Use HTTP Proxy about ssl_exporter HOT 10 CLOSED

@fetep

from ssl_exporter.

Hi @kirkeide - the ssl_exporter operates at TCP level, so HTTP_PROXY and HTTPS_PROXY (or http_proxy and https_proxy) won't work. If you were to run a TCP proxy then you could probably use ALL_PROXY.

The switch from HTTP to TCP was a recent change in order to support non-http SSL endpoints (like ldaps://). I could add a flag, or an argument to /probe, to allow toggling between tcp and http but I'm kind of divided on whether that is a good idea or not. My initial preference is always to keep things as simple as possible.

That being said, http proxying is quite common and not always avoidable and it might be helpful to support it.

from ssl_exporter.

+1 for supporting it, but I do understand the desire to keep things simple.

from ssl_exporter.

Hi, @kirkeide. Sorry for the delay - life has been pretty hectic recently.

After some thought, I’ve decided to reinstate the http client, which will make proxying possible.

My favoured approach to this problem would be to use the target’s address to signal to the exporter what kind of connection to make to the target. I think this makes sense. If you’re using https:// in the URL, you would naturally expect that the connection is made over https.

What the exporter is doing now, converting that address to the format <target>:443 and making a tcp request, is actually somewhat dishonest and leads to exactly the kind of confusion in this ticket. If you’re using the format https://<domain> you would probably expect https proxying with HTTPS_PROXY to work, just like it would with curl.

In cases where a port and no scheme is given (localhost:443), I think we should continue to operate as a TCP client. If neither is given, I think it’s safe to default to what I imagine is overwhelmingly the most common case (https on port 443).

I’ve made an initial stab at this on this branch. It seems to work for me but could you test it in your environment?

from ssl_exporter.

Very cool. I agree with your approach and will test it as quickly as I can (but this may still take a few days to get done). Thanks!

from ssl_exporter.

I finally had some time to test this, but behind my work firewall I cannot easily pull down a functional go environment and needed dependencies. Can you create an artifact for linux_amd64 that I can test? Thanks!

from ssl_exporter.

@kirkeide Here you go: ssl_exporter-https-proxy.tar.gz

from ssl_exporter.

from ssl_exporter.

After endless delays, I'm happy to say initial testing is working great! I will post any oddities or errors as we encounter them.

Thanks again!

Kirk

from ssl_exporter.

Great! I've released the changes as v0.6.0. Thanks for the issue and your help in testing.

from ssl_exporter.