Override IP address in http_response #7598

nicolas17 · 2020-05-29T00:59:18Z

Feature Request

Proposal:

Add a config setting to the http_response input plugin to override the IP address, to use instead of the resolved hostname. Alternatively, add a way to override the hostname when giving an IP address to urls.

Current behavior:

If I set urls=["http://somehostname/"], telegraf will resolve that hostname in DNS and connect to that IP address. If there are multiple IP addresses, I guess it connects to an arbitrary one. I can't work around it with urls=["http://192.0.2.42/"] and overriding inputs.http_response.headers.Host, because then it would fail to verify SSL. Even with insecure_skip_verify it would fail because it wouldn't send the correct hostname in SNI.

Desired behavior:

A new config setting lets me change the IP address the plugin connects to, so I can use the hostname in the URL but connect to another IP.

Alternatively, a new config setting lets me change the hostname used in the Host: header, the SSL SNI, and the SSL certificate verification, so I can use the IP address in the URL but everything else still behaves as if the URL had the hostname.

In either case, both the hostname and the IP address should be somewhere in the resulting tags, so that requests to same hostname but different IP, or viceversa, can be distinguished later.

Use case:

A hostname may point to multiple IP addresses corresponding to different servers. Or it may have both IPv4 and IPv6. Or it may use geodns to return a single IP out of multiple depending on the source's location, and a telegraf instance would always get the same one.

I want to send a request to all IP addresses individually, and collect the response_time for each, so I can know if there is a failure or increased latency for only one server, or for only IPv6.

The text was updated successfully, but these errors were encountered:

danielnelson · 2020-06-01T20:42:26Z

It looks like this is possible today by setting the Host header:

[[inputs.http_response]]
  urls = ["http://127.0.0.1:9999/debug"]
  [inputs.http_response.headers]
    Host = "github.com"

I haven't tested with a TLS certificate, is this where the issue appears?

For the tags, you can add them manually:

  [inputs.http_response.tags]
    http_host = "github.com"

antifuchs · 2020-07-24T04:58:40Z

I just tried this (correcting the .tags to .headers) and unfortunately, this doesn't work for SNI: The Host header gets sent way after the client has indicated to the server's TLS stack which hostname it wishes to speak to (and it looks like telegraf takes the SNI hostname from the URL).

I think what would be really neat here is a list of IP addresses to send the configured requests to: That way, you could monitor a set of redundant load balancers directly for whether they're able to respond to the configured SNI hostnames.

Add a new configration field `sni_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes an HTTP request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Fixes influxdata#7598.

antifuchs · 2020-07-25T18:45:18Z

I submitted a PR for this, #7897; I hope you can weigh in and check if that fits your use case as well, @nicolas17!

Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes influxdata#7598.

* tls_config: Allow specifying SNI hostnames Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes #7598. * Adjust the x509_cert to allow usage of tls_server_name This plugin has been using ServerName previously, and will have to deal with the new setting, too: Extract the server-name choosing into a method & add a test to ensure we choose the right value (and error under the right circumstances). Also document that the two settings are mutually exclusive. * Improve documentation on what we try to accomplish in the nil return Also get rid of the TODO, as I am fairly certain this behavior is the correct one. * Remove unused struct field in tests

* tls_config: Allow specifying SNI hostnames Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes #7598. * Adjust the x509_cert to allow usage of tls_server_name This plugin has been using ServerName previously, and will have to deal with the new setting, too: Extract the server-name choosing into a method & add a test to ensure we choose the right value (and error under the right circumstances). Also document that the two settings are mutually exclusive. * Improve documentation on what we try to accomplish in the nil return Also get rid of the TODO, as I am fairly certain this behavior is the correct one. * Remove unused struct field in tests (cherry picked from commit 3c9c013)

* tls_config: Allow specifying SNI hostnames Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes influxdata#7598. * Adjust the x509_cert to allow usage of tls_server_name This plugin has been using ServerName previously, and will have to deal with the new setting, too: Extract the server-name choosing into a method & add a test to ensure we choose the right value (and error under the right circumstances). Also document that the two settings are mutually exclusive. * Improve documentation on what we try to accomplish in the nil return Also get rid of the TODO, as I am fairly certain this behavior is the correct one. * Remove unused struct field in tests

danielnelson added feature request Requests for new plugin and for new features to existing plugins need more info labels Jun 1, 2020

antifuchs mentioned this issue Jul 25, 2020

common/tls: Allow specifying SNI hostnames #7897

Merged

3 tasks

sspaink closed this as completed in #7897 Dec 23, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Override IP address in http_response #7598

Override IP address in http_response #7598

nicolas17 commented May 29, 2020

danielnelson commented Jun 1, 2020

antifuchs commented Jul 24, 2020 •

edited

antifuchs commented Jul 25, 2020

Override IP address in http_response #7598

Override IP address in http_response #7598

Comments

nicolas17 commented May 29, 2020

Feature Request

Proposal:

Current behavior:

Desired behavior:

Use case:

danielnelson commented Jun 1, 2020

antifuchs commented Jul 24, 2020 • edited

antifuchs commented Jul 25, 2020

antifuchs commented Jul 24, 2020 •

edited