) {
243 printf("* curl_easy_perform returned: %s\n", curl_easy_strerror(res));
244 }
245
225 if (verbose >= 2 && workingState.http_post_data) { 246 if (verbose >= 2 && workingState.http_post_data) {
226 printf("**** REQUEST CONTENT ****\n%s\n", workingState.http_post_data); 247 printf("**** REQUEST CONTENT ****\n%s\n", workingState.http_post_data);
227 } 248 }
228 249
250 // curl_state is updated after curl_easy_perform, and with updated curl_state certificate checks can be done
251 // Check_http tries to check certs as early as possible, and exits with certificate check result by default. Behave similarly.
252#ifdef LIBCURL_FEATURE_SSL
253 if (workingState.use_ssl && config.check_cert) {
254 if (verbose > 1) {
255 printf("* adding a subcheck for the certificate\n");
256 }
257 mp_subcheck sc_certificate = check_curl_certificate_checks(
258 curl_state.curl, cert, config.days_till_exp_warn, config.days_till_exp_crit);
259
260 mp_add_subcheck_to_subcheck(&sc_result, sc_certificate);
261 if (!config.continue_after_check_cert) {
262 if (verbose > 1) {
263 printf("* returning after adding the subcheck for certificate, continuing after "
264 "checking the certificate is turned off\n");
265 }
266 return sc_result;
267 }
268 }
269#endif
270
229 mp_subcheck sc_curl = mp_subcheck_init(); 271 mp_subcheck sc_curl = mp_subcheck_init();
230 272
231 /* Curl errors, result in critical Nagios state */ 273 /* Curl errors, result in critical Nagios state */
@@ -266,18 +308,6 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state
266 // Evaluation 308 // Evaluation
267 // ========== 309 // ==========
268 310
269#ifdef LIBCURL_FEATURE_SSL
270 if (workingState.use_ssl && config.check_cert) {
271 mp_subcheck sc_certificate = check_curl_certificate_checks(
272 curl_state.curl, cert, config.days_till_exp_warn, config.days_till_exp_crit);
273
274 mp_add_subcheck_to_subcheck(&sc_result, sc_certificate);
275 if (!config.continue_after_check_cert) {
276 return sc_result;
277 }
278 }
279#endif
280
281 /* we got the data and we executed the request in a given time, so we can append 311 /* we got the data and we executed the request in a given time, so we can append
282 * performance data to the answer always 312 * performance data to the answer always
283 */ 313 */
@@ -441,19 +471,19 @@ mp_subcheck check_http(const check_curl_config config, check_curl_working_state
441 "CURLINFO_REDIRECT_COUNT"); 471 "CURLINFO_REDIRECT_COUNT");
442 472
443 if (verbose >= 2) { 473 if (verbose >= 2) {
444 printf(_("* curl LIBINFO_REDIRECT_COUNT is %d\n"), redir_depth); 474 printf(_("* curl LIBINFO_REDIRECT_COUNT is %ld\n"), redir_depth);
445 } 475 }
446 476
447 mp_subcheck sc_redir_depth = mp_subcheck_init(); 477 mp_subcheck sc_redir_depth = mp_subcheck_init();
448 if (redir_depth > config.max_depth) { 478 if (redir_depth > config.max_depth) {
449 xasprintf(&sc_redir_depth.output, 479 xasprintf(&sc_redir_depth.output,
450 "maximum redirection depth %d exceeded in libcurl", 480 "maximum redirection depth %ld exceeded in libcurl",
451 config.max_depth); 481 config.max_depth);
452 sc_redir_depth = mp_set_subcheck_state(sc_redir_depth, STATE_CRITICAL); 482 sc_redir_depth = mp_set_subcheck_state(sc_redir_depth, STATE_CRITICAL);
453 mp_add_subcheck_to_subcheck(&sc_result, sc_redir_depth); 483 mp_add_subcheck_to_subcheck(&sc_result, sc_redir_depth);
454 return sc_result; 484 return sc_result;
455 } 485 }
456 xasprintf(&sc_redir_depth.output, "redirection depth %d (of a maximum %d)", 486 xasprintf(&sc_redir_depth.output, "redirection depth %ld (of a maximum %ld)",
457 redir_depth, config.max_depth); 487 redir_depth, config.max_depth);
458 mp_add_subcheck_to_subcheck(&sc_result, sc_redir_depth); 488 mp_add_subcheck_to_subcheck(&sc_result, sc_redir_depth);
459 489
@@ -653,7 +683,7 @@ char *uri_string(const UriTextRangeA range, char *buf, size_t buflen) {
653} 683}
654 684
655redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config config, 685redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config config,
