Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add regexp matching of HTTP response headers to the http probe #419

Merged
merged 11 commits into from
Feb 21, 2019
Merged

Add regexp matching of HTTP response headers to the http probe #419

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
f6cdd9c
Add regexp matching of HTTP response headers to the http probe
gvsmirnov Feb 16, 2019
2c2a8ee
Fixed a copy-paste error in the documentation
gvsmirnov Feb 16, 2019
aa18657
Remove potentially secret header values from logs
gvsmirnov Feb 16, 2019
b5c2f94
Rename two fields in HTTPProbe config for clarity and consistency
gvsmirnov Feb 17, 2019
4bf57e1
Add support for empty header values and multi-value headers
gvsmirnov Feb 17, 2019
6abb43e
Canonicalize header names when matching
gvsmirnov Feb 18, 2019
4e794b3
Breaking change: rename config parametes of HTTP probe for consistency
gvsmirnov Feb 18, 2019
7c95fb3
Rename header match config properties to avoid a confusing postfix
gvsmirnov Feb 18, 2019
0ed9994
Reused existing prometheus metrics for failed http header matches
gvsmirnov Feb 18, 2019
3527651
Grammar, style and formatting
gvsmirnov Feb 19, 2019
e7e7afb
Always require regexp for http header matching
gvsmirnov Feb 20, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 18 additions & 2 deletions CONFIGURATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,14 +58,30 @@ The other placeholders are specified separately.
# Probe fails if SSL is not present.
[ fail_if_not_ssl: <boolean> | default = false ]

# Probe fails if response matches regex.
# Probe fails if response body matches regex.
fail_if_matches_regexp:
[ - <regex>, ... ]

# Probe fails if response does not match regex.
# Probe fails if response body does not match regex.
fail_if_not_matches_regexp:
[ - <regex>, ... ]

# Probe fails if response header matches regex.
fail_if_header_matches_regexp:
[ - [ header: <string>,
[ regex: <regex>, ]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation seems off here

Copy link
Contributor Author

@gvsmirnov gvsmirnov Feb 19, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, does not look quite good. I got it from the prometheus config documentation, e.g. here when the same level contains both optional and non-optional parameters, then it looks like this (comments stripped):

job_name: <job_name>
[ scrape_interval: <duration> | default = <global_config.scrape_interval> ]

In here, though, the regex should be named regexp and be made non-optional, so it would look like this:

  # Probe fails if response header matches regex. For headers with multiple values, fails if *at least one* matches.
  fail_if_header_matches:
    [ - [ header: <string>,
          regexp: <regex>,
          [ allow_missing: <boolean> | default = false ]
        ], ...
    ]

Would that be OK?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking around, the only similar one we have is some of pagerduty for the AM. There we break it out as a different type.

Copy link
Contributor Author

@gvsmirnov gvsmirnov Feb 19, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another example right in this repo is query_response in tcp_probe, it does not break it out as a separate type. That's why I did not do it here. Can extract both or keep inlined like above

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For query_response they're all optional though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, extracted only the http header match spec.

[ allow_missing: <boolean> | default = false ]
], ...
]

# Probe fails if response header does not match regex.
fail_if_header_not_matches_regexp:
[ - [ header: <string>,
[ regex: <regex>, ]
[ allow_missing: <boolean> | default = false ]
], ...
]

# Configuration for TLS protocol of HTTP probe.
tls_config:
[ <tls_config> ]
Expand Down
52 changes: 39 additions & 13 deletions config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,19 +80,27 @@ type Module struct {

type HTTPProbe struct {
// Defaults to 2xx.
ValidStatusCodes []int `yaml:"valid_status_codes,omitempty"`
ValidHTTPVersions []string `yaml:"valid_http_versions,omitempty"`
IPProtocol string `yaml:"preferred_ip_protocol,omitempty"`
IPProtocolFallback bool `yaml:"ip_protocol_fallback,omitempty"`
NoFollowRedirects bool `yaml:"no_follow_redirects,omitempty"`
FailIfSSL bool `yaml:"fail_if_ssl,omitempty"`
FailIfNotSSL bool `yaml:"fail_if_not_ssl,omitempty"`
Method string `yaml:"method,omitempty"`
Headers map[string]string `yaml:"headers,omitempty"`
FailIfMatchesRegexp []string `yaml:"fail_if_matches_regexp,omitempty"`
FailIfNotMatchesRegexp []string `yaml:"fail_if_not_matches_regexp,omitempty"`
Body string `yaml:"body,omitempty"`
HTTPClientConfig config.HTTPClientConfig `yaml:"http_client_config,inline"`
ValidStatusCodes []int `yaml:"valid_status_codes,omitempty"`
ValidHTTPVersions []string `yaml:"valid_http_versions,omitempty"`
IPProtocol string `yaml:"preferred_ip_protocol,omitempty"`
IPProtocolFallback bool `yaml:"ip_protocol_fallback,omitempty"`
NoFollowRedirects bool `yaml:"no_follow_redirects,omitempty"`
FailIfSSL bool `yaml:"fail_if_ssl,omitempty"`
FailIfNotSSL bool `yaml:"fail_if_not_ssl,omitempty"`
Method string `yaml:"method,omitempty"`
Headers map[string]string `yaml:"headers,omitempty"`
FailIfMatchesRegexp []string `yaml:"fail_if_matches_regexp,omitempty"`
FailIfNotMatchesRegexp []string `yaml:"fail_if_not_matches_regexp,omitempty"`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these two above be renamed to FailIfBodyMatchesRegexp and FailIfBodyNotMatchesRegexp ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I would rename them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

FailIfHeaderMatchesRegexp []HeaderMatch `yaml:"fail_if_header_matches_regexp,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't a string, so I'd remove the _regexp from the name to avoid confusion.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where would the confusion arise from? Is there a convention that properties ending with _regexp are always strings that represent regular expression?

