feat(haproxy-status): add --ignore regex parameter for proxies, frontends, backends and servers

markuslf · markuslf · commit 89c2e4d7561b · 2026-04-14T10:36:35.000+02:00
Filters rows out of the HAProxy stats output by matching a Python regular expression against the combined `<proxy>/<svname>` identifier. The canonical use case is an on-demand certbot backend that is only UP during cert renewal and would otherwise flood the check with DOWN alerts. The regex is case-sensitive by default, matching the lib.args --match / --ignore-regex convention; admins can opt into case-insensitive matching with the inline `(?i)` flag. Can be specified multiple times so individual patterns stay self-contained both on the command line and in the Icinga Director basket (where the parameter is exposed as a DataTypeArray). Closes #835
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -35,6 +35,7 @@ Monitoring Plugins:
 * by-winrm: executes commands on remote Windows hosts by WinRM, supporting JEA (including the JEA endpoint via `--winrm-configuration-name`)
 * infomaniak-swiss-backup-devices: add `--ignore-customer`, `--ignore-name`, `--ignore-tag`, `--ignore-user` parameters to skip devices by regex
 * infomaniak-swiss-backup-products: add `--ignore-customer`, `--ignore-tag` parameters to skip products by regex
+* haproxy-status: add `--ignore` parameter to filter out proxies, frontends, backends or servers by regex on the combined `<proxy>/<svname>` identifier, e.g. to skip an on-demand certbot backend that is only UP during cert renewal ([#835](https://github.com/Linuxfabrik/monitoring-plugins/issues/835))
 * ipmi-sel: add `--ignore` parameter to filter out SEL entries by regex, e.g. auto-generated "Log area reset/cleared" entries after `ipmitool sel clear` ([#982](https://github.com/Linuxfabrik/monitoring-plugins/issues/982))
 * json-values: add `--token` and `--header` parameters for HTTP bearer-token and custom header authentication when fetching JSON from protected endpoints, add `--warning-key` / `--warning` and `--critical-key` / `--critical` to alert on a numeric value at a specific JSON key (with Nagios range syntax), and support dot-notation for nested keys in all `--*-key` parameters (e.g. `--state-key=meta.state`) ([#1005](https://github.com/Linuxfabrik/monitoring-plugins/issues/1005))
 * librenms-alerts: add device-type `management`
diff --git a/check-plugins/haproxy-status/README.md b/check-plugins/haproxy-status/README.md
@@ -55,21 +55,33 @@ Monitors HAProxy performance and health via the stats endpoint. Reports frontend
 ## Help
 
 ```text
-usage: haproxy-status [-h] [-V] [--always-ok] [-c CRIT] [--insecure]
-                      [--lengthy] [--no-proxy] [-p PASSWORD] [--test TEST]
-                      [--timeout TIMEOUT] [-u URL] [--username USERNAME]
-                      [-w WARN]
+usage: haproxy-status [-h] [-V] [--always-ok] [-c CRIT] [--ignore IGNORE]
+                      [--insecure] [--lengthy] [--no-proxy] [-p PASSWORD]
+                      [--test TEST] [--timeout TIMEOUT] [-u URL]
+                      [--username USERNAME] [-w WARN]
 
 Monitors HAProxy performance and health via the stats endpoint. Reports
 frontend and backend session usage, request rates, response times, error
 rates, and server states. Alerts when session usage exceeds the configured
-thresholds. Supports extended reporting via --lengthy.
+thresholds. Proxies, frontends, backends or individual servers can be filtered
+out with --ignore (e.g. an on-demand certbot backend that is only UP during
+cert renewal). Supports extended reporting via --lengthy.
 
 options:
   -h, --help            show this help message and exit
   -V, --version         show program's version number and exit
   --always-ok           Always returns OK.
   -c, --critical CRIT   CRIT threshold in percent. Default: >= 95
+  --ignore IGNORE       Ignore proxies, frontends, backends or servers
+                        matching this Python regular expression on the
+                        combined `<proxy>/<svname>` identifier (where `svname`
+                        is `FRONTEND`, `BACKEND` or an individual server
+                        name). Case-sensitive by default; use `(?i)` for case-
+                        insensitive matching. Can be specified multiple times.
+                        Example: `--ignore="^certbot/"` to ignore everything
+                        under the certbot proxy. Example:
+                        `--ignore="(?i)^certbot/"` for a case-insensitive
+                        match. Default: None
   --insecure            This option explicitly allows insecure SSL
                         connections.
   --lengthy             Extended reporting.
diff --git a/check-plugins/haproxy-status/haproxy-status b/check-plugins/haproxy-status/haproxy-status
@@ -12,6 +12,7 @@
 
 import argparse
 import base64
+import re
 import sys
 
 import lib.args
@@ -24,9 +25,13 @@ import lib.url
 from lib.globals import STATE_OK, STATE_UNKNOWN, STATE_WARN
 
 __author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
-__version__ = '2026041001'
+__version__ = '2026041403'
 
-DESCRIPTION = """Monitors HAProxy performance and health via the stats endpoint. Reports frontend and backend session usage, request rates, response times, error rates, and server states. Alerts when session usage exceeds the configured thresholds. Supports extended reporting via --lengthy."""