656 int redir_depth, check_curl_working_state working_state) { 686 long redir_depth, check_curl_working_state working_state) {
657 curlhelp_statusline status_line; 687 curlhelp_statusline status_line;
658 struct phr_header headers[255]; 688 struct phr_header headers[255];
659 size_t msglen; 689 size_t msglen;
@@ -678,7 +708,7 @@ redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config
678 } 708 }
679 709
680 if (++redir_depth > config.max_depth) { 710 if (++redir_depth > config.max_depth) {
681 die(STATE_WARNING, _("HTTP WARNING - maximum redirection depth %d exceeded - %s\n"), 711 die(STATE_WARNING, _("HTTP WARNING - maximum redirection depth %ld exceeded - %s\n"),
682 config.max_depth, location); 712 config.max_depth, location);
683 } 713 }
684 714
@@ -761,7 +791,7 @@ redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config
761 } 791 }
762 792
763 /* compose new path */ 793 /* compose new path */
764 /* TODO: handle fragments and query part of URL */ 794 /* TODO: handle fragments of URL */
765 char *new_url = (char *)calloc(1, DEFAULT_BUFFER_SIZE); 795 char *new_url = (char *)calloc(1, DEFAULT_BUFFER_SIZE);
766 if (uri.pathHead) { 796 if (uri.pathHead) {
767 for (UriPathSegmentA *pathSegment = uri.pathHead; pathSegment; 797 for (UriPathSegmentA *pathSegment = uri.pathHead; pathSegment;
@@ -772,6 +802,29 @@ redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config
772 } 802 }
773 } 803 }
774 804
805 /* missing components have null,null in their UriTextRangeA
806 * add query parameters if they exist.
807 */
808 if (uri.query.first && uri.query.afterLast) {
809 // Ensure we have space for '?' + query_str + '\0' ahead of time, instead of calling strncat
810 // twice
811 size_t current_len = strlen(new_url);
812 size_t remaining_space = DEFAULT_BUFFER_SIZE - current_len - 1;
813
814 const char *query_str = uri_string(uri.query, buf, DEFAULT_BUFFER_SIZE);
815 size_t query_str_len = strlen(query_str);
816
817 if (remaining_space >= query_str_len + 1) {
818 strcat(new_url, "?");
819 strcat(new_url, query_str);
820 } else {
821 die(STATE_UNKNOWN,
822 _("HTTP UNKNOWN - No space to add query part of size %zu to the buffer, buffer has "
823 "remaining size %zu"),
824 query_str_len, current_len);
825 }
826 }
827
775 if (working_state.serverPort == new_port && 828 if (working_state.serverPort == new_port &&
776 !strncmp(working_state.server_address, new_host, MAX_IPV4_HOSTLENGTH) && 829 !strncmp(working_state.server_address, new_host, MAX_IPV4_HOSTLENGTH) &&
777 (working_state.host_name && 830 (working_state.host_name &&
@@ -834,7 +887,8 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
834 COOKIE_JAR, 887 COOKIE_JAR,
835 HAPROXY_PROTOCOL, 888 HAPROXY_PROTOCOL,
836 STATE_REGEX, 889 STATE_REGEX,
837 OUTPUT_FORMAT 890 OUTPUT_FORMAT,
891 NO_PROXY,
838 }; 892 };
839 893
840 static struct option longopts[] = { 894 static struct option longopts[] = {
@@ -849,6 +903,8 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
849 {"url", required_argument, 0, 'u'}, 903 {"url", required_argument, 0, 'u'},
850 {"port", required_argument, 0, 'p'}, 904 {"port", required_argument, 0, 'p'},
851 {"authorization", required_argument, 0, 'a'}, 905 {"authorization", required_argument, 0, 'a'},
906 {"proxy", required_argument, 0, 'x'},
907 {"noproxy", required_argument, 0, NO_PROXY},
852 {"proxy-authorization", required_argument, 0, 'b'}, 908 {"proxy-authorization", required_argument, 0, 'b'},
853 {"header-string", required_argument, 0, 'd'}, 909 {"header-string", required_argument, 0, 'd'},
854 {"string", required_argument, 0, 's'}, 910 {"string", required_argument, 0, 's'},
@@ -921,7 +977,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
921 977
922 while (true) { 978 while (true) {
923 int option_index = getopt_long( 979 int option_index = getopt_long(
924 argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB", 980 argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:x:b:d:e:p:s:R:r:u:f:C:J:K:DnlLS::m:M:NEB",
925 longopts, &option); 981 longopts, &option);