I could rename the properties so it would be like this:

# ...
fail_if_body_matches_regexp:
  - 'Thou shall not pass'
fail_if_header_matches:
  - header: Host
    regexp: example.com

It would lose the consistency between property names for header and body, though. Is it worth it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the data structures are different

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

FailIfHeaderNotMatchesRegexp []HeaderMatch `yaml:"fail_if_header_not_matches_regexp,omitempty"`
Body string `yaml:"body,omitempty"`
HTTPClientConfig config.HTTPClientConfig `yaml:"http_client_config,inline"`
}

type HeaderMatch struct {
Header string `yaml:"header,omitempty"`
Regexp string `yaml:"regexp,omitempty"`
AllowMissing bool `yaml:"allow_missing,omitempty"`
}

type QueryResponse struct {
Expand Down Expand Up @@ -217,3 +225,21 @@ func (s *QueryResponse) UnmarshalYAML(unmarshal func(interface{}) error) error {
}
return nil
}

// UnmarshalYAML implements the yaml.Unmarshaler interface.
func (s *HeaderMatch) UnmarshalYAML(unmarshal func(interface{}) error) error {
type plain HeaderMatch
if err := unmarshal((*plain)(s)); err != nil {
return err
}

if s.Header == "" {
return errors.New("header name must be set for HTTP header matchers")
}

if !s.AllowMissing && s.Regexp == "" {
return errors.New("regexp must be set for required HTTP headers")
}

return nil
}
4 changes: 4 additions & 0 deletions config/config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ func TestLoadBadConfigs(t *testing.T) {
ConfigFile: "testdata/invalid-dns-module.yml",
ExpectedError: "error parsing config file: query name must be set for DNS module",
},
{
ConfigFile: "testdata/invalid-http-header-match.yml",
ExpectedError: "error parsing config file: regexp must be set for required HTTP headers",
},
}
for i, test := range tests {
err := sc.ReloadConfig(test.ConfigFile)
Expand Down
11 changes: 11 additions & 0 deletions config/testdata/blackbox-good.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,3 +66,14 @@ modules:
ip_protocol_fallback: false
validate_answer_rrs:
fail_if_matches_regexp: [test]
http_header_match_origin:
prober: http
timeout: 5s
http:
method: GET
headers:
Origin: example.com
fail_if_header_not_matches_regexp:
- header: Access-Control-Allow-Origin
regexp: '(\*|example\.com)'
allow_missing: false
8 changes: 8 additions & 0 deletions config/testdata/invalid-http-header-match.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
modules:
http_headers:
prober: http
timeout: 5s
http:
fail_if_header_not_matches_regexp:
- header: Access-Control-Allow-Origin
allow_missing: false
64 changes: 64 additions & 0 deletions prober/http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,55 @@ func matchRegularExpressions(reader io.Reader, httpConfig config.HTTPProbe, logg
return true
}

func matchRegularExpressionsOnHeaders(header http.Header, httpConfig config.HTTPProbe, logger log.Logger) bool {
for _, headerMatchSpec := range httpConfig.FailIfHeaderMatchesRegexp {
val := header.Get(headerMatchSpec.Header)
if val == "" {
if !headerMatchSpec.AllowMissing {
level.Error(logger).Log("msg", "Missing required header", "header", headerMatchSpec.Header)
return false
} else {
continue // no need to match any regex on missing headers
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"No", and full stop

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed here and in the other place.

}
}

re, err := regexp.Compile(headerMatchSpec.Regexp)
if err != nil {
level.Error(logger).Log("msg", "Could not compile regular expression", "regexp", headerMatchSpec.Regexp, "err", err)
return false
}
if re.MatchString(val) {
level.Error(logger).Log("msg", "Header matched regular expression", "header", headerMatchSpec.Header,
"val", val, "regexp", headerMatchSpec.Regexp)
return false
}
}
for _, headerMatchSpec := range httpConfig.FailIfHeaderNotMatchesRegexp {
val := header.Get(headerMatchSpec.Header)
if val == "" {
if !headerMatchSpec.AllowMissing {
level.Error(logger).Log("msg", "Missing required header", "header", headerMatchSpec.Header)
return false
} else {
continue // no need to match any regex on missing headers
}
}

