
dejavu access es server with 401 Unauthorized error in POST request

Open scalaview opened this issue 6 years ago • 3 comments

The POST request passes a wrong header to the server: "Basic%20xxxx"


the correct one is "Basic xxxx"


my dejavu docker image is appbaseio/dejavu latest 8fd445e200b2

scalaview avatar Sep 06 '19 07:09 scalaview
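
An added example, not part of the original report and not dejavu or server code: a strict parser for a Basic `Authorization` header value, showing why "Basic%20xxxx" cannot be read as credentials while "Basic xxxx" can. The credential `user:pass` is constructed for the illustration.

```javascript
// Added example: strict parsing of an Authorization header value (HTTP Basic).
// The scheme and the credentials are separated by a literal space. Header
// values are not percent-decoded, so "%20" stays part of a single token.
function parseBasicAuth(headerValue) {
  const m = /^(\S+) +(\S+)$/.exec(headerValue.trim());
  if (!m) return { ok: false, reason: 'no "<scheme> <credentials>" pair' };
  if (m[1].toLowerCase() !== 'basic') {
    return { ok: false, reason: 'unsupported scheme: ' + m[1] };
  }
  if (!/^[A-Za-z0-9+\/]+=*$/.test(m[2])) {
    return { ok: false, reason: 'credentials are not base64' };
  }
  const decoded = Buffer.from(m[2], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon < 0) return { ok: false, reason: 'no colon in decoded credentials' };
  // Only the first colon separates user and password.
  return { ok: true, user: decoded.slice(0, colon), pass: decoded.slice(colon + 1) };
}

// Constructed sample values: base64("user:pass") is "dXNlcjpwYXNz".
for (const value of ['Basic dXNlcjpwYXNz', 'Basic%20dXNlcjpwYXNz']) {
  console.log(JSON.stringify(value), '->', JSON.stringify(parseBasicAuth(value)));
}
```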

@scalaview thank you for reporting this. I was not able to replicate this with latest docker image, can you share some example URL with Credentials?

lakhansamani avatar Sep 20 '19 08:09 lakhansamani

@lakhansamani unfortunately, this is an internal system, I can't share it with you. So sorry.

scalaview avatar Sep 25 '19 04:09 scalaview

I have maybe the same problem

  • using an internal URL like https://user:pass@some-host:443/elasticsearch
  • within actual Chrome Plugin from https://chrome.google.com/webstore/detail/dejavu-elasticsearch-web/jopjeaiilkcibeohjdmejhoifenbnmlh
  • Elasticsearch config added as found in some other issue/blog:
    # tail -n 5 /etc/elasticsearch/elasticsearch.yml
    http.port: 9200
    http.cors.allow-origin: 'chrome-extension://jopjeaiilkcibeohjdmejhoifenbnmlh'
    http.cors.enabled: true
    http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization
    http.cors.allow-credentials: true
    
  • Apache2 proxy setup like:
          <Location /elasticsearch>
                  AuthType        Basic
                  AuthName        "Restricted Content"
                  AuthUserFile    /etc/apache2/htpasswd
                  Require         valid-user
    
                  ProxyPass               http://localhost:9200 retry=0
                  ProxyPassReverse        http://localhost:9200
          </Location>
    
          <Proxy http://localhost:9200>
                  ProxySet                connectiontimeout=5 timeout=90
          </Proxy>
    
          <LocationMatch "^(/elasticsearch/)(_aliases|.*_search|.*_mapping|_nodes|_settings)$">
                  ProxyPassMatch          http://localhost:9200/$2
                  ProxyPassReverse        http://localhost:9200/$2
          </LocationMatch>
    

I can use the Data Browser and the Search Preview but not the Query Explorer, where I get a 401, and in dejavu this notification popup:

Application Error It looks like your app name, username, password combination doesn't match. Check your url and appname and then connect it again.

producing these log lines in the access log:

some-host:443 192.168.1.11 - - [02/Oct/2019:22:22:45 +0000] "OPTIONS /elasticsearch/akeneo_pim_product/_settings HTTP/1.1" 401 754 "https://opensource.appbase.io/mirage/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" -
some-host:443 192.168.1.11 - - [02/Oct/2019:22:22:45 +0000] "OPTIONS /elasticsearch/akeneo_pim_product/_mapping/ HTTP/1.1" 401 754 "https://opensource.appbase.io/mirage/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" -

Hmm, maybe it's different... checking the Chrome console as shown above, there is no Basic Auth, but somehow Google adds some public IP here, too:

General:
Request URL: https://some-host/elasticsearch/akeneo_pim_product/_settings
Request Method: OPTIONS
Status Code: 403 Forbidden
Remote Address: 79.140.XXX.XXX:443
Referrer Policy: no-referrer-when-downgrade

Response Headers:
HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2019 22:39:27 GMT
Server: Apache/2.4.38
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Transfer-Encoding: chunked

Request Headers:
OPTIONS /elasticsearch/akeneo_pim_product/_settings HTTP/1.1
Host: some-host
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Sec-Fetch-Mode: cors
Access-Control-Request-Method: GET
Origin: https://opensource.appbase.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
DNT: 1
Access-Control-Request-Headers: authorization,content-type
Accept: */*
Sec-Fetch-Site: cross-site
Referer: https://opensource.appbase.io/mirage/
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

And the same result when excluding Basic Auth for OPTIONS as given in https://serverfault.com/a/684884/219570:

         <Location /elasticsearch>
                AuthType        Basic
                AuthName        "Restricted Content"
                AuthUserFile    /etc/apache2/htpasswd
                #Require                valid-user
                <LimitExcept OPTIONS>
                        Require valid-user
                </LimitExcept>

                ProxyPass               http://localhost:9200 retry=0
                ProxyPassReverse        http://localhost:9200
        </Location>

EDIT:

While checking postponed the post I found the request header not helpful: Referer: https://opensource.appbase.io/mirage/ and added it to allowed origin in Elasticsearch: http.cors.allow-origin: '/(chrome-extension:\/\/jopjeaiilkcibeohjdmejhoifenbnmlh|https:\/\/opensource.appbase.io\/mirage\/)/' and http.cors.allow-origin: /(chrome-extension:\/\/jopjeaiilkcibeohjdmejhoifenbnmlh|https:\/\/opensource.appbase.io\/mirage\/)/ but with no change in behavior... I still get 401 errors.

Reiner030 avatar Oct 02 '19 22:10 Reiner030
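
An added example, not part of the thread and not dejavu, Apache or Elasticsearch code: it checks the preflight captured above against the `http.cors.allow-origin` pattern from the EDIT and against a simplified model of what a browser requires from a preflight response. The captured preflight sends `Origin: https://opensource.appbase.io` (scheme and host, no path), while the pattern requires `/mirage/`. Assumptions: the regex must match the whole Origin value, and `ORIGIN_SETTING` is a hypothetical pattern written for this illustration.

```javascript
// Added example (constructed). Elasticsearch treats an http.cors.allow-origin
// value wrapped in /.../ as a regex. Assumption: it must match the whole Origin.
function originAllowed(setting, origin) {
  const m = /^\/(.*)\/$/.exec(setting);
  if (!m) return setting === '*' || setting === origin;
  return new RegExp('^(?:' + m[1] + ')$').test(origin);
}

// Simplified model of what the browser requires from a preflight response
// before it sends the real request (no wildcard or credentials handling).
function preflightFailures(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const fails = [];
  if (res.status < 200 || res.status > 299) fails.push('status ' + res.status);
  if (h['access-control-allow-origin'] !== req.origin) fails.push('origin not echoed');
  const allowed = list(h['access-control-allow-headers']);
  for (const name of list(req.requestHeaders)) {
    if (!allowed.includes(name)) fails.push('header not allowed: ' + name);
  }
  return fails;
}

// Values copied from the thread.
const EXT = 'chrome-extension://jopjeaiilkcibeohjdmejhoifenbnmlh';
const EDIT_SETTING =
  '/(chrome-extension:\\/\\/jopjeaiilkcibeohjdmejhoifenbnmlh|https:\\/\\/opensource.appbase.io\\/mirage\\/)/';
const PREFLIGHT = { origin: 'https://opensource.appbase.io', requestHeaders: 'authorization,content-type' };
const CAPTURED = { status: 403, headers: { Server: 'Apache/2.4.38', 'X-Frame-Options': 'sameorigin' } };

// Hypothetical pattern that targets the Origin value instead of the Referer.
const ORIGIN_SETTING =
  '/(chrome-extension:\\/\\/jopjeaiilkcibeohjdmejhoifenbnmlh|https:\\/\\/opensource\\.appbase\\.io)/';

console.log('extension origin, EDIT pattern:', originAllowed(EDIT_SETTING, EXT));
console.log('mirage origin, EDIT pattern:', originAllowed(EDIT_SETTING, PREFLIGHT.origin));
console.log('mirage origin, origin-only pattern:', originAllowed(ORIGIN_SETTING, PREFLIGHT.origin));
console.log('captured preflight response:', preflightFailures(PREFLIGHT, CAPTURED));
```

The captured 403 carries `Server: Apache/2.4.38` and no `Access-Control-*` headers, so the model reports the status, the missing origin echo, and both requested headers as failures.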