926 if (option_index == -1 || option_index == EOF || option_index == 1) { 982 if (option_index == -1 || option_index == EOF || option_index == 1) {
927 break; 983 break;
@@ -950,7 +1006,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
950 case 'c': /* critical time threshold */ 1006 case 'c': /* critical time threshold */
951 { 1007 {
952 mp_range_parsed critical_range = mp_parse_range_string(optarg); 1008 mp_range_parsed critical_range = mp_parse_range_string(optarg);
953 if (critical_range.error != MP_PARSING_SUCCES) { 1009 if (critical_range.error != MP_PARSING_SUCCESS) {
954 die(STATE_UNKNOWN, "failed to parse critical threshold: %s", optarg); 1010 die(STATE_UNKNOWN, "failed to parse critical threshold: %s", optarg);
955 } 1011 }
956 result.config.thlds = mp_thresholds_set_crit(result.config.thlds, critical_range.range); 1012 result.config.thlds = mp_thresholds_set_crit(result.config.thlds, critical_range.range);
@@ -959,7 +1015,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
959 { 1015 {
960 mp_range_parsed warning_range = mp_parse_range_string(optarg); 1016 mp_range_parsed warning_range = mp_parse_range_string(optarg);
961 1017
962 if (warning_range.error != MP_PARSING_SUCCES) { 1018 if (warning_range.error != MP_PARSING_SUCCESS) {
963 die(STATE_UNKNOWN, "failed to parse warning threshold: %s", optarg); 1019 die(STATE_UNKNOWN, "failed to parse warning threshold: %s", optarg);
964 } 1020 }
965 result.config.thlds = mp_thresholds_set_warn(result.config.thlds, warning_range.range); 1021 result.config.thlds = mp_thresholds_set_warn(result.config.thlds, warning_range.range);
@@ -1009,6 +1065,10 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1009 strncpy(result.config.curl_config.user_auth, optarg, MAX_INPUT_BUFFER - 1); 1065 strncpy(result.config.curl_config.user_auth, optarg, MAX_INPUT_BUFFER - 1);
1010 result.config.curl_config.user_auth[MAX_INPUT_BUFFER - 1] = 0; 1066 result.config.curl_config.user_auth[MAX_INPUT_BUFFER - 1] = 0;
1011 break; 1067 break;
1068 case 'x': /* proxy info */
1069 strncpy(result.config.curl_config.proxy, optarg, DEFAULT_BUFFER_SIZE - 1);
1070 result.config.curl_config.proxy[DEFAULT_BUFFER_SIZE - 1] = 0;
1071 break;
1012 case 'b': /* proxy-authorization info */ 1072 case 'b': /* proxy-authorization info */
1013 strncpy(result.config.curl_config.proxy_auth, optarg, MAX_INPUT_BUFFER - 1); 1073 strncpy(result.config.curl_config.proxy_auth, optarg, MAX_INPUT_BUFFER - 1);
1014 result.config.curl_config.proxy_auth[MAX_INPUT_BUFFER - 1] = 0; 1074 result.config.curl_config.proxy_auth[MAX_INPUT_BUFFER - 1] = 0;
@@ -1225,7 +1285,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1225 result.config.curl_config.sin_family = AF_INET; 1285 result.config.curl_config.sin_family = AF_INET;
1226 break; 1286 break;
1227 case '6': 1287 case '6':
1228#if defined(USE_IPV6) && defined(LIBCURL_FEATURE_IPV6) 1288#if defined(LIBCURL_FEATURE_IPV6)
1229 result.config.curl_config.sin_family = AF_INET6; 1289 result.config.curl_config.sin_family = AF_INET6;
1230#else 1290#else
1231 usage4(_("IPv6 support not available")); 1291 usage4(_("IPv6 support not available"));
@@ -1235,7 +1295,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1235 { 1295 {
1236 mp_range_parsed foo = mp_parse_range_string(optarg); 1296 mp_range_parsed foo = mp_parse_range_string(optarg);
1237 1297
1238 if (foo.error != MP_PARSING_SUCCES) { 1298 if (foo.error != MP_PARSING_SUCCESS) {
1239 die(STATE_CRITICAL, "failed to parse page size limits: %s", optarg); 1299 die(STATE_CRITICAL, "failed to parse page size limits: %s", optarg);
1240 } 1300 }
1241 1301
@@ -1304,6 +1364,10 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1304 case HAPROXY_PROTOCOL: 1364 case HAPROXY_PROTOCOL:
1305 result.config.curl_config.haproxy_protocol = true; 1365 result.config.curl_config.haproxy_protocol = true;
1306 break; 1366 break;
1367 case NO_PROXY:
1368 strncpy(result.config.curl_config.no_proxy, optarg, DEFAULT_BUFFER_SIZE - 1);
1369 result.config.curl_config.no_proxy[DEFAULT_BUFFER_SIZE - 1] = 0;