+DESCRIPTION = """Monitors HAProxy performance and health via the stats endpoint. Reports
+frontend and backend session usage, request rates, response times, error rates, and server
+states. Alerts when session usage exceeds the configured thresholds. Proxies, frontends,
+backends or individual servers can be filtered out with --ignore (e.g. an on-demand certbot
+backend that is only UP during cert renewal). Supports extended reporting via --lengthy."""
 
 DEFAULT_CRIT = 95  # %
 DEFAULT_INSECURE = False
@@ -68,6 +73,22 @@ def parse_args():
         default=DEFAULT_CRIT,
     )
 
+    parser.add_argument(
+        '--ignore',
+        help='Ignore proxies, frontends, backends or servers matching this '
+        'Python regular expression on the combined `<proxy>/<svname>` '
+        'identifier (where `svname` is `FRONTEND`, `BACKEND` or an individual '
+        'server name). Case-sensitive by default; use `(?i)` for '
+        'case-insensitive matching. '
+        'Can be specified multiple times. '
+        'Example: `--ignore="^certbot/"` to ignore everything under the certbot proxy. '
+        'Example: `--ignore="(?i)^certbot/"` for a case-insensitive match. '
+        'Default: %(default)s',
+        dest='IGNORE',
+        action='append',
+        default=None,
+    )
+
     parser.add_argument(
         '--insecure',
         help=lib.args.help('--insecure'),
@@ -156,6 +177,17 @@ def main():
     except SystemExit:
         sys.exit(STATE_UNKNOWN)
 
+    if args.IGNORE is None:
+        args.IGNORE = []
+
+    # compile ignore patterns (case-sensitive by default, matching the
+    # lib.args convention for --match / --ignore-regex; the user can
+    # opt into case-insensitive matching with the inline `(?i)` flag).
+    try:
+        ignore_patterns = [re.compile(p) for p in args.IGNORE]
+    except re.error as e:
+        lib.base.cu(f'Invalid regular expression: {e}')
+
     # fetch data
     result = ''
     if args.TEST is None:
@@ -272,6 +304,14 @@ def main():
         except (ValueError, IndexError):
             lib.base.cu('Malformed HAProxy status info.')
 
+        # Skip rows matched by --ignore. The combined `<pxname>/<svname>`
+        # identifier is unique per row and lets the user target a whole
+        # proxy (`^certbot/`), every backend aggregate (`/BACKEND$`) or
+        # a specific server in a specific proxy (`^web/server-02$`).
+        ignore_key = f'{ha_pxname}/{ha_svname}'
+        if any(pattern.search(ignore_key) for pattern in ignore_patterns):
+            continue
+
         # Status check
         status_state = STATE_OK
         if ha_status not in GOOD_STATUSES:
diff --git a/check-plugins/haproxy-status/icingaweb2-module-director/haproxy-status.json b/check-plugins/haproxy-status/icingaweb2-module-director/haproxy-status.json
@@ -8,6 +8,10 @@
                 "--critical": {
                     "value": "$haproxy_status_critical$"
                 },
+                "--ignore": {
+                    "value": "$haproxy_status_ignore$",
+                    "repeat_key": true
+                },
                 "--insecure": {
                     "set_if": "$haproxy_status_insecure$"
                 },
@@ -85,6 +89,11 @@
                     "datafield_id": 10,
                     "is_required": "n",
                     "var_filter": null
+                },
+                {
+                    "datafield_id": 11,
+                    "is_required": "n",
+                    "var_filter": null
                 }
             ],
             "imports": [],
@@ -141,6 +150,7 @@
                 "criticality": "C",
                 "haproxy_status_always_ok": false,
                 "haproxy_status_critical": 95,
+                "haproxy_status_ignore": [],
                 "haproxy_status_insecure": false,
                 "haproxy_status_lengthy": false,
                 "haproxy_status_no_proxy": false,
@@ -256,6 +266,17 @@
                 "visibility": "visible"
             },
             "uuid": "56b69da6-81a7-43cc-b0bb-43670f84f4dd"
+        },
+        "11": {
+            "varname": "haproxy_status_ignore",
+            "caption": "HAProxy Status: Ignore",
+            "description": "Ignore proxies, frontends, backends or servers matching this Python regular expression (case-insensitive) on the combined `<proxy>/<svname>` identifier. Can be specified multiple times.",
+            "datatype": "Icinga\\Module\\Director\\DataType\\DataTypeArray",
+            "format": null,
+            "settings": {
+                "visibility": "visible"
+            },
+            "uuid": "2392ebdf-b033-47a1-9dcc-ae94f72db5a4"
         }
     }
 }
diff --git a/check-plugins/haproxy-status/unit-test/run b/check-plugins/haproxy-status/unit-test/run
@@ -91,6 +91,59 @@ TESTS = [
             'Proxy name',
         ],
     },
+
+    # #835: without --ignore, an on-demand certbot backend in MAINT/DOWN
+    # produces a WARN; --ignore='^certbot/' filters the whole proxy and
+    # the check comes back OK while still reporting the rest of the
+    # HAProxy topology. The regex is case-sensitive by default (matching
+    # the lib.args --match / --ignore-regex convention), so
+    # --ignore='^CERTBOT/' does NOT match; the user opts into
+    # case-insensitive matching with the inline `(?i)` flag.
