On 26.06.17 21:33, Stephane Bortzmeyer wrote:
> On Thu, Jun 22, 2017 at 10:02:32PM +0200,
>  Gerald Vogt <v...@spamcop.net> wrote
>  a message of 121 lines which said:
>
>> set the vhost and uri.
>
> And also enable SNI. Many HTTP servers these days do not serve the
> expected vhost without SNI:

Well, I don't know about "many" HTTP servers, but for Apache, SNI does
not change the vhost which is served. The vhost is defined by the Host:
header in the request.

SNI is used to serve the correct certificate while the TLS connection is
established. Without SNI you'll see the certificate of the default
connection but get served the contents of the virtual host from the
Host: header.

As check_http - at least in version 2.1.4 - does not check the name in
the certificate nor the chain of trust, SNI does not matter.

>   http_sni = true

The only difference here would be whether the server_name extension is
added to the client hello of check_http or not, but it should not change
what contents the server delivers.

>> This will connect to 1.2.3.4 on port 443 and do
>>
>>   GET /my/uri/to/test.html HTTP/1.1
>>   Host: www.example.com
>>
>> And should get you the same as
>>
>>   curl -v https://www.example.com/my/uri/to/test.html
>
> Nope, because curl does SNI by default.

While technically correct, in regard to check_http it is effectively the
same and saves you the trouble of the -k and -H options.

Thus, for the sake of argument, check_http does the equivalent of

  curl -v -k -H 'Host: www.example.com' https://1.2.3.4/my/uri/to/test.html

ignoring the name in the certificate served by the server...

-Gerald
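
Added example, not part of the original message and not check_http's own code: a Python sketch that shows, offline, that SNI only adds the server_name extension to the ClientHello while the vhost comes from the Host: header, plus a check that connects to a fixed IP and does verify the certificate name and chain. The function names client_hello, build_request and check_https are hypothetical; the host, IP and URI are the sample values used in the thread.

```python
import socket
import ssl


def client_hello(sni_name=None):
    """Build the ClientHello in memory (no network) and return its raw bytes."""
    ctx = ssl.create_default_context()
    if sni_name is None:
        ctx.check_hostname = False  # ssl refuses to omit SNI while name checks are on
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is queued, there is no server to answer
    return outgoing.read()


def build_request(hostname, uri):
    """The request from the thread: the vhost is selected by the Host: header."""
    return (f"GET {uri} HTTP/1.1\r\nHost: {hostname}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def check_https(ip, hostname, uri, port=443, timeout=10):
    """Connect to ip, send SNI and Host for hostname, verify chain and name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        # Raises ssl.SSLCertVerificationError on an untrusted chain or name mismatch.
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(build_request(hostname, uri))
            with tls.makefile("rb") as reply:
                return reply.readline().decode("latin-1").strip()


if __name__ == "__main__":
    name = "www.example.com"  # constructed sample values from the thread
    print("SNI in ClientHello with server_hostname:", name.encode() in client_hello(name))
    print("SNI in ClientHello without it:         ", name.encode() in client_hello(None))
    print(build_request(name, "/my/uri/to/test.html").decode())
```

check_https("1.2.3.4", "www.example.com", "/my/uri/to/test.html") returns the HTTP status line only if the certificate served for that SNI name validates, which is the part the thread says check_http 2.1.4 skips.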