1370 break;
1307 case '?': 1371 case '?':
1308 /* print short usage statement if args not parsable */ 1372 /* print short usage statement if args not parsable */
1309 usage5(); 1373 usage5();
@@ -1331,35 +1395,35 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1331 * parameters, like -S and -C combinations */ 1395 * parameters, like -S and -C combinations */
1332 result.config.curl_config.ssl_version = CURL_SSLVERSION_DEFAULT; 1396 result.config.curl_config.ssl_version = CURL_SSLVERSION_DEFAULT;
1333 if (tls_option_optarg != NULL) { 1397 if (tls_option_optarg != NULL) {
1334 char *plus_ptr = strchr(optarg, '+'); 1398 char *plus_ptr = strchr(tls_option_optarg, '+');
1335 if (plus_ptr) { 1399 if (plus_ptr) {
1336 got_plus = true; 1400 got_plus = true;
1337 *plus_ptr = '\0'; 1401 *plus_ptr = '\0';
1338 } 1402 }
1339 1403
1340 if (optarg[0] == '2') { 1404 if (tls_option_optarg[0] == '2') {
1341 result.config.curl_config.ssl_version = CURL_SSLVERSION_SSLv2; 1405 result.config.curl_config.ssl_version = CURL_SSLVERSION_SSLv2;
1342 } else if (optarg[0] == '3') { 1406 } else if (tls_option_optarg[0] == '3') {
1343 result.config.curl_config.ssl_version = CURL_SSLVERSION_SSLv3; 1407 result.config.curl_config.ssl_version = CURL_SSLVERSION_SSLv3;
1344 } else if (!strcmp(optarg, "1") || !strcmp(optarg, "1.0")) { 1408 } else if (!strcmp(tls_option_optarg, "1") || !strcmp(tls_option_optarg, "1.0")) {
1345#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) 1409#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1346 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_0; 1410 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_0;
1347#else 1411#else
1348 result.config.ssl_version = CURL_SSLVERSION_DEFAULT; 1412 result.config.ssl_version = CURL_SSLVERSION_DEFAULT;
1349#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ 1413#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1350 } else if (!strcmp(optarg, "1.1")) { 1414 } else if (!strcmp(tls_option_optarg, "1.1")) {
1351#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) 1415#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1352 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_1; 1416 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_1;
1353#else 1417#else
1354 result.config.ssl_version = CURL_SSLVERSION_DEFAULT; 1418 result.config.ssl_version = CURL_SSLVERSION_DEFAULT;
1355#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ 1419#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1356 } else if (!strcmp(optarg, "1.2")) { 1420 } else if (!strcmp(tls_option_optarg, "1.2")) {
1357#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) 1421#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0)
1358 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_2; 1422 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_2;
1359#else 1423#else
1360 result.config.ssl_version = CURL_SSLVERSION_DEFAULT; 1424 result.config.ssl_version = CURL_SSLVERSION_DEFAULT;
1361#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */ 1425#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 34, 0) */
1362 } else if (!strcmp(optarg, "1.3")) { 1426 } else if (!strcmp(tls_option_optarg, "1.3")) {
1363#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0) 1427#if LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 52, 0)
1364 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_3; 1428 result.config.curl_config.ssl_version = CURL_SSLVERSION_TLSv1_3;
1365#else 1429#else
@@ -1400,7 +1464,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
1400 } 1464 }
1401#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */ 1465#endif /* LIBCURL_VERSION_NUM >= MAKE_LIBCURL_VERSION(7, 54, 0) */
1402 if (verbose >= 2) { 1466 if (verbose >= 2) {
1403 printf(_("* Set SSL/TLS version to %d\n"), result.config.curl_config.ssl_version); 1467 printf(_("* Set SSL/TLS version to %ld\n"), result.config.curl_config.ssl_version);
1404 } 1468 }
1405 if (!specify_port) { 1469 if (!specify_port) {