re, err := regexp.Compile(headerMatchSpec.Regexp)
if err != nil {
level.Error(logger).Log("msg", "Could not compile regular expression", "regexp", headerMatchSpec.Regexp, "err", err)
return false
}
if !re.MatchString(val) {
level.Error(logger).Log("msg", "Header did not match regular expression", "header", headerMatchSpec.Header,
"val", val, "regexp", headerMatchSpec.Regexp)
return false
}
}

return true
}

// roundTripTrace holds timings for a single HTTP roundtrip.
type roundTripTrace struct {
tls bool
Expand Down Expand Up @@ -173,6 +222,11 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
Help: "Indicates if probe failed due to regex",
})

probeFailedDueToHeaders = prometheus.NewGauge(prometheus.GaugeOpts{
Name: "probe_failed_due_to_headers",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probe_http_

falied_due_regex should already cover this

Copy link
Contributor Author

@gvsmirnov gvsmirnov Feb 18, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probe_http

Thee are several other labels that do not have the http: probe_ssl_earliest_cert_expiry and probe_failed_due_to_regex. Should they be changed, too? Or can I just ditch the newly introduced probe_failed_due_to_headers and keep the rest as is?

EDIT: formatting

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They should be changed, but at least the ssl one is commonly used for alerting so we need to be a little careful so not now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I will not touch the existing labels.

But I am not sure if representing the failed header matches with probe_failed_due_to_regex is the right way. It would be helpful if the user could see immediately from the metrics where the failure originated from. I do not see any drawbacks to this either (the extra disk usage would be negligible).

If you do insist, I can reuse probe_failed_due_to_regex. Do you insist?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest reusing, either that or have two more clearly named metrics.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, reused existing metric. Renaming existing ones would be a more dangerous breaking change indeed.

Help: "Indicates if probe failed due to headers",
})

probeHTTPLastModified = prometheus.NewGauge(prometheus.GaugeOpts{
Name: "probe_http_last_modified_timestamp_seconds",
Help: "Returns the Last-Modified HTTP response header in unixtime",
Expand All @@ -190,6 +244,7 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
registry.MustRegister(statusCodeGauge)
registry.MustRegister(probeHTTPVersionGauge)
registry.MustRegister(probeFailedDueToRegex)
registry.MustRegister(probeFailedDueToHeaders)

httpConfig := module.HTTP

Expand Down Expand Up @@ -320,6 +375,15 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
level.Info(logger).Log("msg", "Invalid HTTP response status code, wanted 2xx", "status_code", resp.StatusCode)
}

if success && (len(httpConfig.FailIfHeaderMatchesRegexp) > 0 || len(httpConfig.FailIfHeaderNotMatchesRegexp) > 0) {
success = matchRegularExpressionsOnHeaders(resp.Header, httpConfig, logger)
if success {
probeFailedDueToHeaders.Set(0)
} else {
probeFailedDueToHeaders.Set(1)
}
}

if success && (len(httpConfig.FailIfMatchesRegexp) > 0 || len(httpConfig.FailIfNotMatchesRegexp) > 0) {
success = matchRegularExpressions(resp.Body, httpConfig, logger)
if success {
Expand Down
43 changes: 43 additions & 0 deletions prober/http_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -406,6 +406,49 @@ func TestHTTPHeaders(t *testing.T) {
}
}

func TestHTTPHeaderMatching(t *testing.T) {
tests := []struct {
FailIfMatches bool // true means should fail if matches, false means should fail if does not match
Rule config.HeaderMatch
Value string
ShouldSucceed bool
}{
{true, config.HeaderMatch{"Content-Type", "text/javascript", false}, "text/javascript", false},
{true, config.HeaderMatch{"Content-Type", "text/javascript", false}, "application/octet-stream", true},
{true, config.HeaderMatch{"Content-Type", "text/javascript", false}, "", false},
{true, config.HeaderMatch{"Content-Type", "", true}, "", true},

{false, config.HeaderMatch{"Content-Type", "application/octet-stream", false}, "text/javascript", false},
{false, config.HeaderMatch{"Content-Type", "application/octet-stream", false}, "application/octet-stream", true},
{false, config.HeaderMatch{"Content-Type", "application/octet-stream", false}, "", false},
{false, config.HeaderMatch{"Content-Type", "", true}, "", true},
}
for i, test := range tests {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if test.Value != "" {
w.Header().Add(test.Rule.Header, test.Value)
}
}))
defer ts.Close()
registry := prometheus.NewRegistry()
testCTX, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

var httpProbe config.HTTPProbe

if test.FailIfMatches {
httpProbe = config.HTTPProbe{IPProtocolFallback: true, FailIfHeaderMatchesRegexp: []config.HeaderMatch{test.Rule}}
} else {
httpProbe = config.HTTPProbe{IPProtocolFallback: true, FailIfHeaderNotMatchesRegexp: []config.HeaderMatch{test.Rule}}
}

result := ProbeHTTP(testCTX, ts.URL, config.Module{Timeout: time.Second, HTTP: httpProbe}, registry, log.NewNopLogger())
if result != test.ShouldSucceed {
t.Fatalf("Test %d had unexpected result: succeeded: %t, expected: %+v", i, result, test)
}
}
}

func TestFailIfSelfSignedCA(t *testing.T) {
ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
}))
Expand Down