
Add support for encrypted livestatus

LarsMichelsen committed Oct 24, 2019
1 parent b92e201 commit ac5cc90e421443c95ac10dcdfab686e5f56f7ac2
@@ -1,4 +1,9 @@
1.9.16
Core:
* Add support for Encrypted livestatus. You can now configure "tcp-tls:[address]:[port]"
as socket address and control the TLS verification using the new backend specific
settings "verify_tls_peer" and "verify_tls_ca_path".


1.9.15
Core:
@@ -26,7 +26,21 @@ <h1>MKLivestatus backend</h1>
<tr>
<td>socket</td>
<td>unix:/usr/local/nagios/var/rw/live</td>
<td><p>The socket to connect to can be a local unix socket or a tcp socket. You have to define the type at the beginning of the string. Set &quot;unix:&quot; for unix sockets or &quot;tcp:&quot; for tcp sockets.</p> <p>In case of the unix socket you need to specify the path of the livestatus unix socket to connect to.</p> <p>When using a tcp socket you have to enter a host address and a tcp port using the following scheme: &lt;host>:&lt;port>. The host address can be an IP address or an FQDN.</p></td>
<td><p>The socket to connect to can be a local unix socket or a tcp
socket. You have to define the type at the beginning of the string.
Set &quot;unix:&quot; for unix sockets or &quot;tcp:&quot; for tcp
sockets.</p>

<p><font color="#f00">New in 1.9.16</font>:Since Checkmk 1.6.0 it is possible to encrypt the Livestatus
channel using TLS. To connnect to such a channel use &quot;tcp-tls:&quot;.</p>

<p>In case of the unix socket you need to specify the
path of the livestatus unix socket to connect to.</p>

<p>When using a tcp socket you have to enter a host address and a
tcp port using the following scheme: &lt;host>:&lt;port>. The host address can
be an IP address or an FQDN.</p>
</td>
</tr><tr>
<td>timeout</td>
<td>5</td>
@@ -35,6 +49,25 @@ <h1>MKLivestatus backend</h1>
This is just a fallback. To prevent timeouts when accessing remote sites you really should configure a statushost for the backend.
For details take a look at the general backend parameters documented in the <a href="nagvis_config_format_description.html#backend">backend section</a>
of the main configuration format description.</a></td>
</tr><tr>
<td>verify_tls_peer</td>
<td>1</td>
<td>
<font color="#f00">New in 1.9.16</font>: Only relevant when you connect to a Livestatus TLS encrypted socket.
This can be used to turn off the peer certificate verification. In case it is enabled, you will have to
set the <tt>verify_tls_ca_path</tt> option.
</td>
</tr><tr>
<td>verify_tls_ca_path</td>
<td></td>
<td>
<font color="#f00">New in 1.9.16</font>: Configure an absolute
path that points to a CA chain file which is then used to verify the
certificate of the Livestatus TLS server. You can, for example in Checkmk
sites, point it to the, "Trusted certificate authorities file of Checkmk
(/omd/sites/[site-id]/var/ssl/ca-certificates.crt) to use the same trust
configuration in NagVis and Checkmk.
</td>
</tr>
</table>
<p>There are also some general parameters. You can read about them in <a href="nagvis_config_format_description.html#backend">main configuration format description</a>.</p>
@@ -37,6 +37,7 @@
class GlobalBackendmklivestatus implements GlobalBackendInterface {
private $backendId = '';
private $CONNECT_ERR = "";
private $CONNECT_EXC = null;
private $SOCKET = null;
private $socketType = '';
@@ -52,6 +53,19 @@ class GlobalBackendmklivestatus implements GlobalBackendInterface {
'default' => 'unix:/usr/local/nagios/var/rw/live',
'match' => MATCH_SOCKET,
),
'verify_tls_peer' => Array(
'must' => 0,
'editable' => 1,
'default' => 1,
'match' => MATCH_BOOLEAN,
'field_type' => 'boolean',
),
'verify_tls_ca_path' => Array(
'must' => 0,
'editable' => 1,
'default' => '',
'match' => MATCH_STRING_PATH,
),
'timeout' => Array(
'must' => 1,
'editable' => 1,
@@ -118,14 +132,15 @@ private function parseSocket($socket) {
if($type === 'unix') {
$this->socketType = $type;
$this->socketPath = $address;
} elseif($type === 'tcp') {
} elseif($type === 'tcp' || $type === 'tcp-tls') {
$this->socketType = $type;
// Extract address and port
list($address, $port) = explode(':', $address, 2);
$this->socketAddress = $address;
$this->socketPort = $port;
} else {
throw new BackendConnectionProblem(
l('Unknown socket type given in backend [BACKENDID]',
@@ -170,31 +185,75 @@ private function connectSocket() {
if($this->CONNECT_EXC != null)
throw $this->CONNECT_EXC;
set_error_handler(array($this, 'connectErrorHandler'), E_WARNING | E_NOTICE);
// Connect to the socket
// don't want to see the connection error messages - want to handle the
// errors later with an own error message
// FIXME: Maybe use pfsockopen in the future to use persistent connections
if($this->socketType === 'unix') {
$oldLevel = error_reporting(0);
$this->SOCKET = fsockopen('unix://'.$this->socketPath, NULL, $errno, $errstr, (float) cfg('backend_'.$this->backendId, 'timeout'));
error_reporting($oldLevel);
} elseif($this->socketType === 'tcp-tls') {
if (cfg('backend_'.$this->backendId, 'verify_tls_peer') == true) {
$ssl_options = [
'verify_peer' => true,
'verify_peer_name' => false,
'verify_depth' => 1,
];
$ca_path = cfg('backend_'.$this->backendId, 'verify_tls_ca_path');
if ($ca_path)
$ssl_options['cafile'] = $ca_path;
$context = stream_context_create([
'ssl' => $ssl_options
]);
} else {
$context = stream_context_create([
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false
]
]);
}
$this->SOCKET= stream_socket_client("tls://" . $this->socketAddress . ":" . $this->socketPort, $errno, $errstr,
(float) cfg('backend_'.$this->backendId, 'timeout'), STREAM_CLIENT_CONNECT, $context);
} elseif($this->socketType === 'tcp') {
$oldLevel = error_reporting(0);
$this->SOCKET = fsockopen($this->socketAddress, $this->socketPort, $errno, $errstr, (float) cfg('backend_'.$this->backendId, 'timeout'));
error_reporting($oldLevel);
}
restore_error_handler();
if(!$this->SOCKET) {
if ($errno === 0)
$error_msg = $this->CONNECT_ERR;
else
$error_msg = $errstr;
$this->SOCKET = null;
$this->CONNECT_EXC = new BackendConnectionProblem(
l('Unable to connect to the [SOCKET] in backend [BACKENDID]: [MSG]',
Array('BACKENDID' => $this->backendId,
'SOCKET' => $this->socketPath,
'MSG' => $errstr)));
'MSG' => $error_msg)));
throw $this->CONNECT_EXC;
}
}
/**
* Catch PHP errors occured during connect
*/
public function connectErrorHandler($errno, $errstr) {
if (($errno & E_WARNING) === 0 && ($errno & E_NOTICE) === 0) {
return false; // use default error handler
}
$this->CONNECT_ERR .= $errstr . "\n";
return true;
}
/*private function verifyLivestatusVersion() {
$result = $this->queryLivestatusSingleColumn("GET status\nColumns: livestatus_version\n");
$result[0] = '1.1.7rc1';
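Review bot: In the tcp-tls branch of connectSocket the verifying context sets `'verify_peer_name' => false` right next to `'verify_peer' => true`, so with verify_tls_peer enabled any certificate issued by the configured CA is accepted no matter which host presents it, which is weaker than the "peer certificate verification" the option name and docs promise. If Checkmk site certificates are not issued for the connect address (that looks like the reason the check is off, but the hunk does not say so), prefer `'verify_peer_name' => true` together with a `'peer_name' => <expected name>` entry, or at least document on verify_tls_peer that only the issuer is checked. `'verify_depth' => 1` may also reject servers that send an intermediate certificate (the exact limit depends on the OpenSSL version), which the "CA chain file" wording in the docs suggests is expected, so consider dropping or raising it. Two smaller points in the same hunk: when verify_tls_peer is on and verify_tls_ca_path is empty the code silently falls back to the system CA store, which deserves a comment such as `// no cafile: PHP falls back to the system trust store (openssl.cafile)`, and the failure message still fills SOCKET from `$this->socketPath`, which is empty for tcp and tcp-tls sockets.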
@@ -114,7 +114,7 @@
define('MATCH_TEXTBOX_WIDTH', '/^([0-9]+|auto)$/');
define('MATCH_TEXTBOX_HEIGHT', '/^([0-9]+|auto)$/');
define('MATCH_WEATHER_COLORS', '/^(?:[0-9]{1,4}(\.[0-9]{1,2})?:#[0-9a-f]{6},?)+$/');
define('MATCH_SOCKET', '/^(unix:[a-zA-Z0-9\-_.\/]+|tcp:[a-zA-Z0-9.-]+:[0-9]{1,5})$/');
define('MATCH_SOCKET', '/^(unix:[a-zA-Z0-9\-_.\/]+|tcp(-tls)?:[a-zA-Z0-9.-]+:[0-9]{1,5})$/');
define('MATCH_WUI_ADDMODIFY_DO', '/^(add|modify)$/');
?>