1406 result.config.initial_config.serverPort = HTTPS_PORT; 1470 result.config.initial_config.serverPort = HTTPS_PORT;
@@ -1573,6 +1637,18 @@ void print_help(void) {
1573 printf(" %s\n", "--state-regex=STATE"); 1637 printf(" %s\n", "--state-regex=STATE");
1574 printf(" %s\n", _("Return STATE if regex is found, OK if not. STATE can be one of " 1638 printf(" %s\n", _("Return STATE if regex is found, OK if not. STATE can be one of "
1575 "\"critical\",\"warning\"")); 1639 "\"critical\",\"warning\""));
1640 printf(" %s\n", "-x, --proxy=PROXY_SERVER");
1641 printf(" %s\n", _("Specify the proxy in form of <scheme>://<host(name)>:<port>"));
1642 printf(" %s\n", _("Available schemes are http, https, socks4, socks4a, socks5, socks5h"));
1643 printf(" %s\n", _("If port is not specified, libcurl defaults to 1080"));
1644 printf(" %s\n", _("This value will be set as CURLOPT_PROXY"));
1645 printf(" %s\n", "--noproxy=COMMA_SEPARATED_LIST");
1646 printf(" %s\n", _("Specify hostnames, addresses and subnets where proxy should not be used"));
1647 printf(" %s\n", _("Example usage: \"example.com,::1,1.1.1.1,localhost,192.168.0.0/16\""));
1648 printf(" %s\n", _("Do not use brackets when specifying IPv6 addresses"));
1649 printf(" %s\n", _("Special case when an item is '*' : matches all hosts/addresses "
1650 "and effectively disables proxy."));
1651 printf(" %s\n", _("This value will be set as CURLOPT_NOPROXY"));
1576 printf(" %s\n", "-a, --authorization=AUTH_PAIR"); 1652 printf(" %s\n", "-a, --authorization=AUTH_PAIR");
1577 printf(" %s\n", _("Username:password on sites with basic authentication")); 1653 printf(" %s\n", _("Username:password on sites with basic authentication"));
1578 printf(" %s\n", "-b, --proxy-authorization=AUTH_PAIR"); 1654 printf(" %s\n", "-b, --proxy-authorization=AUTH_PAIR");
@@ -1648,6 +1724,8 @@ void print_help(void) {
1648 printf(" %s\n", _("certificate matches the hostname of the server, or if the certificate")); 1724 printf(" %s\n", _("certificate matches the hostname of the server, or if the certificate"));
1649 printf(" %s\n", _("has a valid chain of trust to one of the locally installed CAs.")); 1725 printf(" %s\n", _("has a valid chain of trust to one of the locally installed CAs."));
1650 printf("\n"); 1726 printf("\n");
1727 printf(" %s\n", _("To also verify certificates, please set --verify-cert."));
1728 printf("\n");
1651 printf("%s\n", _("Examples:")); 1729 printf("%s\n", _("Examples:"));
1652 printf(" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com"); 1730 printf(" %s\n\n", "CHECK CONTENT: check_curl -w 5 -c 10 --ssl -H www.verisign.com");
1653 printf(" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,")); 1731 printf(" %s\n", _("When the 'www.verisign.com' server returns its content within 5 seconds,"));
@@ -1657,16 +1735,18 @@ void print_help(void) {
1657 _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,")); 1735 _("the 5-second threshold, a STATE_WARNING will be returned. When an error occurs,"));
1658 printf(" %s\n", _("a STATE_CRITICAL will be returned.")); 1736 printf(" %s\n", _("a STATE_CRITICAL will be returned."));
1659 printf("\n"); 1737 printf("\n");
1660 printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14"); 1738 printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 14 -D");
1661 printf(" %s\n", 1739 printf(" %s\n",
1662 _("When the certificate of 'www.verisign.com' is valid for more than 14 days,")); 1740 _("When the certificate of 'www.verisign.com' is valid for more than 14 days,"));
1663 printf(" %s\n", 1741 printf(" %s\n",
1664 _("a STATE_OK is returned. When the certificate is still valid, but for less than")); 1742 _("a STATE_OK is returned. When the certificate is still valid, but for less than"));
1665 printf(" %s\n", 1743 printf(" %s\n",
1666 _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when")); 1744 _("14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when"));
1667 printf(" %s\n\n", _("the certificate is expired.")); 1745 printf(" %s\n", _("the certificate is expired."));
