{{tag>Windows Nagios Centreon Supervision HTTPS TLS MITM}}

# Nagios/Centreon NSClient++ plugin problem: "403 Your not allowed" from the NSClient++ REST API on Windows while curl works

## Problem

Same symptom as https://community.icinga.com/t/getting-response-403-your-not-allowed-from-nsclient-running-on-windows-over-the-rest-api/4005

The Centreon plugin, called with the legacy password, gets a 403:

~~~
$ /usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden
~~~

whereas curl, with HTTP Basic authentication and the same credentials, works:

~~~bash
curl -k -u centreon:centreon https://192.168.1.161:8443/api/v1/scripts/ext?all=true
~~~

## Analysis: build an HTTPS MITM with socat

To see what each client really sends, the plugin and curl are pointed at a local socat listener that terminates TLS (so the plaintext HTTP can be logged) and forwards to a second socat that re-encrypts towards NSClient++. The chain is: client -> socat ''OPENSSL-LISTEN'' on 1443 (dumps the traffic) -> socat ''TCP-LISTEN'' on 8080 -> NSClient++ on 8443.

### Decapsulate HTTPS by building an HTTP MITM (HTTPS to HTTP)

Second hop: listen in clear text on 8080 and forward to NSClient++ over TLS. ''verify=0'' disables verification of the NSClient++ certificate, acceptable in a lab, nowhere else.

~~~bash
# 10.12.50.161 is the NSClient++ host in this lab (the rest of the page uses 192.168.1.161)
socat TCP-LISTEN:8080,fork OPENSSL:10.12.50.161:8443,verify=0
~~~

### Create the certificates for HTTPS encapsulation (HTTP to HTTPS)

See:

* [[openssl_creer_un_certificat_autosigne_create_a_self-signed_ssl_certificate]]
* https://fabianlee.org/2022/10/26/linux-socat-used-as-secure-https-web-server/

socat expects one PEM file holding both the private key and the certificate, and its name must match the ''cert=${FQDN}.pem'' used by the listener below.

~~~bash
FQDN=localhost
# Two-step variant:
#openssl genrsa -out ${FQDN}.key 2048
#openssl req -new -key ${FQDN}.key -x509 -subj "/CN=${FQDN}" -out ${FQDN}.crt
# Or in one step: self-signed certificate, unencrypted key, valid 365 days
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=${FQDN}" -keyout ${FQDN}.key -out ${FQDN}.crt
# socat wants key + certificate in a single PEM file
cat ${FQDN}.key ${FQDN}.crt > ${FQDN}.pem
~~~

## Results

First hop: TLS listener on 1443 with the self-signed certificate, forwarding in clear text to the second hop on 8080. ''-v'' dumps the traffic in both directions (''>'' client to NSClient++, ''<'' NSClient++ to client). The ''crlf'' option converts line endings on this channel (CRLF read from the client becomes LF, LF written to the client becomes CRLF), which is why the requests below show no ''\r'' and the responses show ''\r\r''; omit it for a byte-exact capture.

### Test OK

~~~bash
curl -k -u centreon:centreon https://127.0.0.1:1443/api/v1/scripts/ext?all=true
~~~

~~~
[root@centreon-central ~]# PORT=1443 FQDN=localhost
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:27:38.353691 length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Host: 127.0.0.1:1443
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=
User-Agent: curl/7.61.1
Accept: */*

< 2025/04/04 12:27:38.378346 length=1681 from=0 to=1680
HTTP/1.1 200\r\r
Content-Length: 1544\r\r
Set-cookie: token=yapnxrpMCARCr4zdGc81tBDKsMlaZTXC; path=/\r\r
Set-cookie: uid=centreon; path=/\r\r
\r\r
~~~

curl sends an ''Authorization: Basic'' header (''Y2VudHJlb246Y2VudHJlb24='' is base64 for ''centreon:centreon'') and NSClient++ answers 200.

### Test NOK

~~~bash
/usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='127.0.0.1' --port='1443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden
~~~

~~~
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:34:59.797373 length=315 from=0 to=314
GET /query/check_cpu?warning%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2080&critical%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2090&show-all HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 127.0.0.1:1443
User-Agent: centreon::plugins::backend::http::useragent
Password: centreon

< 2025/04/04 12:34:59.804956 length=59 from=0 to=58
HTTP/1.1 403\r\r
Content-Length: 20\r\r
\r\r
403 Your not allowed
~~~

With ''--legacy-password'' the plugin sends no ''Authorization'' header at all; it puts the password in a bare ''Password:'' header, which this NSClient++ rejects with ''403 Your not allowed''. The two captures differ in the authentication scheme, not in the credentials.

## Solution

Make the plugin use HTTP Basic authentication instead of the legacy ''Password'' header by adding:

* ''--basic''
* ''--credentials''
* ''--username=centreon''
* ''--password=centreon''

~~~bash
/usr/lib/centreon/plugins/centreon_plugins --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --basic --credentials --username=centreon --password=centreon --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
~~~

''--insecure'' skips verification of the NSClient++ certificate, which is exactly what let the plugin talk to the self-signed MITM listener above; once the check works, install a certificate the Centreon poller trusts and drop the flag.

## Other socat uses

A TLS test server that answers every request with a fixed page, useful to validate the certificate and the listener before putting NSClient++ behind it:

~~~bash
socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; echo \"hello from $(hostname) at \$(date)\""
~~~
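The two socat captures in the Results section differ only in how the credentials travel. As an added example (not code from this page, from Centreon or from NSClient++), the Python below parses ''socat -v'' dumps of that shape, pairs each ''>'' request chunk with the following ''<'' response chunk, and reports the authentication scheme found in the request, decoding the Basic user name (never the password) and percent-decoding the query so the check arguments read as the plugin wrote them. The two dumps are constructed by transcribing this page's captures; the function and field names are this example's own.

```python
import base64
import re
from urllib.parse import unquote

# Constructed samples: the two socat -v captures transcribed from this page
# (raw strings, because socat prints a carriage return as the two characters "\r").
CAPTURE_OK = r"""> 2025/04/04 12:27:38.353691 length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Host: 127.0.0.1:1443
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=
User-Agent: curl/7.61.1
Accept: */*

< 2025/04/04 12:27:38.378346 length=1681 from=0 to=1680
HTTP/1.1 200\r\r
Content-Length: 1544\r\r
Set-cookie: token=yapnxrpMCARCr4zdGc81tBDKsMlaZTXC; path=/\r\r
Set-cookie: uid=centreon; path=/\r\r
\r\r
"""

CAPTURE_NOK = r"""> 2025/04/04 12:34:59.797373 length=315 from=0 to=314
GET /query/check_cpu?warning%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2080&critical%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2090&show-all HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 127.0.0.1:1443
User-Agent: centreon::plugins::backend::http::useragent
Password: centreon

< 2025/04/04 12:34:59.804956 length=59 from=0 to=58
HTTP/1.1 403\r\r
Content-Length: 20\r\r
\r\r
403 Your not allowed
"""

# "> ts length=N from=A to=B" opens a client->server chunk, "<" a server->client one
CHUNK_RE = re.compile(r"^([<>]) (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) length=(\d+)")


def split_chunks(dump):
    """Cut a socat -v dump into direction-tagged chunks of cleaned text lines."""
    chunks = []
    for line in dump.splitlines():
        m = CHUNK_RE.match(line)
        if m:
            chunks.append({"dir": m.group(1), "ts": m.group(2), "length": int(m.group(3)), "lines": []})
        elif chunks:
            # drop the printed "\r" (doubled by socat's crlf option) so header lines compare cleanly
            chunks[-1]["lines"].append(line.replace("\\r", "").rstrip())
    return chunks


def parse_headers(lines):
    """Headers of an HTTP message given as lines (request/status line first), keys lower-cased."""
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify_auth(headers):
    """Return (scheme, user) for the credentials a request carries; the password is never returned."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, _password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
        except ValueError:      # binascii.Error and UnicodeDecodeError are both ValueErrors
            return "basic-undecodable", None
        return "basic", user
    if "password" in headers:   # NSClient++ legacy scheme: bare password in its own header
        return "legacy-password-header", None
    return "none", None


def analyse(dump):
    """Pair each '>' request chunk with the '<' response chunk that follows it."""
    exchanges, request = [], None
    for chunk in split_chunks(dump):
        if chunk["dir"] == ">":
            request = chunk
        elif request is not None:
            method, target, _version = request["lines"][0].split(" ", 2)
            scheme, user = classify_auth(parse_headers(request["lines"]))
            resp = chunk["lines"]
            body = "\n".join(resp[resp.index("") + 1:]).strip() if "" in resp else ""
            exchanges.append({
                "ts": chunk["ts"],
                "method": method,
                "target": unquote(target),   # check arguments as the plugin wrote them
                "auth": scheme,
                "user": user,
                "status": int(resp[0].split()[1]),
                "body": body,
            })
            request = None
    return exchanges


if __name__ == "__main__":
    for name, dump in (("curl", CAPTURE_OK), ("centreon plugin", CAPTURE_NOK)):
        for ex in analyse(dump):
            print(f"{name}: {ex['method']} {ex['target']} auth={ex['auth']} user={ex['user']} "
                  f"-> {ex['status']} {ex['body']}")
```

Run it on a real dump by replacing the constructed strings with the contents of a file captured with ''socat -v ... 2> dump.txt'' (socat writes the ''-v'' dump to stderr). The same classification also flags requests with no credentials at all and Basic headers that do not decode, the two other shapes a 403 from a REST API usually hides.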