+    {
+        'id': 'warn-certbot-backend-down',
+        'test': 'stdout/certbot-backend-down,,0',
+        'assert-retc': STATE_WARN,
+        'assert-in': [
+            'certbot certbot_challenge: MAINT',
+            'certbot BACKEND: DOWN',
+        ],
+    },
+    {
+        'id': 'ok-certbot-ignored',
+        'test': 'stdout/certbot-backend-down,,0',
+        'params': "--ignore='^certbot/'",
+        'assert-retc': STATE_OK,
+        'assert-in': ['Everything is ok.', 'web', 'FRONTEND'],
+        'assert-not-in': ['certbot'],
+    },
+    {
+        'id': 'warn-certbot-default-case-sensitive',
+        'test': 'stdout/certbot-backend-down,,0',
+        # Uppercase pattern must NOT match lowercase certbot: the regex
+        # default is case-sensitive, so this ignore is a no-op and the
+        # certbot proxy still triggers a WARN.
+        'params': "--ignore='^CERTBOT/'",
+        'assert-retc': STATE_WARN,
+        'assert-in': ['certbot BACKEND: DOWN'],
+    },
+    {
+        'id': 'ok-certbot-ignored-case-insensitive-opt-in',
+        'test': 'stdout/certbot-backend-down,,0',
+        # Opt into case-insensitive matching with the inline `(?i)`
+        # flag, which is the lib.args convention for --match /
+        # --ignore-regex parameters.
+        'params': "--ignore='(?i)^certbot/'",
+        'assert-retc': STATE_OK,
+        'assert-in': ['Everything is ok.'],
+        'assert-not-in': ['certbot certbot_challenge: MAINT'],
+    },
+    {
+        'id': 'unknown-ignore-invalid-regex',
+        'test': 'stdout/certbot-backend-down,,0',
+        'params': "--ignore='('",
+        'assert-retc': STATE_UNKNOWN,
+        'assert-in': ['Invalid regular expression'],
+    },
 ]
 
 
diff --git a/check-plugins/haproxy-status/unit-test/stdout/certbot-backend-down b/check-plugins/haproxy-status/unit-test/stdout/certbot-backend-down
@@ -0,0 +1,6 @@
+# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,qlimit,pid,iid,sid,throttle,lbtot,tracked,type,rate,rate_lim,rate_max,check_status,check_code,check_duration,hrsp_1xx,hrsp_2xx,hrsp_3xx,hrsp_4xx,hrsp_5xx,hrsp_other,hanafail,req_rate,req_rate_max,req_tot,cli_abrt,srv_abrt,comp_in,comp_out,comp_byp,comp_rsp,lastsess,last_chk,last_agt,qtime,ctime,rtime,ttime,
+web,FRONTEND,,,12,50,3000,4321,1234567,7654321,0,0,0,,,,,OPEN,,,,,,,,,1,1,0,,,,0,0,0,10,,,,0,4000,0,0,0,0,,1,20,4321,,,0,0,0,0,,,,,,,,
+web,srv01,0,0,0,1,,4321,1234567,7654321,,0,,0,0,0,0,UP,1,1,0,0,0,100,0,,1,1,1,,4321,,2,0,,10,L4OK,,0,0,4000,0,0,0,0,0,,,,0,0,,,,,10,,,0,1,5,50,
+web,BACKEND,0,0,0,1,300,4321,1234567,7654321,0,0,,0,0,0,0,UP,1,1,0,,0,100,0,,1,1,0,,4321,,1,0,,10,,,,0,4000,0,0,0,0,,,,,0,0,0,0,0,0,10,,,0,1,5,50,
+certbot,certbot_challenge,0,0,0,0,,0,0,0,,0,,0,0,0,0,MAINT,1,1,0,0,1,100,1,,1,2,1,,0,,2,0,,0,L4OK,,1,,,,,,,,,,0,0,,,,,-1,,,0,0,0,0,
+certbot,BACKEND,0,0,0,0,300,0,0,0,0,0,,0,0,0,0,DOWN,1,1,0,,1,100,1,,1,2,0,,0,,1,0,,0,,,,,,,,,,,,,,0,0,0,0,0,0,-1,,,0,0,0,0,
