feat(haproxy-status)!: switch HTTP basic auth to URL-embedded credentials

BREAKING CHANGE: --username and --password were removed in favour of
HTTP basic auth embedded in the URL itself, e.g.

    --url=https://stats:s3cret@webserver:8443/server-status

The plugin strips the credentials from the netloc before the request
is sent and instead carries them in an "Authorization: Basic" header,
so they never reach the request line or any proxy access log. Both
flags stay registered in argparse with argparse.SUPPRESS so we can
detect legacy usage and exit UNKNOWN with a clear migration pointer
instead of letting parse_known_args silently swallow them and surface
a confusing 401 from the haproxy stats endpoint.

The base64-and-Authorization-header dance is now delegated to
lib.url.split_basic_auth(), the same helper php-fpm-status already
uses (newly hoisted from a local copy in php-fpm-status into lib.url
in linuxfabrik-lib 3.2.0). Bump the linuxfabrik-lib pin from 3.1.1
to 3.2.0 to pick that helper up.

Existing Icinga services that still pass --username / --password
through service templates need to migrate the URL field to include
the credentials and drop the username/password fields. The Icinga
Director basket needs a regen to drop the now-removed fields.

Two new unit tests cover the legacy-flag UNKNOWN guard.

Author: markuslf

CHANGELOG.md

@@ -16,7 +16,9 @@ Build, CI/CD:
 
 Monitoring Plugins:
 
+* haproxy-status: `--username` and `--password` were removed in favour of HTTP basic auth embedded in the URL itself, e.g. `--url=https://stats:s3cret@webserver:8443/server-status`. The plugin strips the credentials from the netloc before the request is sent and instead carries them in an `Authorization: Basic` header so they never reach the request line or any proxy access log. Existing Icinga services that still pass `--username` / `--password` will hard-UNKNOWN with a clear migration pointer; migrate the URL field to include the credentials and drop the username/password fields from the service template
 * mailq: the alerting semantic has flipped from "number of mails in the queue" to "age of the oldest mail in the queue". `--warning` and `--critical` now take a duration string with a unit suffix (`1h`, `3D`, `30m`, `72h`, ...) and the defaults are `1h` / `3D` (down from `2` / `250` mails). The rationale is that a queue with 100 fresh mails is still OK when they are delivered within minutes, while a single mail stuck for more than an hour is always interesting and is exactly when an admin wants to look. The mail count stays in perfdata (`mailq`) so Grafana trending keeps working, and the new `oldest_mail_age` perfdata metric carries the age in seconds. Existing Icinga services that set `mailq_warning=10` and `mailq_critical=500` need to be migrated to duration strings (e.g. `mailq_warning=1h`, `mailq_critical=3D`). Also adds `--mta=auto|postfix|exim|sendmail` to override MTA autodetection: Postfix is now read via `postqueue -j` (JSON with `arrival_time` as Unix epoch) for a rock-solid timestamp, Exim still uses `mailq` (= `exim -bp`) and its built-in age literals, and everything else falls back to `mailq` with `Date:` line parsing ([#781](https://github.com/Linuxfabrik/monitoring-plugins/issues/781))
+* php-fpm-status: multi-pool support plus full rework of the alerting and perfdata semantics. `--url` can now be specified multiple times to check several pools on the same host in a single plugin run; the overall state is the worst of all pools, and the summary line calls out which pool is in trouble. Basic authentication can be embedded in the URL as `http://user:password@host/pool-status`, with the credentials stripped from the request URL and sent via an `Authorization` header. All perfdata labels are now prefixed with the pool name (for example `nextcloud saturation` instead of `saturation`), including in the single-pool case, so existing Grafana panels and InfluxDB queries need to be updated; the bundled Grafana dashboard has been rewritten to use a `$pool` template variable that lets the admin switch between pools. The wrongly-named `queue usage` metric has been renamed to `saturation` and now correctly reports the percentage of busy worker processes (`active_processes / total_processes`) instead of the socket backlog fill rate, which was never "pool near capacity". The cumulative counters `accepted conn` and `slow requests` have been replaced by the computed `accepted conn rate` (requests per second since the previous run) and `slow requests delta` (new slow requests since the previous run), which follow the "no continuous counters" rule in CONTRIBUTING and make the `--warning-slowreq` / `--critical-slowreq` thresholds actually actionable again (previously they alerted permanently after the first historical slow request, until the next FPM restart). The `max children reached` metric and its implicit WARN have been removed and will return with delta-based semantics in a later release. A new `--severity warn|crit` parameter controls the state reported for pools that are unreachable or whose status JSON cannot be parsed; the default is `warn`. The `--lengthy` flag now correctly defaults to off (matching the project convention) and adds extended columns to both the pool overview table and the per-process table. The plugin uses a local SQLite cache (`linuxfabrik-monitoring-plugins-php-fpm-status.db`) to compute deltas between runs; the first run after install, and the first run after an FPM restart, report OK for the delta metrics with a `baseline captured, waiting for more data` note while the saturation metric is alerted normally. Unit tests now run against real PHP-FPM status JSON captured from four container platforms (UBI8 + PHP 7.2, UBI9 + PHP 8.0, Debian 12 + PHP 8.2, Ubuntu 24.04 + PHP 8.3)
 * procs: `--argument`, `--command` and `--username` now use regular expressions instead of substring/startswith matching. Existing filters like `--command=httpd` still work but now match anywhere in the name. Use `--command='^httpd'` for the previous startswith behavior, or `--username='^apache$'` for exact matches.
 
