Hi all,
I'd like to monitor all my OPNsense instances with Uptime Kuma. Just a binary "alive or not".
Since some are behind another NAT gateway, a simple ping would not be sufficient. I can poll the UI login and check for a string like "OPNsense" for example.
Question: is there anything even more lean and less of a burden on the firewall - like an API endpoint that returns a tiny bit of JSON even for not authenticated sessions?
Kind regards and thanks,
Patrick
There is the /api/core/system/status API:
{
  "CrashReporter": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/crash_reporter.php",
    "timestamp": "0",
    "status": "OK"
  },
  "Firewall": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/ui/diagnostics/log/core/firewall",
    "timestamp": "0",
    "status": "OK"
  },
  "System": {
    "status": "OK"
  }
}
But I didn't see anything like just a simple /health -> "OK". And of course this needs an API key to work.
But if all you need is a binary OK, you could consider just doing a HEAD on the login page and looking for HTTP status 200?
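As an added example that is not part of the original post, here is one way to turn the /api/core/system/status reply quoted above into a binary alive/not-alive result. It assumes HTTP Basic authentication with the API key as user name and the API secret as password; the function names and the host name in the comments are hypothetical.

```python
import base64
import http.client
import json
import ssl
import urllib.request

# Sample input: the response quoted in the post, shortened to the fields used here.
SAMPLE_BODY = """{
  "CrashReporter": {"statusCode": 2, "message": "No problems were detected.", "status": "OK"},
  "Firewall": {"statusCode": 2, "message": "No problems were detected.", "status": "OK"},
  "System": {"status": "OK"}
}"""

def is_healthy(body):
    """True only if body is a non-empty JSON object whose every entry has status OK."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False  # e.g. an HTML login page instead of JSON
    if not isinstance(doc, dict) or not doc:
        return False
    return all(isinstance(v, dict) and v.get("status") == "OK" for v in doc.values())

def build_request(base_url, key, secret):
    """Build the authenticated GET; refuse to send the key over plain HTTP."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send API credentials over plain HTTP")
    # Assumption: Basic auth, key as user name and secret as password.
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/core/system/status")
    req.add_header("Authorization", "Basic " + token)
    return req

def check(base_url, key, secret, timeout=5.0):
    """Poll one firewall, e.g. check("https://fw1.example.net", key, secret)."""
    ctx = ssl.create_default_context()  # keeps certificate and host name checks on
    try:
        req = build_request(base_url, key, secret)
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and is_healthy(resp.read().decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException):
        return False  # timeout, TLS failure, 401/403, connection reset

if __name__ == "__main__":
    print("healthy" if is_healthy(SAMPLE_BODY) else "unhealthy")
```

Give the key to a dedicated monitoring user whose privileges are limited to this status page, so a leaked monitor configuration does not expose firewall administration.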
Good idea, thanks.
The UI answers HEAD with 403 - so thanks again, but I am sticking with GET for now.
I wrote this a long time ago
https://github.com/opnsense/core/blob/033402265e5822d5e7e6501b35423a86b75a4d50/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt#L266-L275
But it's certainly easier to poll an API endpoint these days also because of less overhead, just don't expect a reply when not logged in.
Cheers,
Franco
Another option would be with ZenArmor as a dedicated mgmt network, allow rules for https/ssh/ping on the interface - to avoid traversing the internet outside of an encrypted tunnel. If only because connection tampering is a thing...
https://blog.cloudflare.com/connection-tampering/