Got 403 Forbidden with Chrome user-agent

Elasticsearch version: 2.3.1

JVM version:

java -version
openjdk version "1.8.0_71"
OpenJDK Runtime Environment (build 1.8.0_71-b15)
OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)

OS version:

lsb_release -a
LSB Version:	:core-4.1-amd64:core-4.1-noarch
Distributor ID:	CentOS
Description:	CentOS Linux release 7.1.1503 (Core)
Release:	7.1.1503
Codename:	Core

Description of the problem including expected versus actual behavior:
Works fine on Firefox, doesn't work with Chrome/Safari

Steps to reproduce:

  1. Normal user-agent is ok
curl -v 'https://xxx.my.host/elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1465897339430' -H 'origin: https://xxx.my.host' -H 'user-agent: Rajax/1 Redmi_3/ido Android/5.1.1 Display/LMY47V Eleme/5.10.2 ID/fa0ef395-659a-3150-b347-f258248013af; KERNEL_VERSION:3.10.49-perf-g6241083 API_Level:22 Mozilla/5.0 (Linux; Android 5.1.1; Redmi 3 Build/LMY47V; wv)' -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.5.1"}]}'
*   Trying 115.x.x.42...
* Connected to xxx.my.host (115.x.x.42) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.ele.me
* Server certificate: GeoTrust SSL CA - G3
* Server certificate: GeoTrust Global CA
> POST /elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1465897339430 HTTP/1.1
> Host: xxx.my.host
> Accept: */*
> origin: https://xxx.my.host
> user-agent: Rajax/1 Redmi_3/ido Android/5.1.1 Display/LMY47V Eleme/5.10.2 ID/fa0ef395-659a-3150-b347-f258248013af; KERNEL_VERSION:3.10.49-perf-g6241083 API_Level:22 Mozilla/5.0 (Linux; Android 5.1.1; Redmi 3 Build/LMY47V; wv)
> Content-Length: 62
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 62 out of 62 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.9.6
< Date: Wed, 15 Jun 2016 03:47:01 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 116
< Connection: keep-alive
< Vary: Accept-Encoding
<
* Connection #0 to host xxx.my.host left intact
{"docs":[{"_index":".kibana","_type":"config","_id":"4.5.1","_version":1,"found":true,"_source":{"buildNum":9892}}]}

Got 403 forbidden with Chrome/Safari user-agent...

curl -v 'https://xxx.my.host/elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1465897339430' -H 'origin: https://xxx.my.host' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)' -d '{"docs":[{"_index":".kibana","_type":"config","_id":"4.5.1"}]}'
*   Trying 115.x.x.12...
* Connected to xxx.my.host (115.x.x.12) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.my.host
* Server certificate: GeoTrust SSL CA - G3
* Server certificate: GeoTrust Global CA
> POST /elasticsearch/_mget?timeout=0&ignore_unavailable=true&preference=1465897339430 HTTP/1.1
> Host: xxx.my.host
> Accept: */*
> origin: https://xxx.my.host
> user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5)
> Content-Length: 62
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 62 out of 62 bytes
< HTTP/1.1 403 Forbidden
< Server: nginx/1.9.6
< Date: Wed, 15 Jun 2016 03:46:08 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
<
* Connection #0 to host xxx.my.host left intact

Provide logs (if relevant):
above

Describe the feature:
I'm trying to use Kibana to connect to Elasticsearch, but found that it does not work with Chrome/Safari and works fine on Firefox. I thought it was Kibana's problem, but it seems there is some detail that I don't know about Elasticsearch.

GitHub: https://github.com/elastic/elasticsearch/issues/18878

What are you using to proxy this (ie add SSL)?

with nginx proxy_pass

I'd say it is a problem there and not in ES then.

Um, I have no idea about this. You mean this 403 status is caused by nginx?

curl -v 'http://localhost:9200/_mget?timeout=0&ignore_unavailable=true&preference=1465972364258' -H 'Origin: https://xxx.my.host' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4,zh-TW;q=0.2' -H 'kbn-version: 4.5.0' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36' -H 'Content-Type: application/json;charset=UTF-8' -H 'Accept: application/json, text/plain, */*' -H 'Referer: https://xxx.my.host/app/kibana' -H 'Cookie: ubt_ssid=g0t4wjmyxmpl7tdgj7jogaf524dzssd6_2016-03-24; _utrace=08ce7bea04351ed23c74cc6e51f8a0fd_2016-03-24; track_fingerprint_1=866522078; eleme__ele_me=dc444820023be6e0a562b3752648cf07%3A713e269b408b85cd20ae52ad0d72fb2c5bb19700; COFFEE_TOKEN=35fa7d3e-39d5-428f-9f39-a0d4f3a18ae6; track_id=1463453997%7C5c082c05a1e4d2b7e883682a952629dcd2aefea7885d7991ca%7C23834c0ccc4aac997c346e1241248b11' -H 'Connection: keep-alive' --data-binary '{"docs":[{"_index":".kibana","_type":"config","_id":"4.5.0"}]}' --compressed
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9200 (#0)
> POST /_mget?timeout=0&ignore_unavailable=true&preference=1465972364258 HTTP/1.1
> Host: localhost:9200
> Origin: https://xxx.my.host
> Accept-Encoding: gzip, deflate, br
> Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4,zh-TW;q=0.2
> kbn-version: 4.5.0
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
> Content-Type: application/json;charset=UTF-8
> Accept: application/json, text/plain, */*
> Referer: https://xxx.my.host/app/kibana
> Cookie: ubt_ssid=g0t4wjmyxmpl7tdgj7jogaf524dzssd6_2016-03-24; _utrace=08ce7bea04351ed23c74cc6e51f8a0fd_2016-03-24; track_fingerprint_1=866522078; eleme__ele_me=dc444820023be6e0a562b3752648cf07%3A713e269b408b85cd20ae52ad0d72fb2c5bb19700; COFFEE_TOKEN=35fa7d3e-39d5-428f-9f39-a0d4f3a18ae6; track_id=1463453997%7C5c082c05a1e4d2b7e883682a952629dcd2aefea7885d7991ca%7C23834c0ccc4aac997c346e1241248b11
> Connection: keep-alive
> Content-Length: 62
>
* upload completely sent off: 62 out of 62 bytes
< HTTP/1.1 403 Forbidden
* no chunk, no close, no size. Assume close to signal end
<
* Closing connection 0

As you suggested, I tried this request over nginx, but there is still a problem.

I think this is fixed in 2.3.3, can you upgrade and verify?

Sure, I'm going to.

It works! @Jasontedor, thanks a lot!
