How to Monitor HTTPS Website Status Codes with Nagios Including Authentication Checks



When monitoring secured websites, the standard check_http plugin often falls short because:

  • It doesn't properly handle authentication flows
  • HTTP 3xx redirects can mask underlying issues
  • Session cookies and CSRF tokens break simple checks

For proper authentication checks, consider these approaches:

1. Custom cURL-based Script

Create a wrapper script using cURL that handles the full login flow:


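#!/bin/bash
# nagios-https-auth-check.sh
# Usage: nagios-https-auth-check.sh <username> <password>

# Private per-run cookie jar instead of a predictable file name in /tmp
COOKIE_JAR=$(mktemp) || { echo "UNKNOWN: cannot create cookie jar"; exit 3; }
trap 'rm -f "$COOKIE_JAR"' EXIT

# --data-urlencode keeps &, = and other special characters in the
# credentials from corrupting the form body
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
  --cookie-jar "$COOKIE_JAR" \
  --data-urlencode "username=$1" \
  --data-urlencode "password=$2" \
  https://example.com/login)

if [[ "$RESPONSE" == "200" ]]; then
  echo "OK: Successful login"
  exit 0
else
  echo "CRITICAL: Login failed (HTTP $RESPONSE)"
  exit 2
fi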
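
An added example, not part of the original page: a POSIX shell plugin that carries the wrapper above through the whole flow (fetch the login form, extract the CSRF token, log in with the cookie jar, then confirm the post-login page by content). The /login and /dashboard paths, the csrf_token field name and the user:password credentials file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed (hypothetical) names:
# /login and /dashboard paths, a hidden "csrf_token" field with name= before
# value=, and a mode-600 credentials file holding one "user:password" line.

# Read login-page HTML on stdin, print the hidden CSRF field's value.
extract_csrf() {
  sed -n 's/.*name="csrf_token"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Map the post-login response to a Nagios state (0 OK, 2 CRITICAL).
# $1 = HTTP status, $2 = body, $3 = string only a logged-in page contains.
evaluate() {
  case "$1" in
    200) case "$2" in
           *"$3"*) echo "OK: login verified by page content"; return 0 ;;
           *) echo "CRITICAL: HTTP 200 but '$3' missing (login form again?)"; return 2 ;;
         esac ;;
    3??) echo "CRITICAL: HTTP $1 redirect, session was not accepted"; return 2 ;;
    *)   echo "CRITICAL: unexpected HTTP $1"; return 2 ;;
  esac
}

# $1 = base URL, $2 = credentials file, $3 = expected post-login string.
main() {
  jar=$(mktemp) || { echo "UNKNOWN: mktemp failed"; return 3; }
  trap 'rm -f "$jar"' EXIT
  user=""
  IFS=: read -r user pass < "$2"
  [ -n "$user" ] || { echo "UNKNOWN: cannot read credentials from $2"; return 3; }
  token=$(curl -sS --max-time 10 -c "$jar" "$1/login" | extract_csrf)
  [ -n "$token" ] || { echo "CRITICAL: no CSRF token on login page"; return 2; }
  curl -sS --max-time 10 -b "$jar" -c "$jar" -o /dev/null \
    --data-urlencode "csrf_token=$token" --data-urlencode "username=$user" \
    --data-urlencode "password=$pass" "$1/login" \
    || { echo "CRITICAL: login request failed"; return 2; }
  # No -L: a redirect away from the dashboard must stay visible as 3xx.
  out=$(curl -sS --max-time 10 -b "$jar" -w '\n%{http_code}' "$1/dashboard") \
    || { echo "CRITICAL: dashboard request failed"; return 2; }
  evaluate "$(printf '%s\n' "$out" | tail -n 1)" \
           "$(printf '%s\n' "$out" | sed '$d')" "$3"
}

# Run the check only when invoked with arguments.
if [ "$#" -ge 3 ]; then main "$@"; exit $?; fi
```

Reading the credentials from a file keeps them out of the Nagios object configuration; the file should be readable only by the account that runs the checks.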

2. Using check_http with Auth Parameters

The standard plugin can handle basic auth:


define command {
    command_name    check_https_auth
    command_line    $USER1$/check_http -H $HOSTADDRESS$ -S -u "/secure-page" -a "$ARG1$:$ARG2$" -e "200"
}

3. Python-based Solution

For complex sites whose JavaScript front end authenticates against an API:


import requests
from nagiosplugin import Metric, Resource

class WebsiteAuthCheck(Resource):
    """Reports the HTTP status of an authenticated login request."""

    def __init__(self, url, username, password):
        self.url = url
        self.auth = (username, password)

    def probe(self):
        session = requests.Session()
        try:
            # A timeout keeps a hung server from stalling the check
            r = session.post(f"{self.url}/api/login", auth=self.auth, timeout=10)
            status = r.status_code
            return [Metric('http_status', status, context='http_codes')]
        except requests.RequestException:
            # Connection, TLS and timeout failures become an error metric
            return [Metric('error', 1, context='errors')]

Testing Form Submissions

Use cURL to submit the login payload, here a JSON body read from login.json:


curl -X POST -d @login.json -H "Content-Type: application/json" \
  https://example.com/api/auth --cookie-jar session.txt

Verifying Page Content

Combine status checks with content validation:


check_http -H example.com -S -u "/dashboard" -s "Welcome back"

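For your service definition (the inline password is for illustration; credentials can instead be kept in Nagios resource files and referenced through $USERn$ macros):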


define service {
    use                 generic-service
    host_name           website-server
    service_description HTTPS Auth Check
    check_command       check_https_auth!api_user!s3cr3tP@ss
}

When Nagios plugins aren't enough:

  • Prometheus Blackbox Exporter
  • Selenium-based browser checks
  • Puppeteer monitoring scripts

When monitoring secure websites, the standard check_http plugin often falls short because:

  • It treats all 2xx/3xx responses as successful
  • Doesn't handle authentication flows
  • Can't verify post-login page content

# Sample command using check_http with authentication
define command {
    command_name check_https_auth
    command_line /usr/lib/nagios/plugins/check_http -H $HOSTADDRESS$ -S -u /login -a 'user:pass' -e 'HTTP/1.1 200' -s 'Welcome Dashboard'
}

For more complex scenarios, consider these options:

1. Custom Curl-based Script

#!/bin/bash
response=$(curl -s -o /dev/null -w "%{http_code}" \
    --data "username=admin&password=secret" \
    https://example.com/login)
    
if [ "$response" -eq 200 ]; then
    echo "OK: Login successful"
    exit 0
else
    echo "CRITICAL: Login failed ($response)"
    exit 2
fi

2. Using check_http with Session Cookies

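# check_https_cookie is an illustrative command name. In check_http, -H is
# the host name; extra request headers such as Cookie are passed with -k.
define command {
    command_name    check_https_cookie
    command_line    $USER1$/check_http -H $ARG1$ -S -u $ARG2$ -k "Cookie: $ARG3$" -e "200"
}

define service {
    use                 generic-service
    host_name           web-server
    service_description HTTPS Login Check
    check_command       check_https_cookie!example.com!/dashboard!sessionid=ABC123
}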

  • Store credentials in Nagios resource files ($USERn$ macros)
  • Connect over TLS (-S flag) and check the certificate too; -S alone only enables TLS, and -C adds a certificate expiry check
  • Combine status code checks with content matching (-s option)
  • Consider using nagios-plugins-extra for advanced scenarios

If you're getting false positives:

# Debug command to see full response:
check_http -H example.com -S -v -a 'user:pass' -u /login

This will show you the actual HTTP conversation including redirects and final status.