New feature: Checking HTTP codes

Author: cageyv

.github/workflows/base.yml

@@ -78,4 +78,5 @@ jobs:
           python3 ssl-check-to-slack.py
         env:
           HOOK_URL: "https://hooks.slack.com/services/XXXXXXX/XXXXXXX/XXXXXXXXXXXX"
-          HOSTNAMES: "fivexl.io"
+          HOSTNAMES: "fivexl.io"
+          HEALTH_CHECK_MATCHER: "200-399"

README.md

@@ -7,7 +7,7 @@ Simple SSL check and expiring certificates reminder with additional DNS check an
 ```hcl
 module "ssl_checker" {
   source         = "fivexl/ssl-checker/aws"
-  version        = "1.0.0"
+  version        = "1.0.1"
   hostnames      = ["fivexl.io", "google.com"]
   slack_hook_url = "https://hooks.slack.com/services/XXXXXXX/XXXXXXX/XXXXXXXXXXXX"
 }
@@ -32,6 +32,7 @@ module "ssl_checker" {
 | cloudwatch_logs_retention_in_days | Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `14` | no |
 | function_name | Lambda function name. | `string` | `"ssl-checker"` | no |
 | hostnames | The list of DNS names that should be monitored. e.g.: [\"example.com\"]. | `list(string)` | | yes |
+| health_check_matcher | The response HTTP codes to use when checking for a healthy responses from a hostnames. e.g.: \"200,201,202-399\". | `string` | `"200-399"` | no |
 | scan_commands | List of scan commands types witch will run against hostnames. Any type supported by [SSLyze](https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html). | `list(string)` | `["certificate_info", "robot", "tls_compression", "tls_fallback_scsv", "heartbleed","http_headers", "openssl_ccs_injection", "session_renegotiation", "tls_1_1_cipher_suites","tls_1_2_cipher_suites", "tls_1_3_cipher_suites"]` | no |
 | schedule_expression | The scheduling expression. How often check hostnames. For example, `cron(0/5 * * * ? *)` or `rate(5 minutes)`. | `string` | `"cron(0/5 * * * ? *)"` | no |
 | slack_hook_url | Slack incoming webhook URL. | `string` | | yes |
@@ -50,6 +51,7 @@ Configuration is done via env variables
 
 * `HOOK_URL` - Slack web hook URL where to send events. This is a mandatory parameter.
 * `HOSTNAMES` - Comma separated string with domain names. This is a mandatory parameter.
+* `HEALTH_CHECK_MATCHER` -  The response HTTP codes to use when checking for a healthy responses from a hostnames. You can specify multiple values (for example, "200,202" for HTTP(s)) or a range of values (for example, "200-299" or "0-99"). Default - `'200-399'`
 * `CERTIFICATE_EXPIRATION_NOTICE_DAYS` -  How many days before the expiration date of the certificate to send reminders. Default - `'7'`
 * `SCAN_COMMANDS` - Comma separated string with scan commands types witch will run against hostnames. Any type supported by SSLyze.
 

docker-compose.yml

@@ -7,4 +7,5 @@ services:
     environment:
       HOOK_URL: "https://hooks.slack.com/services/XXXXXXXXXXXXXXXXXXXXXXXXXX"
       HOSTNAMES: "fivexl.io"
+      HEALTH_CHECK_MATCHER: "200-399"
       CERTIFICATE_EXPIRATION_NOTICE_DAYS: "7"

main.tf

@@ -32,6 +32,7 @@ module "lambda" {
   environment_variables = {
     HOOK_URL                           = var.slack_hook_url
     HOSTNAMES                          = join(",", var.hostnames)
+    HEALTH_CHECK_MATCHER               = var.health_check_matcher
     CERTIFICATE_EXPIRATION_NOTICE_DAYS = var.certificate_expiration_notice_days
     SCAN_COMMANDS                      = join(",", var.scan_commands)
   }

ssl-check-to-slack.py

@@ -26,6 +26,26 @@ def read_env_variable_or_die(env_var_name):
     return value
 
 
+def get_response_status(hostname):
+    connection = http.client.HTTPSConnection(hostname)
+    connection.request("GET", "/")
+    response = connection.getresponse()
+    return response.status
+
+
+def split_matcher(matcher):
+    result = []
+    comma_list = matcher.split(',')
+    for item in comma_list:
+        dash_list = item.split('-')
+        if len(dash_list) == 1:
+            result.append(int(dash_list[0]))
+        else:
+            for element in list(range(int(dash_list[0]), int(dash_list[1]) + 1)):
+                result.append(element)
+    return set(result)
+
+
 # Slack web hook example
 # https://hooks.slack.com/services/XXXXXXX/XXXXXXX/XXXXXXXXXXXX
 def post_slack_message(hook_url, message):
@@ -72,6 +92,7 @@ def main(event, context):
     logger.info('Reading configuration...')
     slack_web_hook_url = read_env_variable_or_die('HOOK_URL')
     hostnames = read_env_variable_or_die('HOSTNAMES').split(',')
+    health_check_matcher = split_matcher(str(os.environ.get('HEALTH_CHECK_MATCHER', '200-399,201')))
     certificate_expiration_notice_days = int(os.environ.get('CERTIFICATE_EXPIRATION_NOTICE_DAYS', '7'))
     # https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html
     scan_commands = set(os.environ.get('SCAN_COMMANDS',
@@ -92,12 +113,17 @@ def main(event, context):
             try:
