Age | Commit message | Author
2017-08-08 | Sanity-check DNS on a per-protocol basis. | Steve Kemp
When a failure occurs in looking up IPv4 addresses we confirm that, similarly when/if IPv6 lookups fail we confirm that before raising the alert.
2017-08-08 | Updated to move ignore-dns-failure code into routine. | Steve Kemp
That is then tested when resolve-errors are handled.
2017-08-08 | Added changelog entry for this abomination. | Steve Kemp
2017-08-08 | Ignore bogus DNS results. | Steve Kemp
We've had a problem for the past few weeks (?) where we see false DNS errors when making http/https requests with `curb`/`libcurl`.

To resolve these issues properly we're going to have to rewrite the code to avoid the current gem. However that is considerable work because of the hole we've backed ourselves into - wanting to test both IPv4 and IPv6 "properly". We'll have to duplicate that work if we use `net/http`, or even more so if we use `open3` and exec `curl -4|-6 ..`

For the moment this commit changes how things are handled to deal with the issue we see - which doesn't solve the problem but will mask it.

When custodian runs a test it will return a status-code:

* Custodian::TestResult::TEST_FAILED
  * The test failed, such that an alert should be raised.
* Custodian::TestResult::TEST_PASSED
  * The test succeeded, such that any previous alert should be cleared.
* Custodian::TestResult::TEST_SKIPPED
  * Nothing should be done.

As the failure we see is very very specific - an exception is thrown of the type `Curl::Err::HostResolutionError` - we can catch that and return `TEST_SKIPPED`. That means that there will be no (urgent) alert.

Obviously the potential risk of swallowing all DNS-failures is that a domain might expire and we'd never know. So we'll do a little better than merely skipping the test if there are DNS failures:

* If we see a DNS failure.
* Then we try to lookup the host as an A & AAAA record.
* If that succeeds we decide the issue was bogus.
* If that fails then the host legitimately doesn't resolve so we raise an alert.

To recap:

* If a host fails normally - bogus status-code, or missing text - we behave as we did in the past.
* Only in the case of a DNS-error from curb/curl do we go down this horrid path.
* Where we try to confirm the error, and swallow it if false.

