Forum Discussion
Ricardo_77091
Nimbostratus
17 years ago
HTTP Monitor that follows redirects
We are trying to configure an HTTP monitor to monitor a .NET application and mark the member as down if it does not receive the response it expects. The problem is that the first response is a 401 Unauthorized. By putting 401 Unauthorized in the receive string we can cover the service being down, website stopped, or application pool unavailable. However, it does not cover us for when we receive 500 server errors as they are returned after the 401 Unauthorized.
Does anyone have a suggestion as to how we can do this using a simple HTTP monitor, or if necessary, an iRule/ECV?
27 Replies
- hoolio
Cirrostratus
Will the application accept basic authentication? Or does it only use NTLM? If the former, you could include an auth header in the monitor send string. The header name is Authorization and the value should be a base64 encoded user:pass. The send string would be something like:
GET /monitor_page.asp HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\nHost: \r\nConnection: close\r\n
If it's NTLM you couldn't use a standard HTTP monitor to authenticate against the application as it requires multiple dynamic HTTP requests to perform the authentication. I think curl supports NTLM auth though, so you could potentially write an external monitor which references curl to do this.
Aaron
- hoolio
Cirrostratus
Here is an example for using curl and NTLM if you do need to use an external monitor:
curl --ntlm -k -v -u 'DOMAIN\user:pass' https://www.example.com/login.asp
Aaron
- Ricardo_77091
Nimbostratus
Thanks Hoolio, we've tried using your suggestion in conjunction with one of the template scripts we found in DevCentral (see below) but we are still unable to get it to work, i.e. when doing a tcpdump we can see the packets hitting the destination pool member but we keep getting a 401 Unauthorized response. When running the same curl command, with the same logon credentials, locally on the desktop as a test, we get successful communication, i.e. curl follows the redirects correctly and eventually receives a 200 OK.
We placed the script in the /usr/bin/monitors folder and referenced it in the monitor template via the GUI, specifying the variables "URI = /" and "RECV = HTTP/1.1 200".
Using this as the only monitor for the pool, the two members are shown as marked down. Anyone have any ideas?
# remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
IP=`echo ${1} | sed 's/::ffff://'`
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid"
# kill off the last instance of this monitor if hung and log current pid
if [ -f $PIDFILE ]
then
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# send request & check for expected response
curl -L -b cookie.txt -c cookie.txt --ntlm -k -v -u domain\username:password http://${IP}:${PORT}${URI} | grep -i "${RECV}" 2>&1 > /dev/null
# mark node UP if expected response was received
if [ $? -eq 0 ]
then
    echo "UP"
fi
rm -f $PIDFILE
exit
- hoolio
Cirrostratus
What do you see if you call the shell script manually using valid parameters for the script?
Aaron
- STP_88362
Nimbostratus
I'm having a similar problem with an external monitor using the script and NTLM. From an SSH login to the LTM I'm able to input my command and watch the "200 OK" response come up after the initial "401 Unauthorized" happens -- the LTM just tries a second time and is successful.
My command is like this:
curl --ntlm -k -v -u 'MYDOMAIN\USER:' http://SERVER-FQDN/pages/default.aspx -H "Host: SERVER"
I had to put the "--ntlm" as just "-ntlm" would keep trying to send the authentication in basic instead.
When I used the script, I modified the "HTTP Monitor cURL GET With Host Specific Headers" script with the IP and host name in my situation, and subbed in the curl NTLM command but left the grep portion as written. I added the URI portion and RECV portion to the monitor via the GUI. As soon as I have the RECV portion filled in, the node is marked as down. I end up with the same result no matter if I use the IP of the site or the FQDN.
I feel like I'm close to having things work, but would love any input! This is my first stab at an external monitor with NTLM, so it's been a learning experience.
Thanks much --
Sam
- STP_88362
Nimbostratus
Just a quick update - I ran the external script from an SSH session at the LTM and ran it with the "sh -x" command in front. I was better able to see the output.
Although I initially receive a 401 Unauthorized, there is a second attempt which uses the same NTLM credentials and then results in a 200 OK. My grep search string was for "200 OK" and even though I clearly saw it in the output, the result was that it wasn't seen and thus marked the node down. I changed the grep search string to a few other items expected on the page itself and ended up with the correct UP response.
Trial and error to say the least!
- STP_88362
Nimbostratus
I ended up speaking too soon about the success of the external monitor. My LTM runs the script from the SSH console w/out a problem at all. When it's applied against the pool via the LTM GUI, the node in the pool is immediately marked down. I opened a case w/ F5 support and also grabbed two packet captures: one from the LTM when I run the script via the SSH console (I see all the HTTP traffic generated by the script), and a second from the LTM when the monitor is applied to the pool (which shows no HTTP traffic at all). Perhaps the script isn't running when applied as an external monitor, though I am 100% certain that I've typed the script name correctly.
It's extremely perplexing! Hopefully an answer pops up soon that I can share with everyone.
- STP_88362
Nimbostratus
Update for anyone interested --
The issue was that I'd removed the "#!/bin/sh" command at the top of the script (although it took two F5 support engineers to find that). This has been my first foray into creating external monitors and I'm not well-versed with the command syntax yet.
- hoolio
Cirrostratus
Hi, could you post the final result for your external monitor using curl for an NTLM pool?
Thanks,
Aaron
- STP_88362
Nimbostratus
Posted By hoolio on 07/13/2009 6:54 AM
Hi, could you post the final result for your external monitor using curl for an NTLM pool?
Thanks,
Aaron
Aaron, here is one of the successful cURL commands against NTLM pools that I have gotten up and running ... (this is on a 9.3.1 setup)
This is used for SharePoint. The grep command would NOT give me a successful response if I queried for specific HTTP responses (i.e. "200 OK") so I had to look for text on the page being requested. It also follows the redirects, as the first time the monitor runs it receives a "401 Unauthorized" which I'm assuming equates to the login box popping up if viewed over a browser. The script tries a login a second time, which is accepted and then looks for the text specified. If you run it from the SSH console you'll see the entire process.
#!/bin/sh
# remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
IP=`echo ${1} | sed 's/::ffff://'`
IP=${1}
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid"
# kill off the last instance of this monitor if hung and log current pid
if [ -f $PIDFILE ]
then
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# send request & check for expected response
curl -L --ntlm -k -v --user 'username@domain.org:password' http://${IP}:${PORT}/Pages/Default.aspx -H "Host: host.domain.org" | grep -i "Desired text on requested page" > /dev/null 2>&1
# mark node UP if expected response was received
if [ $? -eq 0 ]
then
    echo "UP"
fi
rm -f $PIDFILE
exit
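Added example, not part of any post in this thread: `curl -v` writes its status lines to stderr and only the page body to stdout, so a grep on the pipe never sees "200 OK" but does see text from the page; the last two functions check the final status code instead. `fake_curl_v`, the `verdict_*` and `final_status` helpers, `HOST_HEADER`, `CURL_CFG` and the config-file path are assumptions, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical and the
# sample responses are constructed.

# Stand-in for `curl -v -L --ntlm ...`: curl writes the body to stdout and the
# verbose trace (including the "< HTTP/1.1 ..." status lines) to stderr.
fake_curl_v() {
    echo "< HTTP/1.1 401 Unauthorized" >&2
    echo "< HTTP/1.1 200 OK" >&2
    echo "<html><body>Desired text on requested page</body></html>"
}

# Pipeline shape used in the thread: only stdout reaches grep.
# (2>/dev/null just keeps the demo quiet; the trace never enters the pipe.)
verdict_stdout_only() {
    if fake_curl_v 2>/dev/null | grep -qi "$1"; then echo "UP"; fi
}

# Same pipeline with stderr merged into stdout before the pipe.
verdict_merged() {
    if fake_curl_v 2>&1 | grep -qi "$1"; then echo "UP"; fi
}

# Status-based check for a real monitor. -w '%{http_code}' prints the status of
# the last response (after -L redirects and the NTLM round trips); -s and
# -o /dev/null leave that code as the only thing on stdout.
# $1 = URL, $2 = Host header, $3 = curl config file with the `user = "..."` line
final_status() {
    curl -s -L --ntlm --max-time 10 -o /dev/null -w '%{http_code}' \
         -K "$3" -H "Host: $2" "$1"
}

# The monitor treats any output on stdout as UP, so print only on success.
verdict_status() {
    if [ "$1" = "200" ]; then echo "UP"; fi
}

# Runs only when called as a monitor with <ip> <port>. URI is the monitor
# variable from the thread; HOST_HEADER and CURL_CFG are assumed variables.
if [ $# -ge 2 ]; then
    IP=$(echo "$1" | sed 's/::ffff://')
    CODE=$(final_status "http://${IP}:${2}${URI:-/}" "${HOST_HEADER:-$IP}" \
                        "${CURL_CFG:-/path/to/ntlm.curlrc}")
    verdict_status "$CODE"
fi
```

Reading the credentials from a file with `-K` keeps them out of the script's command line.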