*** plugins/check_http.c.orig 2010-03-18 15:05:53.000000000 -0400
--- plugins/check_http.c 2010-03-23 14:26:48.000000000 -0400
***************
*** 121,126 ****
--- 121,127 ----
char *http_post_data;
char *http_content_type;
char buffer[MAX_INPUT_BUFFER];
+ int http_connect = FALSE;
int process_arguments (int, char **);
int check_http (void);
***************
*** 186,191 ****
--- 187,193 ----
{"link", no_argument, 0, 'L'},
{"nohtml", no_argument, 0, 'n'},
{"ssl", no_argument, 0, 'S'},
+ {"http-connect", no_argument, 0, 'K'},
{"post", required_argument, 0, 'P'},
{"method", required_argument, 0, 'j'},
{"IP-address", required_argument, 0, 'I'},
***************
*** 229,235 ****
} while (1) {
! c = getopt_long (argc, argv, "Vvh46t:c:w:A:k:H:P:j:T:I:a:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option);
if (c == -1 || c == EOF) break;
--- 231,237 ----
} while (1) {
! c = getopt_long (argc, argv, "Vvh46Kt:c:w:A:k:H:P:j:T:I:a:e:p:s:R:r:u:f:C:nlLSm:M:N", longopts, &option);
if (c == -1 || c == EOF) break;
***************
*** 401,406 ****
--- 403,411 ----
usage4 (_("IPv6 support not available"));
#endif
break;
+ case 'K': /* use http-connect */
+ http_connect = TRUE;
+ break;
case 'v': /* verbose */
verbose = TRUE;
break;
***************
*** 790,795 ****
--- 795,807 ----
die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open TCP socket\n"));
#ifdef HAVE_SSL
if (use_ssl == TRUE) {
+
+ if (http_connect == TRUE) {
+ /* only using port 443 */
+ if (http_connect_through_proxy(host_name, 443, user_agent, sd) != STATE_OK)
+ die (STATE_CRITICAL, _("HTTP CRITICAL - Unable to open proxy tunnel TCP socket\n"));
+ }
+
np_net_ssl_init_with_hostname(sd, host_name);
if (check_cert == TRUE) {
result = np_net_ssl_check_cert(days_till_exp);
***************
*** 1234,1239 ****
--- 1246,1290 ----
}
+
+ /* start the HTTP CONNECT method exchange with a proxy host */
+ int
+ http_connect_through_proxy (char *host_name, int port, char *user_agent, int sd)
+ {
+ int result;
+ char *send_buffer=NULL;
+ char
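Review bot: `http_connect` is only consulted inside `if (use_ssl == TRUE)` under `#ifdef HAVE_SSL`, so `-K` given without `-S` (or on a build without SSL) is accepted by the `case 'K'` hunk and then silently ignored: the check runs with no tunnel even though the help text says the option requires `-S`. Reject that combination once option parsing is done, e.g. `if (http_connect == TRUE && use_ssl == FALSE) usage4 (_("--http-connect requires --ssl"));`; the option validation code is outside these hunks, so it belongs wherever the other option checks live. The call also comes well before the definition added further down and no hunk adds a prototype, so `int http_connect_through_proxy (char *, int, char *, int);` should join the declarations beside `int check_http (void);` unless it is declared somewhere not shown. The enclosing function starts and ends outside the hunk.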
recv_buffer[MAX_INPUT_BUFFER];
+ char *status_line;
+ char *status_code;
+ int http_status;
+
+ asprintf( &send_buffer, "CONNECT %s:%d HTTP/1.0\r\nUser-agent: %s\r\n\r\n", host_name, port, user_agent);
+
+ result = STATE_OK;
+ result = send_tcp_request (sd, send_buffer, recv_buffer, sizeof(recv_buffer));
+ if (result != STATE_OK)
+ return result;
+
+ status_line = recv_buffer;
+ status_line[strcspn(status_line, "\r\n")] = 0;
+ strip (status_line);
+ if (verbose)
+ printf ("HTTP_CONNECT STATUS: %s\n", status_line);
+
+ status_code = strchr (status_line, ' ') + sizeof (char);
+ if (strspn (status_code, "1234567890") != 3)
+ die (STATE_CRITICAL, _("HTTP CRITICAL: HTTP_CONNECT Returns Invalid Status Line (%s)\n"), status_line);
+
+ http_status = atoi (status_code);
+
+ if (http_status != 200) {
+ die (STATE_CRITICAL, _("HTTP CRITICAL: Invalid HTTP Connect Proxy Status (%s)\n"), status_line);
+ }
+
+ return STATE_OK;
+ }
+
+
int server_type_check (const char *type) {
***************
*** 1308,1313 ****
--- 1359,1368 ----
#ifdef HAVE_SSL
printf (" %s\n", "-S, --ssl");
printf (" %s\n", _("Connect via SSL. Port defaults to 443"));
+ printf (" %s\n", "-K, --http-connect");
+ printf (" %s\n", _("Connect to a proxy using the HTTP CONNECT protocol (SSL tunnel)."));
+ printf (" %s\n", _("Requires -S option. Will only connect to host through tunnel"));
+ printf (" %s\n", _("on port 443."));
printf (" %s\n", "-C, --certificate=INTEGER");
printf (" %s\n", _("Minimum number of days a certificate has to be valid. Port defaults to 443"));
printf (" %s\n", _("(when this option is used the URL is not checked.)\n"));
***************
*** 1406,1412 ****
{
printf (_("Usage:"));
printf (" %s -H | -I [-u ] [-p ]\n",progname);
! printf (" [-w ] [-c ] [-t ] [-L]\n");
printf (" [-a auth] [-f ]\n");
printf (" [-e ] [-s string] [-l] [-r | -R ]\n");
printf (" [-P string] [-m :] [-4|-6] [-N] [-M ]\n");
--- 1461,1467 ----
{
printf (_("Usage:"));
printf (" %s -H | -I [-u ] [-p ]\n",progname);
!
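Review bot: `status_code = strchr (status_line, ' ') + sizeof (char);` in the new `http_connect_through_proxy` does arithmetic on the `strchr` result before checking it, so a proxy reply whose first line contains no space yields an invalid pointer that `strspn` then reads; the reply is network input and has to be validated before it is parsed. The `asprintf` return value is also ignored and `send_buffer` is never freed, and `result = STATE_OK;` is dead because the next line overwrites it. Only one `send_tcp_request` exchange is made, so if the proxy's response headers are not fully consumed by that read the remainder would presumably still be on the socket when the TLS handshake starts; this should be confirmed against `send_tcp_request`, which is not shown. The fence below covers the pointer check and the allocation handling.

```c
  if (asprintf (&send_buffer, "CONNECT %s:%d HTTP/1.0\r\nUser-agent: %s\r\n\r\n", host_name, port, user_agent) < 0)
    die (STATE_UNKNOWN, _("HTTP UNKNOWN - Memory allocation error\n"));

  result = send_tcp_request (sd, send_buffer, recv_buffer, sizeof(recv_buffer));
  free (send_buffer);
  if (result != STATE_OK)
    return result;

  /* ... unchanged: status line trimming and verbose print ... */

  status_code = strchr (status_line, ' ');
  if (status_code != NULL)
    status_code++;
  if (status_code == NULL || strspn (status_code, "1234567890") != 3)
    die (STATE_CRITICAL, _("HTTP CRITICAL: HTTP_CONNECT Returns Invalid Status Line (%s)\n"), status_line);

  /* ... unchanged: atoi conversion and 200 check ... */
```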
printf (" [-w ] [-c ] [-t ] [-L] [-K]\n");
printf (" [-a auth] [-f ]\n");
printf (" [-e ] [-s string] [-l] [-r | -R ]\n");
printf (" [-P string] [-m :] [-4|-6] [-N] [-M ]\n");