This closes #13.
2017-07-13 | Merge branch 'only-alert-on-both-dns-errors' into 'master' | Steve Kemp
Alert in more detail on DNS failures.
See merge request !10
2017-07-13 | Alert in more detail on DNS failures. | Steve Kemp
2017-07-11 | Merge branch '13-log-dns-errors' into 'master' | James Hannah
Updated to log the exact DNS error.
See merge request !9
2017-07-11 | Updated to log the exact DNS error. [13-log-dns-errors] | Steve Kemp
This is part of #13.
2017-06-26 | Merge branch '12-reap-old-tests' into 'master' | James Carter
Resolve "The redis view of "known_tests" is often out-of-date"
Closes #12
See merge request !8
2017-06-26 | Document previous change. [12-reap-old-tests] | Steve Kemp
2017-06-26 | Added new cron.daily-task. | Steve Kemp
This will prune old tests from the `redis`-alerter - if that alerter isn't used this will be harmless.
2017-04-10 | Remove username/password prior to testing URL with curb. | Steve Kemp
2017-04-10 | Merge branch '10-support-http-basic-auth' into 'master' | James Hannah
Resolve "We should support HTTP-basic auth for HTTP-based status-checks."
Closes #10
See merge request !7
2017-04-10 | Use standard URL username/password holders. [10-support-http-basic-auth] | Steve Kemp
Rather than:
    with auth 'username:password'
We use:
    http://user:pass@example.com/
2017-03-28 | Added testcases for HTTP basic-auth. | Steve Kemp
2017-03-28 | Support HTTP BASIC-Authentication. | Steve Kemp
Supply this like so:
    http://example.com/ must run http with auth 'username:passw0rd' with status 200 otherwise 'failure'
2017-03-27 | Merge branch 'ssl-custom-expiry' into 'master' | James Hannah
Allow tests to specify the number of days before an expiring SSL certificate will generate a warning
See merge request !5
2017-03-27 | First stab at allowing custom SSL expiry days | James Hannah
2017-03-17 | Merge branch '9-ci-run-tests' into 'master' | Chris Elsworth
Resolve "gitlab-ci should run the test-cases."
Closes #9
See merge request !6
2017-03-17 | Style | Chris Elsworth
2017-03-17 | Skip DNS-tests under CI. | Steve Kemp
They fail.
2017-03-17 | Use the -ruby environment | Steve Kemp
2017-03-17 | Attempt to run the test-cases in the CI environment | Steve Kemp
2017-03-16 | Merge branch '7-allow-custom-prefixes' into 'master' | Jamie Nguyen
Resolve "Allow subject-lines to be prefixed with a custom string."
See merge request !4
2017-03-16 | Bump changelog | Steve Kemp
2017-03-16 | Use the subject-prefix if it is present. | Steve Kemp
2017-03-16 | Added helper for reading a custom-prefix. | Steve Kemp
This will allow classification (by human eyes) of raised-alerts.
2017-03-06 | Merge branch '6-move-to-gitlab-ci' into 'master' | James Carter
Move to gitlab-CI.
Closes #6
See merge request !3
2017-03-06 | Don't package for squeeze, silly! | Steve Kemp
2017-03-06 | Package for squeeze->stretch. | Steve Kemp
2017-03-06 | Move to gitlab-CI. | Steve Kemp
This closes #6.
2016-12-19 | New release [release-0.32] | Steve Kemp
2016-12-19 | Merge branch '4-show-host-port-when-timing-out' into 'master' | Patrick J Cherry
Show host/port when TCP timeout occurs.
This is a failure case which is not 100% clear.
This closes #4.
See merge request !2
2016-12-19 | Show host/port when TCP timeout occurs. | Steve Kemp
This is a failure case which is not 100% clear.
This closes #4.
2016-11-04 | New release [release-0.31] | Steve Kemp
2016-11-03 | Merge branch '3-send-sni-when-falling-back-to-openssl' into 'master' | James Hannah
Send the server-name-indicator (SNI) when falling back to legacy.
If ruby-based SSL negotiation fails then we fallback to invoking (horridly!) openssl directly. Until now this didn't send the SNI hostname to connect to, so it could only test the first/default SSL site that was listening upon a given IP address. This commit updates things such that we send the correct hostname, from the URL under-test.
Closes #3
See merge request !1
2016-11-03 | Send the server-name-indicator (SNI) when falling back to legacy. [3-send-sni-when-falling-back-to-openssl] | Steve Kemp
If ruby-based SSL negotiation fails then we fallback to invoking (horridly!) openssl directly. Until now this didn't send the SNI hostname to connect to, so it could only test the first/default SSL site that was listening upon a given IP address. This commit updates things such that we send the correct hostname, from the URL under-test.
2016-07-18 | New release [release-0.30] | Steve Kemp
2016-07-18 | Fallback to using `openssl` if we can't get certificates. | Steve Kemp
Since the ruby version available to wheezy doesn't support TLS 1.2 fetching the certificate from remote HTTPS servers will fail, if that is all that is available. If we hit that condition, and only that one, we'll fall back to invoking `openssl` natively.
This will allow us to monitor expiration-time for remote SSL certificates, but the downside is that we no longer receive the bundle that the remote server might send - so we cannot validate the signature chain.
This closes #2.
2016-07-18 | Remove outdated tests. | Steve Kemp
2016-07-13 | Update error message for validation-failu | Steve Kemp
2016-07-13 | Retry SSL checks on negotiation failure. [release-0.29] | Steve Kemp
This prevents an endless loop.
2016-04-22 | Updated to fix the last remaining rubocop warnings. | Steve Kemp
This involved silencing a few issues that were judged to be minor, and changing various whitespaces and function-calls. The most obvious example was changing this:
    assert(ret.kind_of? Array)
To this:
    assert(ret.kind_of?(Array))
2016-04-22 | More rubocop fixups. | Steve Kemp
These are again mostly based around whitespace-changes.
2016-04-22 | More rubocop fixes. | Steve Kemp
2016-04-22 | Fixed up more rubocop warnings. | Steve Kemp
Again these were whitespace-related.
2016-04-22 | More updates to silence rubocop style-guides. | Steve Kemp
These warnings were largely whitespace-based.
2016-04-22 | Updated for the most recent rubocop version. | Steve Kemp
This is fixes for 0.39.0
2016-04-22 | Updated to fix rubocop warnings. | Steve Kemp
2016-04-22 | Renamed the README file we include. | Steve Kemp