Allowed Hosts 403 Your not allowed

(Shaun) #1

I have an NSClient++ Agent that appears not to allow external connections to access resources in the REST API. I’ve at

Performing this locally works.

I also found a workaround for external machines by configuring the nsclient.ini parameter with /0, allowing all addresses:

allowed hosts = Server-IP/0

The Agent (v05.3.4) is deployed on a Windows 10 machine sitting on an enterprise network. The requesting client is an external server sitting on a separate subnet. The HTTP request is being accepted, but the connection is closed with a 403 and the output is “403 Your not allowed”.

See the current nsclient.ini:

```ini
# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]

; Undocumented key
password = icinga

; Undocumented key
allowed hosts = Server-IP, 127.0.0.1

; in flight - TODO
[/modules]

; Undocumented key
CheckExternalScripts = disabled

; Undocumented key
CheckHelpers = disabled

; Undocumented key
CheckEventLog = disabled

; Undocumented key
CheckNSCP = disabled

; Undocumented key
CheckDisk = enabled

; Undocumented key
CheckSystem = enabled

; Undocumented key
WEBServer = enabled

[/settings/WEB/server]

; ALLOWED HOSTS - A commaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.
allowed hosts = Server-IP, 127.0.0.1

; PORT NUMBER - Port to use for WEB server.
port = 8443s

; CERTIFICATE - Ssl certificate to use for the ssl server
certificate = ${certificate-path}/certificate.pem

password: icinga

[/settings/log]

file name = nsclient.log

level = debug

[/settings/WEB/server/roles]

admin = *
```

See curl output:

```
$ curl -vv -k -u admin:icinga --max-time 3 -H "Content-type: application/json" https://NSCLIENT:8443/query/check_cpu
* About to connect() to proxy web-cache port 8080 (#0)
*   Trying proxy web-cache... connected
* Connected to web-cache (proxy web-cache) port 8080 (#0)
* Establish HTTP proxy tunnel to NSCLIENT:8443
* Server auth using Basic with user 'admin'
> CONNECT NSCLIENT:8443 HTTP/1.1
> Host: NSCLIENT:8443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
> Content-type: application/json
>
< HTTP/1.1 200 Connection established
< Date: Tue, 02 Apr 2019 00:45:27 GMT
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=localhost
*       start date: Apr 02 00:45:17 2019 GMT
*       expire date: Apr 01 00:45:17 2020 GMT
*       common name: localhost
*       issuer: CN=localhost
* Server auth using Basic with user 'admin'
> GET /query/check_cpu HTTP/1.1
> Authorization: Basic —
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: NSCLIENT:8443
> Accept: */*
> Content-type: application/json
>
< HTTP/1.1 403
< Content-Length: 22
<
* Connection #0 to host web-cache left intact
* Closing connection #0
```
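The post's own evidence points at the source-address filter rather than at authentication: a failed password would be a 401, while "403 Your not allowed" is what the agent returns when the connecting address is not in `allowed hosts`, and the curl trace shows the request being tunnelled through an HTTP proxy (`CONNECT` via `web-cache:8080`), so the TCP peer the agent sees may be the proxy's address rather than the monitoring server's. The script below is an added example, not NSClient++ code: it re-implements the documented `allowed hosts` syntax (comma-separated entries, `/mask` networks, `*` wildcards) so you can test which peers a given value admits, and it flags entries that expand to `/0`, since `Server-IP/0` does not "allow Server-IP" but switches the host filter off entirely, leaving only the password (and, with `-k`, an unverified self-signed certificate) between the internet and the REST API. All addresses are constructed RFC 5737 documentation ranges standing in for `Server-IP`, the proxy and an unrelated host; the function names are this example's own.

```python
"""Allowed-hosts matcher in the style of NSClient++'s 'allowed hosts' key.

Added example (not NSClient++ code). Re-implements the documented syntax:
a comma-separated list whose entries are a single address, a network in
/mask notation, or a dotted prefix ending in '*'. Addresses used in the
demo are constructed RFC 5737 documentation ranges.
"""
import ipaddress


def _wildcard_to_network(entry):
    """Turn '10.20.*' into 10.20.0.0/16: every octet before the first '*'
    is fixed, the remaining octets are free (IPv4 dotted-quad form only)."""
    fixed = []
    for octet in entry.split("."):
        if octet == "*":
            break
        fixed.append(octet)
    address = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{address}/{8 * len(fixed)}")


def parse_allowed_hosts(spec):
    """Parse the value of 'allowed hosts' into a list of ip_network objects."""
    networks = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "*" in entry:
            networks.append(_wildcard_to_network(entry))
        else:
            # strict=False is what makes 'Server-IP/0' legal: the host bits
            # are discarded and the entry collapses to 0.0.0.0/0.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(source_ip, spec):
    """True if the connecting address lies inside any allowed network.
    An IPv6 peer never matches an IPv4 entry (and vice versa), so it is
    simply refused rather than raising."""
    peer = ipaddress.ip_address(source_ip)
    return any(peer in network for network in parse_allowed_hosts(spec))


def handle_request(source_ip, spec):
    """Mimic the agent's first gate: a peer outside the list is refused
    before credentials are even examined."""
    if not is_allowed(source_ip, spec):
        return 403, "Your not allowed"
    return 200, "ok"


def overly_broad(spec):
    """Return the entries that expand to a whole address family (/0),
    i.e. entries that disable the host filter altogether."""
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    return [e for e in entries if parse_allowed_hosts(e)[0].prefixlen == 0]


if __name__ == "__main__":
    # Constructed stand-ins: the monitoring server, the proxy it goes
    # through, and an unrelated host on the internet.
    peers = [("server", "192.0.2.10"), ("proxy", "198.51.100.5"),
             ("stranger", "203.0.113.99")]
    configs = [
        ("strict", "192.0.2.10, 127.0.0.1"),          # the post's failing config
        ("slash0", "192.0.2.10/0"),                   # the post's workaround
        ("fixed", "192.0.2.10, 198.51.100.5, 127.0.0.1"),  # admit the address the agent actually sees
    ]
    for label, spec in configs:
        for name, ip in peers:
            print(f"{label:6} {name:8} {ip:15} -> {handle_request(ip, spec)}")
        print(f"{label:6} overly broad entries: {overly_broad(spec)}")
```

Run it as-is to see the three configurations side by side; the "fixed" list shows the shape of a narrow repair (add the proxy's address or its subnet rather than `/0`), and `overly_broad` is the check to run over any `allowed hosts` value before deploying it.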