 
@@ -71,7 +73,7 @@ Assets:
 
 Build, CI/CD:
 
-* Bump pinned `linuxfabrik-lib` dependency from 3.0.0 to 3.1.1, picking up the new `run_mariadb()` / `MARIADB_LTS_IMAGES` container-test helpers, the `attach_each()` / `attach_tests()` unit-test helpers, the `disk.dir_exists()` directory check, and `human2seconds()` / `humanduration2seconds()` accepting the lowercase `d` / `w` day/week markers (which the mailq plugin needs to parse exim age literals)
+* Bump pinned `linuxfabrik-lib` dependency from 3.0.0 to 3.2.0, picking up the new `run_mariadb()` / `MARIADB_LTS_IMAGES` container-test helpers, the `attach_each()` / `attach_tests()` unit-test helpers, the `disk.dir_exists()` directory check, `human2seconds()` / `humanduration2seconds()` accepting the lowercase `d` / `w` day/week markers (which the mailq plugin needs to parse exim age literals), and the new `url.split_basic_auth(url)` helper that lets monitoring plugins accept HTTP basic auth via the URL itself instead of through separate `--username` / `--password` arguments (used by `php-fpm-status` and now `haproxy-status`)
 * Windows MSI still installs all plugins to ProgramFiles64Folder/ICINGA2/sbin/linuxfabrik, but does not depend on an Icinga2 agent any longer
 
 

