Using check_http to monitor [HAProxy](http://www.haproxy.org/) via SSL on an
URL configured via monitor-uri (that is, [HAProxy](http://www.haproxy.org/)
is handling the HTTP request itself without forwarding it to the backend) is
currently not possible, as check_http dies with an `EPIPE` before returning
any output:
write(3, "\25\3\1\0
\256\235\31\353\0\276\347\361\367e\221\323:3\336\302I\257\2232\270\307c\256\357\270\346"...,
37) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=16924, si_uid=57000}
---
+++ killed by SIGPIPE +++
This is due to the fact that [HAProxy](http://www.haproxy.org/) immediately
closes the monitoring connection after the response, without waiting for any
SSL shutdown. Unfortunately (in this case) `SSL_shutdown()` tries to send a
SSL shutdown message on a connection which does not exist anymore,
triggering the EPIPE.
The only workaround for that issue so far is disabling `SIGPIPE` before
`SSL_shutdown()`, as I found no way to check the socket state without
writing to it:
--- monitoring-plugins-2.1.2/plugins/sslutils.c.orig 2015-10-16
11:06:18.000000000 +0200
+++ monitoring-plugins-2.1.2/plugins/sslutils.c 2016-05-20
15:55:39.915793381 +0200
@@ -127,7 +127,10 @@ void np_net_ssl_cleanup() {
#ifdef SSL_set_tlsext_host_name
SSL_set_tlsext_host_name(s, NULL);
#endif
+ /* XXX: Ignore SIGPIPE or SSL_shutdown() will EPIPE on
dropped connections */
+ (void) signal (SIGPIPE, SIG_IGN);
SSL_shutdown(s);
+ (void) signal (SIGPIPE, SIG_DFL);
SSL_free(s);
if (c) {
SSL_CTX_free(c);
Please consider this fix for inclusion.
---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1419
