Allowed Host 403 Your not allowed


#1

I have an Agent that appears not to allow external connections to access resources in the REST API, although I did find a workaround for the allowed hosts config that allows all addressing by configuring the nsclient.ini parameter with /0, allowing all addressing (this is not ideal, obviously).

Note: requests made locally on the machine are allowed.

allowed hosts = Server-IP/0

The Agent (v05.3.4) is deployed on a Windows 10 Machine sitting on an enterprise network. The requesting client is an external Server, sitting on a separate subnet. The HTTP request is being accepted, although closing the connection on 403 and outputting “403 Your not allowed”.

See the current nsclient.ini:

; If you want to fill this file with all available options run the following command:
;   nscp settings --generate --add-defaults --load-all
; If you want to activate a module and bring in all its options use:
;   nscp settings --activate-module --add-defaults
; For details run: nscp settings --help

; in flight - TODO

[/settings/default]

; Undocumented key

password = icinga

; Undocumented key

allowed hosts = Server-IP, 127.0.0.1

; in flight - TODO

[/modules]

; Undocumented key

CheckExternalScripts = disabled

; Undocumented key

CheckHelpers = disabled

; Undocumented key

CheckEventLog = disabled

; Undocumented key

CheckNSCP = disabled

; Undocumented key

CheckDisk = enabled

; Undocumented key

CheckSystem = enabled

; Undocumented key

WEBServer = enabled

[/settings/WEB/server]

; ALLOWED HOSTS - A commaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

allowed hosts = Server-IP, 127.0.0.1

; PORT NUMBER - Port to use for WEB server.

port = 8443s

; CERTIFICATE - Ssl certificate to use for the ssl server

certificate = ${certificate-path}/certificate.pem

password: icinga

[/settings/log]

file name = nsclient.log

level = debug

[/settings/WEB/server/roles]

admin = *

See curl output:

$ curl -vv -k -u admin:icinga --max-time 3 -H "Content-type: application/json" https://NSCLIENT:8443/query/check_cpu

About to connect() to proxy web-cache port 8080 (#0)

Trying proxy web-cache… connected

Connected to web-cache (proxy web-cache) port 8080 (#0)

Establish HTTP proxy tunnel to NSCLIENT:8443

Server auth using Basic with user 'admin'

CONNECT NSCLIENT:8443 HTTP/1.1

Host: NSCLIENT:8443

User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

Proxy-Connection: Keep-Alive

Content-type: application/json

HTTP/1.1 200 Connection established

Date: Tue, 02 Apr 2019 00:45:27 GMT

Proxy replied OK to CONNECT request

Initializing NSS with certpath: sql:/etc/pki/nssdb

warning: ignoring value of ssl.verifyhost

skipping SSL peer certificate verification

SSL connection using TLS_RSA_WITH_AES_128_GCM_SHA256

Server certificate:

subject: CN=localhost

start date: Apr 02 00:45:17 2019 GMT

expire date: Apr 01 00:45:17 2020 GMT

common name: localhost

issuer: CN=localhost

Server auth using Basic with user 'admin'

GET /query/check_cpu HTTP/1.1

Authorization: Basic —

User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2

Host: NSCLIENT:8443

Accept: */*

Content-type: application/json

HTTP/1.1 403

Content-Length: 22

Connection #0 to host web-cache left intact

Closing connection #0
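
Added example (not part of the original post and not NSClient++ code): a Python model of how a comma-separated allowed hosts value in netmask syntax evaluates against a connecting address, showing why Server-IP/0 admits every client. It assumes the agent matches on the TCP peer address, which for the proxied request in the curl trace would be the proxy's address rather than the server's; 192.0.2.10 stands in for Server-IP and 198.51.100.7 for the proxy, both constructed.

```python
import ipaddress


def parse_allowed_hosts(value):
    """Parse an 'allowed hosts' value (addresses or netmask entries only)."""
    nets = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False drops host bits, so "192.0.2.10/0" becomes 0.0.0.0/0
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(peer_ip, allowed_value):
    """True if the TCP peer address falls inside any allowed entry."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in parse_allowed_hosts(allowed_value))


def open_entries(allowed_value):
    """Return the entries that admit every address (prefix length 0)."""
    return [str(n) for n in parse_allowed_hosts(allowed_value) if n.prefixlen == 0]


if __name__ == "__main__":
    SERVER_IP = "192.0.2.10"    # constructed stand-in for Server-IP
    PROXY_IP = "198.51.100.7"   # constructed stand-in for the proxy's address
    strict_list = f"{SERVER_IP}, 127.0.0.1"
    workaround = f"{SERVER_IP}/0"

    # Direct connection from the server is accepted by the strict list.
    print("server, strict list :", is_allowed(SERVER_IP, strict_list))
    # The same request through a proxy arrives with the proxy as peer.
    print("proxy, strict list  :", is_allowed(PROXY_IP, strict_list))
    # The /0 workaround accepts the proxy, and everything else.
    print("proxy, /0 workaround:", is_allowed(PROXY_IP, workaround))
    print("open entries        :", open_entries(workaround))
```
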