check-plugins/haproxy-status/README.md

@@ -56,49 +56,51 @@ Monitors HAProxy performance and health via the stats endpoint. Reports frontend
 
 ```text
 usage: haproxy-status [-h] [-V] [--always-ok] [-c CRIT] [--ignore IGNORE]
-                      [--insecure] [--lengthy] [--no-proxy] [-p PASSWORD]
-                      [--test TEST] [--timeout TIMEOUT] [-u URL]
-                      [--username USERNAME] [-w WARN]
+                      [--insecure] [--lengthy] [--no-proxy] [--test TEST]
+                      [--timeout TIMEOUT] [-u URL] [-w WARN]
 
 Monitors HAProxy performance and health via the stats endpoint. Reports
 frontend and backend session usage, request rates, response times, error
 rates, and server states. Alerts when session usage exceeds the configured
 thresholds. Proxies, frontends, backends or individual servers can be filtered
 out with --ignore (e.g. an on-demand certbot backend that is only UP during
-cert renewal). Supports extended reporting via --lengthy.
+cert renewal). HTTP basic auth is supplied through the URL itself
+(`https://user:secret@host/server-status`); the credentials are stripped from
+the URL before the request is sent and instead carried in an `Authorization:
+Basic` header so they never reach the request line or any proxy access log.
+Supports extended reporting via --lengthy.
 
 options:
-  -h, --help            show this help message and exit
-  -V, --version         show program's version number and exit
-  --always-ok           Always returns OK.
-  -c, --critical CRIT   CRIT threshold in percent. Default: >= 95
-  --ignore IGNORE       Ignore proxies, frontends, backends or servers
-                        matching this Python regular expression on the
-                        combined `<proxy>/<svname>` identifier (where `svname`
-                        is `FRONTEND`, `BACKEND` or an individual server
-                        name). Case-sensitive by default; use `(?i)` for case-
-                        insensitive matching. Can be specified multiple times.
-                        Example: `--ignore="^certbot/"` to ignore everything
-                        under the certbot proxy. Example:
-                        `--ignore="(?i)^certbot/"` for a case-insensitive
-                        match. Default: None
-  --insecure            This option explicitly allows insecure SSL
-                        connections.
-  --lengthy             Extended reporting.
-  --no-proxy            Do not use a proxy.
-  -p, --password PASSWORD
-                        HAProxy stats auth password. Not needed for socket
-                        access.
-  --test TEST           For unit tests. Needs "path-to-stdout-file,path-to-
-                        stderr-file,expected-retc".
-  --timeout TIMEOUT     Network timeout in seconds. Default: 3 (seconds)
-  -u, --url URL         HAProxy stats URI. Accepts
-                        `unix:///path/to/haproxy.sock` or an HTTP(S) URL.
-                        Example: `--url https://webserver:8443/server-status`.
-                        Default: unix:///run/haproxy.sock
-  --username USERNAME   HAProxy stats auth username. Not needed for socket
-                        access. Default: haproxy-stats
-  -w, --warning WARN    WARN threshold in percent. Default: >= 80
+  -h, --help           show this help message and exit
+  -V, --version        show program's version number and exit
+  --always-ok          Always returns OK.
+  -c, --critical CRIT  CRIT threshold in percent. Default: >= 95
+  --ignore IGNORE      Ignore proxies, frontends, backends or servers matching
+                       this Python regular expression on the combined
+                       `<proxy>/<svname>` identifier (where `svname` is
+                       `FRONTEND`, `BACKEND` or an individual server name).
+                       Case-sensitive by default; use `(?i)` for case-
+                       insensitive matching. Can be specified multiple times.
+                       Example: `--ignore="^certbot/"` to ignore everything
+                       under the certbot proxy. Example:
+                       `--ignore="(?i)^certbot/"` for a case-insensitive
+                       match. Default: None
+  --insecure           This option explicitly allows insecure SSL connections.
+  --lengthy            Extended reporting.
+  --no-proxy           Do not use a proxy.
+  --test TEST          For unit tests. Needs "path-to-stdout-file,path-to-
+                       stderr-file,expected-retc".
+  --timeout TIMEOUT    Network timeout in seconds. Default: 3 (seconds)
+  -u, --url URL        HAProxy stats URI. Accepts
+                       `unix:///path/to/haproxy.sock` or an HTTP(S) URL. For
+                       HTTP basic auth, embed the credentials in the URL
+                       itself; the plugin strips them from the netloc before
+                       the request is sent and carries them in an
+                       `Authorization: Basic` header. Example: `--url
+                       https://webserver:8443/server-status`. Example: `--url
+                       https://stats:s3cret@webserver:8443/server-status`.
+                       Default: unix:///run/haproxy.sock
+  -w, --warning WARN   WARN threshold in percent. Default: >= 80
 ```
 
