Monit using HTTP for check which has protocol set as HTTPS

Issue #357 closed
justin hyland created an issue

I'm trying to monitor a VHost on the local Apache instance via Monit. The same domain accepts both http and https traffic, so I wanted to monitor both.

The main problem I seem to be running into is that even though I configure Monit to monitor the host via both http and https protocols, it monitors both hosts via just http; however, the port is set to 8443 for the one I need using https protocol.

Note: HTTP uses 880 and HTTPS uses 8443

The Monit config file for Apache is:

check process httpd with pidfile /var/run/httpd/httpd.pid
    start program = "/bin/systemctl restart httpd.service" with timeout 60 seconds
    stop program  = "/bin/systemctl stop httpd.service"

check host localhost with address localhost
    if failed
        port 880
        protocol http
        with http headers [Host: www.domain.com, Cache-Control: no-cache]
        and request / with content = "www.domain.com"
            then restart
    if failed
        port 8443
        protocol https
        with http headers [Host: www.domain.com, Cache-Control: no-cache]
        and request / with content = "www.domain.com"
            then restart
    if 5 restarts within 5 cycles
        then timeout

And here's the Monit status for that check:

[root@server enabled-monitors]# monit status localhost
The Monit daemon 5.14 uptime: 14m

Remote Host 'localhost'
  status                            Connection failed
  monitoring status                 Monitored
  port response time                FAILED to [localhost]:8443/ type TCPSSL/IP protocol HTTP
  port response time                0.001s to [localhost]:880/ type TCP/IP protocol HTTP
  data collected                    Tue, 26 Apr 2016 10:44:32

So it's fairly obvious to me that the https is failing because it's still trying to use port HTTP, even though I have protocol https in the configuration.

Any input would be much appreciated. I have a feeling this may be a bug, and I'll create an issue in the Monit Github repo, but I want to make sure it's not something silly that I overlooked.

Thanks!

P.S. If this turns out not being a bug, then I apologize. I did create a few S/O threads (in different S/O websites), and there have been no responses at all after 2 days, and I kinda need this working now.

P.S.S. The server gets the traffic through HAProxy, and I want to test the VHost directly on the local Apache instance. So that's why I'm having it check localhost, and setting the Host header to the vhost domain. Which seems to work with curl, but could that be part of it? I wouldn't think so, I think it's just using the wrong protocol, since in the monit status output, it says FAILED to [www.domain.com]:8443/ type TCPSSL/IP protocol HTTP (I would think it should say HTTPS on the end)

I really hope that's not the issue, since YUM only has version 5.14, and per the Monit changelog, the SSL options (which include the ability to disable verification) were added at v5.15.

If it is due to the request going to localhost, thus breaking the SSL cert verification, I think version 5.15 would allow me to override that. I see I can download the repo code for v5.15 and manually compile/install it, but is there an RPM somewhere? I need to automate this installation and everything.

Comments (8)

  1. justin hyland reporter

    I followed the steps here to get monit 5.15 set up, and I got it installed. So now I'm trying to override the SSL verification, but I also need to set the HTTP headers. I'm not sure what the syntax is for two with statements for one protocol; I don't see it in the documentation (may have overlooked it).

    I tried all of the following:

    # with ssl; with headers
    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
            with ssl options {verify: disable}
            with http headers [Host: www.domain.com, Cache-Control: no-cache]
            and request / with content = "www.domain.com"
                then restart
    
    # with ssl; headers 
    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
            with ssl options {verify: disable}
            http headers [Host: www.domain.com, Cache-Control: no-cache]
            and request / with content = "www.domain.com"
                then restart
    
    # with ssl; and headers
    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
            with ssl options {verify: disable}
            and  http headers [Host: www.domain.com, Cache-Control: no-cache]
            and request / with content = "www.domain.com"
                then restart
    
    # with ssl and with headers
    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
            with ssl options {verify: disable}
            and with http headers [Host: www.domain.com, Cache-Control: no-cache]
            and request / with content = "www.domain.com"
                then restart
    

    They all throw the error

    /etc/monit.d/enabled-monitors/httpd.cfg:17: syntax error 'http headers '

    However, when I try without the with ssl options {verify: disable} line, and specify just with http headers [Host: www.domain.com, Cache-Control: no-cache], I get no syntax errors, and vice versa.

  2. Tildeslash repo owner

    The log:

      port response time                FAILED to [localhost]:8443/ type TCPSSL/IP protocol HTTP
      port response time                0.001s to [localhost]:880/ type TCP/IP protocol HTTP
    

    is correct based on your config. In the first line, 'TCPSSL' means the connection is over SSL. It could be more helpful if it said protocol HTTPS to make this clearer. So your config seems fine. To figure out why https fails, run Monit in verbose mode so it prints output to the console: monit -Iv. This is most likely a configure issue, such as an old openssl library, or you need to use the new with ssl options {verify: disable; selfsigned: allow}. Something like this:

          if failed
             port 443
             protocol https
             and request / with content = "www.domain.com"
             with ssl options {verify: disable; selfsigned: allow}
          then alert
    

    I'm closing this issue as this issue tracker is reserved for bug reports and incidents and not for support. If it turns out to be a bug, feel free to open this issue again.

  3. justin hyland reporter

    Ok, can you help me out with the syntax then?

    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
            with ssl options {verify: disable}
            with http headers [Host: www.domain.com, Cache-Control: no-cache]
            and request / with content = "www.domain.com"
                then restart
    

    I'm trying to configure the ssl options and the http headers, but it throws an error if they're both in there, but either one by itself works.

    I tried with/with; with/and with; and a few others (in my comment above)

    thanks!

  4. Tildeslash repo owner

    check host localhost with address www.domain.com
        if failed
            port 8443
            protocol https
                 with http headers [Host: www.domain.com, Cache-Control: no-cache]
                 and request / with content = "www.domain.com"
            ssl options {verify: disable, selfsigned:allow}
        then restart
    

    Indented statements which belong together. ssl options is not part of the protocol https... statement, but is a standalone statement. Hopefully clearer if you look at the protocol http statement in the manual here
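
The status-line reading explained in comment 2 (TLS is reported in the `type` field, not in the `protocol` field) can be applied mechanically. The following is an added example, not part of the original thread or of Monit; it assumes the `port response time` line layout is exactly as in the Monit 5.14 output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the status lines quoted in this thread.
SAMPLE_STATUS = """\
Remote Host 'localhost'
  status                            Connection failed
  port response time                FAILED to [localhost]:8443/ type TCPSSL/IP protocol HTTP
  port response time                0.001s to [localhost]:880/ type TCP/IP protocol HTTP
"""

# Assumption: line layout matches the Monit 5.14 output shown in the thread.
PORT_LINE = re.compile(
    r"^\s*port response time\s+(?P<result>FAILED|[\d.]+s)\s+to\s+"
    r"\[(?P<host>[^\]]+)\]:(?P<port>\d+)(?P<path>/\S*)?\s+"
    r"type\s+(?P<transport>\w+)/IP\s+protocol\s+(?P<protocol>\S+)\s*$"
)


def parse_port_checks(status_text):
    """Return one dict per 'port response time' line in `monit status` output."""
    checks = []
    for line in status_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        tls = m["transport"].upper().endswith("SSL")
        proto = m["protocol"].lower()
        # TLS lives in the transport field, so HTTP over TCPSSL is HTTPS.
        scheme = proto + "s" if tls and proto == "http" else proto
        failed = m["result"] == "FAILED"
        checks.append({
            "url": f"{scheme}://{m['host']}:{m['port']}{m['path'] or '/'}",
            "tls": tls,
            "failed": failed,
            "seconds": None if failed else float(m["result"][:-1]),
        })
    return checks


def failed_tls_checks(status_text):
    """URLs of checks that ran over TLS and failed (handshake or later)."""
    return [c["url"] for c in parse_port_checks(status_text)
            if c["tls"] and c["failed"]]


if __name__ == "__main__":
    for check in parse_port_checks(SAMPLE_STATUS):
        print(check)
```

A failed check with `tls` set says only that the connection over SSL did not succeed; the reason still has to come from `monit -Iv`.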
