FTMON Exchange

web · nagios

HTTPS availability and response time

Check a public HTTPS endpoint and retain connection and latency trends.

Why

check_http provides a mature HTTPS probe without making HTTP client behavior part of FTMON itself. FTMON adds the part a one-shot plugin cannot: confirmed incidents and local history for response, connection, TLS and first-byte time. That history helps distinguish a dead endpoint from a service that is still up but becoming progressively slower.

This recipe checks https://demo.ftmon.org/. Copy it and change both the registry hostname and monitor entity when protecting another endpoint.

Install

On Ubuntu 24.04, install the distribution package rather than copying the plugin into FTMON:

sudo apt update
sudo apt install monitoring-plugins

The executable used by this recipe is /usr/lib/nagios/plugins/check_http. Upstream documentation is at https://www.monitoring-plugins.org/doc/man/check_http.html.

Configure

Merge the [check.demo_ftmon_https] table from checks.toml.example into the administrator-owned check registry, then copy monitor.toml into the active monitor directory and set enabled = true.

The exact argument list uses --sni because name-based HTTPS servers can reject a handshake when the client omits the TLS server name. -E asks the plugin for phase-level performance data. The plugin warns after one second, becomes critical after three seconds and has its own eight-second timeout; FTMON's nine-second outer timeout exists to bound failures while normally allowing the plugin to report its own diagnosis.

The definition deliberately maps only time, time_connect, time_ssl, time_firstbyte and size. These observed labels have stable units in the verified output and answer useful operational questions. The response-time metric also feeds a two-hour growth Trend so gradual degradation is visible even before the plugin's absolute warning threshold is crossed.

Certificate-expiry checking is intentionally not combined with this recipe. With Monitoring Plugins 2.3.5, -C --continue-after-certificate prints the certificate result on one line and HTTP perfdata on the next. FTMON accepts only first-line Nagios output, so combining them would silently discard the timing metrics. Use a separate certificate check alias when expiry state is required.

Test

Run the exact command as the same unprivileged account that runs FTMON:

/usr/lib/nagios/plugins/check_http \
  -H demo.ftmon.org -S --sni -E -w 1 -c 3 -t 8
echo "$?"

Exit states are 0 OK, 1 warning, 2 critical and 3 unknown. The fixture suite checks representative OK, critical and unknown output offline; it does not make demo.ftmon.org availability a CI dependency.

Validate the installed configuration with:

ftmon check
ftmon doctor

Security and permissions

This check requires no elevated privileges. It makes an outbound HTTPS request and therefore discloses the source host's address and the requested hostname to the endpoint and normal network intermediaries. Do not put credentials in the argument list; use a separately protected mechanism supported by the plugin if an authenticated endpoint must be checked.

Upstream and licence

The plugin comes from the Monitoring Plugins project and is distributed under GPL-3.0-or-later with OpenSSL exception. FTMON does not redistribute it.

This recipe was exercised against demo.ftmon.org on 2026-07-12 using Monitoring Plugins 2.3.5 from Ubuntu package monitoring-plugins 2.3.5-1ubuntu3.

Registry example

[check.demo_ftmon_https]
# SNI is explicit because name-based TLS hosts can reject a handshake without it.
# Extended perfdata exposes phase timings so FTMON can retain useful history.
argv = [
  "/usr/lib/nagios/plugins/check_http",
  "-H", "demo.ftmon.org",
  "-S", "--sni", "-E",
  "-w", "1", "-c", "3", "-t", "8",
]
protocol = "nagios"
# Keep FTMON's deadline just beyond the plugin's own timeout so check_http can
# return its diagnostic before the outer process-group deadline intervenes.
timeout = "9s"

Monitor definition

schema = 1

[monitor]
name = "demo_ftmon_https"
description = "HTTPS availability and response-time history for demo.ftmon.org"
version = 1
enabled = false
platforms = ["linux"]
interval = "60s"
source = "external"

[source_options]
check = "demo_ftmon_https"
entity = "https://demo.ftmon.org/"

[[source_options.perfdata]]
label = "time"
metric = "response_time_s"
plugin_uom = "s"
unit = "seconds"
kind = "gauge"

[[source_options.perfdata]]
label = "time_connect"
metric = "connect_time_s"
plugin_uom = "s"
unit = "seconds"
kind = "gauge"

[[source_options.perfdata]]
label = "time_ssl"
metric = "tls_time_s"
plugin_uom = "s"
unit = "seconds"
kind = "gauge"

[[source_options.perfdata]]
label = "time_firstbyte"
metric = "first_byte_time_s"
plugin_uom = "s"
unit = "seconds"
kind = "gauge"

[[source_options.perfdata]]
label = "size"
metric = "response_size_bytes"
plugin_uom = "B"
unit = "bytes"
kind = "gauge"

[parameters]
latency_growth_sph = { value = 0.25, doc = "Response-time growth per hour before warning" }
growth_confidence_min = { value = 0.8, doc = "Required fraction of rising response-time samples" }

[[derived]]
name = "response_time_rate_sph"
expr = 'slope(response_time_s, "2h") * 3600'

[[derived]]
name = "response_time_growth_confidence"
expr = 'monot(response_time_s, "2h")'

[[rule]]
id = "plugin-warning"
group = "availability"
when = "plugin_state == 1"
severity = "warning"
confirm_cycles = 2
message = "{plugin_message}"

[[rule]]
id = "plugin-critical"
group = "availability"
when = "plugin_state == 2"
severity = "critical"
confirm_cycles = 2
message = "{plugin_message}"

[[rule]]
id = "plugin-unknown"
group = "check-health"
when = "plugin_state == 3"
severity = "warning"
confirm_cycles = 2
message = "HTTPS check is unknown: {plugin_message}"

[[rule]]
id = "latency-degrading"
group = "latency-growth"
when = "response_time_rate_sph > latency_growth_sph and response_time_growth_confidence >= growth_confidence_min"
severity = "warning"
confirm_cycles = 3
message = "HTTPS response time is steadily increasing"

[[trend]]
id = "response-time"
kind = "growth"
title = "HTTPS response-time trend"
value_metric = "response_time_s"
value_unit = "seconds"
rate_metric = "response_time_rate_sph"
rate_unit = "seconds/hour"
confidence_metric = "response_time_growth_confidence"
confidence_threshold_param = "growth_confidence_min"
rate_threshold_params = ["latency_growth_sph"]