 

check-plugins/haproxy-status/haproxy-status

@@ -11,7 +11,6 @@
 """See the check's README for more details."""
 
 import argparse
-import base64
 import re
 import sys
 
@@ -25,21 +24,24 @@ import lib.url
 from lib.globals import STATE_OK, STATE_UNKNOWN, STATE_WARN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026041403'
+__version__ = '2026041407'
 
 DESCRIPTION = """Monitors HAProxy performance and health via the stats endpoint. Reports
 frontend and backend session usage, request rates, response times, error rates, and server
 states. Alerts when session usage exceeds the configured thresholds. Proxies, frontends,
 backends or individual servers can be filtered out with --ignore (e.g. an on-demand certbot
-backend that is only UP during cert renewal). Supports extended reporting via --lengthy."""
+backend that is only UP during cert renewal). HTTP basic auth is supplied through the URL
+itself (`https://user:secret@host/server-status`); the credentials are stripped from the
+URL before the request is sent and instead carried in an `Authorization: Basic` header so
+they never reach the request line or any proxy access log. Supports extended reporting
+via --lengthy."""
 
 DEFAULT_CRIT = 95  # %
 DEFAULT_INSECURE = False
 DEFAULT_LENGTHY = False
 DEFAULT_NO_PROXY = False
 DEFAULT_TIMEOUT = 3
 DEFAULT_URL = 'unix:///run/haproxy.sock'
-DEFAULT_USERNAME = 'haproxy-stats'
 DEFAULT_WARN = 80  # %
 
 GOOD_STATUSES = {'OPEN', 'UP', 'no check'}
@@ -113,10 +115,17 @@ def parse_args():
         default=DEFAULT_NO_PROXY,
     )
 
+    # `--password` and `--username` were removed in favour of HTTP basic
+    # auth embedded in the URL itself (e.g. `https://user:secret@host/`).
+    # The flags stay registered (with argparse.SUPPRESS so they do not
+    # show up in --help) so we can detect legacy usage in main() and
+    # exit UNKNOWN with a clear migration pointer; otherwise
+    # parser.parse_known_args() would silently swallow them and the
+    # plugin would run without credentials, surfacing as a 401.
     parser.add_argument(
         '-p',
         '--password',
-        help='HAProxy stats auth password. Not needed for socket access.',
+        help=argparse.SUPPRESS,
         dest='PASSWORD',
     )
 
@@ -140,19 +149,21 @@ def parse_args():
         '--url',
         help='HAProxy stats URI. '
         'Accepts `unix:///path/to/haproxy.sock` or an HTTP(S) URL. '
+        'For HTTP basic auth, embed the credentials in the URL itself; '
+        'the plugin strips them from the netloc before the request is '
+        'sent and carries them in an `Authorization: Basic` header. '
         'Example: `--url https://webserver:8443/server-status`. '
+        'Example: `--url https://stats:s3cret@webserver:8443/server-status`. '
         'Default: %(default)s',
         dest='URL',
         default=DEFAULT_URL,
     )
 
+    # See the comment on --password above.
     parser.add_argument(
         '--username',
-        help='HAProxy stats auth username. '
-        'Not needed for socket access. '
-        'Default: %(default)s',
+        help=argparse.SUPPRESS,
         dest='USERNAME',
-        default=DEFAULT_USERNAME,
     )
 
     parser.add_argument(
@@ -177,6 +188,21 @@ def main():
     except SystemExit:
         sys.exit(STATE_UNKNOWN)
 
+    # `--username` and `--password` were removed in favour of HTTP
+    # basic auth embedded in the URL itself. They are still
+    # registered (with argparse.SUPPRESS) so we can hard-UNKNOWN
+    # here with a clear migration pointer instead of letting
+    # parse_known_args silently swallow them and surface a 401 from
+    # the haproxy stats endpoint.
+    if args.USERNAME is not None or args.PASSWORD is not None:
+        lib.base.cu(
+            '--username and --password were removed. Embed the HTTP '
+            'basic auth credentials in the URL itself, e.g. '
+            '`--url=https://user:secret@host:8443/server-status`. The '
+            'plugin strips them from the netloc before the request is '
+            'sent and carries them in an Authorization: Basic header.'
+        )
+
     if args.IGNORE is None:
         args.IGNORE = []
 