1746 printf("\n");
1747 printf(" %s\n", _("The -D flag enforces a certificate validation beyond expiration time."));
1668 printf("\n"); 1748 printf("\n");
1669 printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14"); 1749 printf(" %s\n\n", "CHECK CERTIFICATE: check_curl -H www.verisign.com -C 30,14 -D");
1670 printf(" %s\n", 1750 printf(" %s\n",
1671 _("When the certificate of 'www.verisign.com' is valid for more than 30 days,")); 1751 _("When the certificate of 'www.verisign.com' is valid for more than 30 days,"));
1672 printf(" %s\n", 1752 printf(" %s\n",
@@ -1677,10 +1757,39 @@ void print_help(void) {
1677#endif 1757#endif
1678 1758
1679 printf("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:"); 1759 printf("\n %s\n", "CHECK WEBSERVER CONTENT VIA PROXY:");
1680 printf(" %s\n", _("It is recommended to use an environment proxy like:")); 1760 printf(" %s\n", _("Proxies are specified or disabled for certain hosts/addresses using environment variables"
1681 printf(" %s\n", 1761 " or -x/--proxy and --noproxy arguments:"));
1682 _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org")); 1762 printf(" %s\n", _("Checked environment variables: all_proxy, http_proxy, https_proxy, no_proxy"));
1683 printf(" %s\n", _("legacy proxy requests in check_http style still work:")); 1763 printf(" %s\n", _("Environment variables can also be given in uppercase, but the lowercase ones will "
1764 "take predence if both are defined."));
1765 printf(" %s\n", _("The environment variables are overwritten by -x/--proxy and --noproxy arguments:"));
1766 printf(" %s\n", _("all_proxy/ALL_PROXY environment variables are read first, but protocol "
1767 "specific environment variables override them."));
1768 printf(" %s\n", _("If SSL is enabled and used, https_proxy/HTTPS_PROXY will be checked and overwrite "
1769 "http_proxy/HTTPS_PROXY."));
1770 printf(" %s\n", _("Curl accepts proxies using http, https, socks4, socks4a, socks5 and socks5h schemes."));
1771 printf(" %s\n", _("http_proxy=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org"));
1772 printf(" %s\n", _("http_proxy=http://used.proxy.com HTTP_PROXY=http://ignored.proxy.com ./check_curl -H www.monitoring-plugins.org"));
1773 printf(" %s\n", _(" Lowercase http_proxy takes predence over uppercase HTTP_PROXY"));
1774 printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org -x http://192.168.100.35:3128"));
1775 printf(" %s\n", _("http_proxy=http://unused.proxy1.com HTTP_PROXY=http://unused.proxy2.com ./check_curl "
1776 "-H www.monitoring-plugins.org --proxy http://used.proxy"));
1777 printf(" %s\n", _(" Proxy specified by --proxy overrides any proxy specified by environment variable."));
1778 printf(" %s\n", _(" Curl uses port 1080 by default as port is not specified"));
1779 printf(" %s\n", _("HTTPS_PROXY=http://192.168.100.35:3128 ./check_curl -H www.monitoring-plugins.org --ssl"));
1780 printf(" %s\n", _(" HTTPS_PROXY is read as --ssl is toggled"));
1781 printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org --proxy socks5h://192.168.122.21"));
1782 printf(" %s\n", _("./check_curl -H www.monitoring-plugins.org -x http://unused.proxy.com --noproxy '*'"));
1783 printf(" %s\n", _(" Disabled proxy for all hosts by using '*' in no_proxy ."));
1784 printf(" %s\n", _("NO_PROXY=www.monitoring-plugins.org ./check_curl -H www.monitoring-plugins.org -x http://unused.proxy.com"));
1785 printf(" %s\n", _(" Exact matches with the hostname/address work."));
1786 printf(" %s\n", _("no_proxy=192.168.178.0/24 ./check_curl -I 192.168.178.10 -x http://proxy.acme.org"));
1787 printf(" %s\n", _("no_proxy=acme.org ./check_curl -H nonpublic.internalwebapp.acme.org -x http://proxy.acme.org"));
1788 printf(" %s\n", _(" Do not use proxy when accessing internal domains/addresses, but use a default proxy when accessing public web."));
1789 printf(" %s\n", _(" IMPORTANT: Check_curl can not always determine whether itself or the proxy will "
1790 "resolve a hostname before sending a request and getting an answer."
