check_http Gives 403 Forbidden Error Monitoring Site via AWS Application Load Balancer (ALB)

Cloud Nagios and NagiosXI

We’ve started to host websites on AWS and want to monitor them using NagiosXI, but we got some odd results when first attempting to. The web application has no “index.html” page, which is one cause of a 403 Forbidden error. However, we were getting the same thing even when specifying the correct path.

It turns out there are a few things at play here. One I mention in https://geekmungus.co.uk/?p=1289: it relates to SNI, which can be required when multiple sites (with different SSL certificates) are hosted on the same IP:port, as is the case with an ALB or, to a certain extent, any load balancer. The other key thing is that your NagiosXI poll must look like a normal request, or the load balancer won’t interpret it correctly.

In our case, however, it was the WAF that was the problem: it was classifying the request as a bot because the Nagios request did not provide a User-Agent string! To resolve this you’d do something like:

./check_http -H www.mysite.com --sni --hostname=www.mysite.com -u / --useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0" -f follow -S
HTTP OK: HTTP/1.1 200 OK - 7589 bytes in 0.088 second response time |time=0.088117s;;;0.000000 size=7589B;;;0

Adding a valid User-Agent string solved the issue.

1 thought on “check_http Gives 403 Forbidden Error Monitoring Site via AWS Application Load Balancer (ALB)”

  1. A further note to this was also that NagiosXI didn’t seem to like the semicolons and colons; when attempting to escape them on the command line passed into NagiosXI, it would leave these in the string that was passed to the server, causing a 403 Forbidden error again.

    So to resolve this, removing these characters and replacing them with spaces seemed to be good enough to get past the WAF filtering.
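As an added example (not the check_http plugin or any Nagios code), here is a small Python probe that mirrors the options that mattered in the post: verified TLS with SNI, an explicit User-Agent so the WAF does not classify the poll as a bot, redirect following, check_http-style status mapping and perfdata, plus the commenter's workaround of replacing ';' and ':' in an argument with spaces. The host and path are assumptions passed on the command line.

```python
"""check_http-style HTTPS probe with the options that mattered above (added example)."""
import ssl
import sys
import time
import urllib.request
from urllib.error import HTTPError, URLError

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes
# Browser-like UA from the post; its ';' and ':' are what Nagios XI mangled (see comment)
DEFAULT_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) "
              "Gecko/20100101 Firefox/112.0")

def sanitize_arg(value: str) -> str:
    """Commenter's workaround: swap ';' and ':' for spaces and collapse runs of spaces."""
    return " ".join(value.replace(";", " ").replace(":", " ").split())

def classify(status: int) -> int:
    """Map an HTTP status to a Nagios state as check_http does by default."""
    if status < 400:
        return OK
    return WARNING if status < 500 else CRITICAL  # a WAF 403 is a WARNING

def perfdata(elapsed: float, size: int) -> str:
    """Performance data in the same shape as the check_http output above."""
    return f"time={elapsed:.6f}s;;;0.000000 size={size}B;;;0"

def check(host: str, path: str = "/", user_agent: str = DEFAULT_UA) -> tuple[int, str]:
    """Probe https://host/path over verified TLS; return (exit code, status line)."""
    ctx = ssl.create_default_context()  # http.client sends SNI for `host` with this context
    req = urllib.request.Request(f"https://{host}{path}", headers={"User-Agent": user_agent})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:  # follows redirects
            body, status, reason = resp.read(), resp.status, resp.reason
    except HTTPError as err:  # 4xx/5xx still arrive with a status and body
        body, status, reason = err.read(), err.code, err.reason
    except URLError as err:  # DNS, connect or TLS failure
        return CRITICAL, f"HTTP CRITICAL: {err.reason}"
    elapsed = time.monotonic() - start
    state = classify(status)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    return state, (f"HTTP {label}: HTTP/1.1 {status} {reason} - {len(body)} bytes in "
                   f"{elapsed:.3f} second response time |{perfdata(elapsed, len(body))}")

if __name__ == "__main__":  # usage: probe.py www.mysite.com [/path]
    code, line = check(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    print(line)
    sys.exit(code)
```

Running it without the User-Agent header (an empty string) against a WAF-fronted ALB is the quickest way to confirm the 403 is the WAF's bot rule rather than a path or SNI problem.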