@@ -199,15 +225,17 @@ def main():
             )
 
         if url.startswith('http'):
-            url += ';csv'
-            headers = {}
-            if args.USERNAME and args.PASSWORD:
-                auth = f'{args.USERNAME}:{args.PASSWORD}'
-                encoded_auth = lib.txt.to_text(base64.b64encode(lib.txt.to_bytes(auth)))
-                headers = {'Authorization': f'Basic {encoded_auth}'}
+            # Move any `user:secret@` userinfo from the URL into an
+            # Authorization: Basic header so the credentials never reach
+            # the request line or any proxy access log. Append the
+            # `;csv` query that the haproxy stats endpoint expects to
+            # the stripped URL afterwards so the userinfo split stays
+            # confined to lib.url.split_basic_auth().
+            stripped_url, headers = lib.url.split_basic_auth(url)
+            stripped_url += ';csv'
             result = lib.base.coe(
                 lib.url.fetch(
-                    url,
+                    stripped_url,
                     header=headers,
                     insecure=args.INSECURE,
                     no_proxy=args.NO_PROXY,

check-plugins/haproxy-status/unit-test/run

@@ -144,6 +144,32 @@ TESTS = [
         'assert-retc': STATE_UNKNOWN,
         'assert-in': ['Invalid regular expression'],
     },
+
+    # --username and --password were removed in favour of HTTP basic
+    # auth embedded in the URL itself. The flags stay registered with
+    # argparse.SUPPRESS so we can hard-UNKNOWN here with a clear
+    # migration pointer instead of letting parse_known_args silently
+    # swallow them and surface a 401 from the haproxy stats endpoint.
+    {
+        'id': 'unknown-legacy-username',
+        'test': 'stdout/all-backends-up,,0',
+        'params': '--username=stats',
+        'assert-retc': STATE_UNKNOWN,
+        'assert-in': [
+            '--username and --password were removed.',
+            'https://user:secret@host',
+        ],
+    },
+    {
+        'id': 'unknown-legacy-password',
+        'test': 'stdout/all-backends-up,,0',
+        'params': '--password=secret',
+        'assert-retc': STATE_UNKNOWN,
+        'assert-in': [
+            '--username and --password were removed.',
+            'https://user:secret@host',
+        ],
+    },
 ]
 
 

requirements.txt

@@ -273,9 +273,9 @@ keystoneauth1==5.11.1 \
     # via
     #   python-keystoneclient
     #   python-novaclient
-linuxfabrik-lib==3.1.1 \
-    --hash=sha256:b37049393fa5c21114e8dc001b00d4ec063b4c96564fb3c02f98dd474b0b2831 \
-    --hash=sha256:b935629e6090b6d258d6ac47ed5144127f2380a19d1d518cfb799e727b7c4c90
+linuxfabrik-lib==3.2.0 \
+    --hash=sha256:3e828c866cfd244f72a208d57dacab6af697c4e7f249a3ef65dd4fe3e0298215 \
+    --hash=sha256:8597164cf5ba08cfac9e6c92d4de525c8a1d3f9b5605e071b07d8da434726253
     # via -r requirements.in
 lxml==6.0.4 \
     --hash=sha256:0132bb040e9bb5a199302e12bf942741defbc52922a2a06ce9ff7be0d0046483 \

tox.ini

@@ -16,7 +16,7 @@ deps =
     # that use them only work through the sys.path.insert(0, '..')
     # shadow and break on any CI runner that does not have the lib
     # repo checked out side-by-side.
-    linuxfabrik-lib>=3.1.1
+    linuxfabrik-lib>=3.2.0
     lxml
     psutil
     python-keystoneclient