1791 "This can lead to DNS resolvation issues if hostname is only resolvable over proxy."));
1792 printf(" %s\n", _("Legacy proxy requests in check_http style still work:"));
1684 printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ " 1793 printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u http://www.monitoring-plugins.org/ "
1685 "-H www.monitoring-plugins.org")); 1794 "-H www.monitoring-plugins.org"));
1686 1795
@@ -1689,7 +1798,8 @@ void print_help(void) {
1689 printf(" %s\n", _("It is recommended to use an environment proxy like:")); 1798 printf(" %s\n", _("It is recommended to use an environment proxy like:"));
1690 printf(" %s\n", 1799 printf(" %s\n",
1691 _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S")); 1800 _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S"));
1692 printf(" %s\n", _("legacy proxy requests in check_http style might still work, but are frowned upon, so DONT:")); 1801 printf(" %s\n", _("legacy proxy requests in check_http style might still work, but are frowned "
1802 "upon, so DONT:"));
1693 printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j " 1803 printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j "
1694 "CONNECT -H www.verisign.com ")); 1804 "CONNECT -H www.verisign.com "));
1695 printf(" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> " 1805 printf(" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> "
@@ -1710,13 +1820,15 @@ void print_usage(void) {
1710 printf(" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n", progname); 1820 printf(" %s -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]\n", progname);
1711 printf(" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate " 1821 printf(" [-J <client certificate file>] [-K <private key>] [--ca-cert <CA certificate "
1712 "file>] [-D]\n"); 1822 "file>] [-D]\n");
1713 printf(" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-a auth]\n"); 1823 printf(" [-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-x <proxy>]\n");
1714 printf(" [-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport|curl>]\n"); 1824 printf(" [-a auth] [-b proxy_auth] [-f "
1825 "<ok|warning|critical|follow|sticky|stickyport|curl>]\n");
1715 printf(" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive " 1826 printf(" [-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive "
1716 "regex>]\n"); 1827 "regex>]\n");
1717 printf(" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n"); 1828 printf(" [-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]\n");
1718 printf(" [-A string] [-k string] [-S <version>] [--sni] [--haproxy-protocol]\n"); 1829 printf(" [-A string] [-k string] [-S <version>] [--sni] [--haproxy-protocol]\n");
1719 printf(" [-T <content-type>] [-j method]\n"); 1830 printf(" [-T <content-type>] [-j method]\n");
1831 printf(" [--noproxy=<comma separated list of hosts, IP addresses, IP CIDR subnets>\n");
1720 printf(" [--http-version=<version>] [--enable-automatic-decompression]\n"); 1832 printf(" [--http-version=<version>] [--enable-automatic-decompression]\n");
1721 printf(" [--cookie-jar=<cookie jar file>\n"); 1833 printf(" [--cookie-jar=<cookie jar file>\n");
1722 printf(" %s -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]\n", progname); 1834 printf(" %s -H <vhost> | -I <IP-address> -C <warn_age>[,<crit_age>]\n", progname);