From f56a20ddbc00ba204c221cd34d388c4a2edf279d Mon Sep 17 00:00:00 2001 From: hudashot Date: Sun, 14 Feb 2016 21:53:32 +0000 Subject: [PATCH] Support TLS in TCP connectionst This depends on prometheus/common#31 --- README.md | 8 ++++++++ blackbox.yml | 8 ++++++++ http.go | 12 ------------ main.go | 5 ++++- tcp.go | 21 ++++++++++++++++++++- tls.go | 16 ++++++++++++++++ 6 files changed, 56 insertions(+), 14 deletions(-) create mode 100644 tls.go diff --git a/README.md b/README.md index 7b698f0..5bd0278 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,14 @@ modules: tcp_connect: prober: tcp timeout: 5s + pop3s_banner: + prober: tcp + tcp: + query_response: + - expect: "^+OK" + tls: true + tls_config: + insecure_skip_verify: false ssh_banner: prober: tcp timeout: 5s diff --git a/blackbox.yml b/blackbox.yml index 09d1323..985b38b 100644 --- a/blackbox.yml +++ b/blackbox.yml @@ -11,6 +11,14 @@ modules: tcp_connect: prober: tcp timeout: 5s + pop3s_banner: + prober: tcp + tcp: + query_response: + - expect: "^+OK" + tls: true + tls_config: + insecure_skip_verify: false icmp: prober: icmp timeout: 5s diff --git a/http.go b/http.go index a4ee69f..7253d5d 100644 --- a/http.go +++ b/http.go @@ -1,7 +1,6 @@ package main import ( - "crypto/tls" "errors" "fmt" "io" @@ -9,7 +8,6 @@ import ( "net/http" "regexp" "strings" - "time" "github.com/prometheus/log" ) @@ -43,16 +41,6 @@ func matchRegularExpressions(reader io.Reader, config HTTPProbe) bool { return true } -func getEarliestCertExpiry(state *tls.ConnectionState) time.Time { - earliest := time.Time{} - for _, cert := range state.PeerCertificates { - if (earliest.IsZero() || cert.NotAfter.Before(earliest)) && !cert.NotAfter.IsZero() { - earliest = cert.NotAfter - } - } - return earliest -} - func probeHTTP(target string, w http.ResponseWriter, module Module) (success bool) { var isSSL, redirects int config := module.HTTP diff --git a/main.go b/main.go index 7ffdc19..b41678b 100644 --- a/main.go +++ b/main.go @@ -10,6 +10,7 @@ import ( "gopkg.in/yaml.v2" "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/common/config" "github.com/prometheus/log" ) @@ -45,7 +46,9 @@ type QueryResponse struct { } type TCPProbe struct { - QueryResponse []QueryResponse `yaml:"query_response"` + QueryResponse []QueryResponse `yaml:"query_response"` + TLS bool `yaml:"tls"` + TLSConfig config.TLSConfig `yaml:"tls_config"` } type ICMPProbe struct { diff --git a/tcp.go b/tcp.go index ff8950d..8942b1b 100644 --- a/tcp.go +++ b/tcp.go @@ -2,6 +2,7 @@ package main import ( "bufio" + "crypto/tls" "fmt" "net" "net/http" @@ -11,19 +12,37 @@ import ( "github.com/prometheus/log" ) +func dialTCP(target string, module Module) (net.Conn, error) { + dialer := &net.Dialer{Timeout: module.Timeout} + if !module.TCP.TLS { + return dialer.Dial("tcp", target) + } + config, err := module.TCP.TLSConfig.GenerateConfig() + if err != nil { + return nil, err + } + return tls.DialWithDialer(dialer, "tcp", target, config) +} + func probeTCP(target string, w http.ResponseWriter, module Module) bool { deadline := time.Now().Add(module.Timeout) - conn, err := net.DialTimeout("tcp", target, module.Timeout) + conn, err := dialTCP(target, module) if err != nil { return false } defer conn.Close() + // Set a deadline to prevent the following code from blocking forever. // If a deadline cannot be set, better fail the probe by returning an error // now rather than blocking forever. if err := conn.SetDeadline(deadline); err != nil { return false } + if module.TCP.TLS { + state := conn.(*tls.Conn).ConnectionState() + fmt.Fprintf(w, "probe_ssl_earliest_cert_expiry %f\n", + float64(getEarliestCertExpiry(&state).UnixNano())/1e9) + } scanner := bufio.NewScanner(conn) for _, qr := range module.TCP.QueryResponse { log.Debugf("Processing query response entry %+v", qr) diff --git a/tls.go b/tls.go new file mode 100644 index 0000000..2002454 --- /dev/null +++ b/tls.go @@ -0,0 +1,16 @@ +package main + +import ( + "crypto/tls" + "time" +) + +func getEarliestCertExpiry(state *tls.ConnectionState) time.Time { + earliest := time.Time{} + for _, cert := range state.PeerCertificates { + if (earliest.IsZero() || cert.NotAfter.Before(earliest)) && !cert.NotAfter.IsZero() { + earliest = cert.NotAfter + } + } + return earliest +} -- 2.25.1