Alive check API/web endpoint?

Started by Patrick M. Hausen, September 05, 2024, 02:14:07 PM

September 05, 2024, 02:14:07 PM Last Edit: September 05, 2024, 04:47:20 PM by Patrick M. Hausen
Hi all,

I'd like to monitor all my OPNsense instances with Uptime Kuma. Just a binary "alive or not".

Since some are behind another NAT gateway, a simple ping would not be sufficient. I can poll the UI login and check for a string like "OPNsense" for example.

Question: is there anything even more lean and less of a burden on the firewall - like an API endpoint that returns a tiny bit of JSON even for not authenticated sessions?

Kind regards and thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

September 05, 2024, 05:02:48 PM #1 Last Edit: September 05, 2024, 05:35:26 PM by dirtyfreebooter
There is the /api/core/system/status API:

{
  "CrashReporter": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/crash_reporter.php",
    "timestamp": "0",
    "status": "OK"
  },
  "Firewall": {
    "statusCode": 2,
    "message": "No problems were detected.",
    "logLocation": "/ui/diagnostics/log/core/firewall",
    "timestamp": "0",
    "status": "OK"
  },
  "System": {
    "status": "OK"
  }
}


But I didn't see anything like a simple /health -> "OK". And of course this needs an API key to work.

But if all you need is a binary OK, you could consider just doing a HEAD on the login page and looking for HTTP status 200?

Good idea, thanks.

The UI answers HEAD with 403 - so thanks again, but I am sticking with GET for now.

I wrote this a long time ago

https://github.com/opnsense/core/blob/033402265e5822d5e7e6501b35423a86b75a4d50/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt#L266-L275

But it's certainly easier to poll an API endpoint these days also because of less overhead, just don't expect a reply when not logged in.


Cheers,
Franco

Another option would be with ZenArmor as a dedicated mgmt network, allow rules for https/ssh/ping on the interface - to avoid traversing the internet outside of an encrypted tunnel. If only because connection tampering is a thing...


https://blog.cloudflare.com/connection-tampering/