Heartbeat HTTP pings fails with 403

Elastic Stack Beats
1

Hi Team,

Strange heartbeat is failing with 403 response but we are getting valid 200 responses via CURL & Browser
. Below is the configuration used for setting up the heartbeat any advice here will be helpful. I have tried setting up headers via heartbeat config too but still no luck.

Heartbeat Config:

Trial 1:

heartbeat.monitors:
- type: http
  schedule: '@every 60s'
  name: "host:Ping"
  urls:
    - https://host.com/xxx/Heartbeat.jsp

Trial 2:

heartbeat.monitors:
- type: http
  schedule: '@every 60s'
  name: Host-2:Ping"
  urls:
    - https://host.com/xxx/Heartbeat.jsp
  ssl:
    supported_protocols: ["TLSv1.3"]
  
  check.request:
    method: GET
    headers:
     - 'Content-Type': 'text/html'
     - 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0'
     - 'Accept-Language':	'en-GB,en;q=0.5'
     - 'Accept-Encoding' : 'gzip, deflate, br'
     - 'set-cookie': 'JSESSIONID=AEE9417DA812869E16222633EA68E582.worker87'
  check.response:
    status: [200]

For both configurations, we get " received status code 403 expecting [200]".

Screenshot 2022-02-25 140853
Screenshot 2022-02-25 1408531481×588 40.4 KB

CURL sample response:

heartbeat@756438db75dd:~$  curl -k -v  https://HOST
*   Trying IP:443...
* TCP_NODELAY set
* Connected to HOST.com (IP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.HOST.com; O=Name Internet Business Solutions Ltd; L=Pieta; C=MT
*  start date: Jul 29 11:28:09 2021 GMT
*  expire date: Jul 29 11:27:09 2022 GMT
*  issuer: C=US; ST=Illinois; L=Chicago; O=Trustwave Holdings, Inc.; CN=Trustwave Organization Validation SHA256 CA, Level 1; emailAddress=ca@trustwave.com
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e584984e30)
> GET /TDS/Heartbeat.jsp HTTP/2
> Host: HOST.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< date: Fri, 25 Feb 2022 13:50:17 GMT
< server: Apache
< strict-transport-security: max-age=31536000; includeSubDomains
< set-cookie: JSESSIONID=4B4FFE3F0C9076F907595B86B273F1D6.worker87; Path=/TDS; Secure; HttpOnly
< content-type: text/html;charset=UTF-8
<


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
 Component (TDS 1.0.2)
</body>
* Connection #0 to host HOST.com left intact
2

403 corresponds to forbidden. In all likelihood your server thinks heartbeat is a malicious bot and is denying it access. It's not really something we can control on heartbeat since your service is handling things differently.

You could try setting the user agent header to something else to see if that helps.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.