                 logger.debug(f'Connect: {hostname} - Testing...')
                 server_info = ServerConnectivityTester().perform(server_location)
+                response_status = get_response_status(hostname)
+                if response_status not in health_check_matcher:
+                    raise ConnectionToServerFailed(server_info.server_location, server_info.network_configuration,
+                                                   error_message=f'HTTP Error. Status code: {response_status}')
                 servers_to_scan.append(server_info)
                 logger.debug(f'Connect: {hostname} - OK')
             except ConnectionToServerFailed as e:
                 logger.error(f'Connect: {hostname} - ERROR: {e.error_message}')
                 message = f'URL is not available! Connect error: {e.error_message}'
-                post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{hostname}', message))
+                post_slack_message(slack_web_hook_url,
+                                   format_ssl_check_to_slack_message(f'https://{hostname}', message))
             except Exception as e:
                 logger.error(f'Connect: {hostname} - ERROR: {e}')
                 post_slack_message(slack_web_hook_url, format_error_to_slack_message(str(e)))
@@ -139,29 +165,36 @@ def main(event, context):
                     logger.error(f'TLS: {server_scan_result_hostname} - ERROR: Not valid before: {not_valid_before}. '
                                  f'Now is: {date_current}')
                     message = f'SSL certificate not valid before: {not_valid_before}. Now is: {date_current}'
-                    post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
+                    post_slack_message(slack_web_hook_url,
+                                       format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}',
+                                                                         message))
                 delta = not_valid_after - date_current
                 if delta.days <= certificate_expiration_notice_days:
                     logger.error(f'TLS: {server_scan_result_hostname} - ERROR: Expires in less than {delta.days} days')
                     message = f'SSL certificate expires in less than: {delta.days} days.'
-                    post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
+                    post_slack_message(slack_web_hook_url,
+                                       format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}',
+                                                                         message))
                 else:
                     logger.info(f'TLS: {server_scan_result_hostname} - OK: Valid for next {delta.days} days')
             if not any(subject_matches_hostname):
                 logger.error(f'TLS: {server_scan_result_hostname} - ERROR: No subject matches')
                 message = 'SSL certificate no subject matches.'
-                post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
+                post_slack_message(slack_web_hook_url,
+                                   format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
             if not all(chain_has_valid_order):
                 logger.error(f'TLS: {server_scan_result_hostname} - ERROR: Chain has no valid order')
                 message = 'SSL certificate chain has no valid order.'
-                post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
+                post_slack_message(slack_web_hook_url,
+                                   format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
         except KeyError:
             pass
         # Scan commands that were run with errors
         for scan_command, error in server_scan_result.scan_commands_errors.items():
             logger.error(f'{scan_command}: {server_scan_result_hostname} - ERROR: {error.exception_trace}')
             message = f'{scan_command} failed with error: {error.exception_trace}'
-            post_slack_message(slack_web_hook_url, format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
+            post_slack_message(slack_web_hook_url,
+                               format_ssl_check_to_slack_message(f'https://{server_scan_result_hostname}', message))
 
 
 if __name__ == '__main__':

variables.tf

@@ -21,6 +21,12 @@ variable "hostnames" {
   type        = list(string)
 }
 
+variable "health_check_matcher" {
+  description = "The response HTTP codes to use when checking for a healthy responses from a hostnames. e.g.: \"200,201,202-399\"."
+  type        = string
+  default     = "200-399"
+}
+
 # https://nabla-c0d3.github.io/sslyze/documentation/available-scan-commands.html
 variable "scan_commands" {
   description = "List of scan commands types witch will run against hostnames. Any type supported by SSLyze."