getting "bad request" from moloch viewer
258 views
Skip to first unread message
Russell Fulton
Feb 10, 2015, 10:30:48 PM2/10/15
to moloc...@googlegroups.com
Hi
My first attempt to poke at the viewer with a browser returned “bad request” after logging in.
the viewer/OUT:
connect.multipart() will be removed in connect 3.0
visit https://github.com/senchalabs/connect/wiki/Connect-3.0 for alternatives
connect.limit() will be removed in connect 3.0
Express server listening on port 8005 in production mode
Wed, 11 Feb 2015 02:51:02 GMT - ESC[1mGETESC[0m ESC[33m/ESC[0m - bytes 6 ms
Wed, 11 Feb 2015 02:51:19 GMT - ESC[1mGETESC[0m ESC[33m/ESC[0m - bytes 2 ms
Those look like ansi terminal control codes in the input stream?? or is it some attempt at formatting the log record?
I turned off TLS and ran tcpdump and the browser sent:
0x0030: 9058 54b6 4745 5420 2f20 4854 5450 2f31 .XT.GET./.HTTP/1
which looks fine to me.
R
My first attempt to poke at the viewer with a browser returned “bad request” after logging in.
the viewer/OUT:
connect.multipart() will be removed in connect 3.0
visit https://github.com/senchalabs/connect/wiki/Connect-3.0 for alternatives
connect.limit() will be removed in connect 3.0
Express server listening on port 8005 in production mode
Wed, 11 Feb 2015 02:51:02 GMT - ESC[1mGETESC[0m ESC[33m/ESC[0m - bytes 6 ms
Wed, 11 Feb 2015 02:51:19 GMT - ESC[1mGETESC[0m ESC[33m/ESC[0m - bytes 2 ms
Those look like ansi terminal control codes in the input stream?? or is it some attempt at formatting the log record?
I turned off TLS and ran tcpdump and the browser sent:
0x0030: 9058 54b6 4745 5420 2f20 4854 5450 2f31 .XT.GET./.HTTP/1
which looks fine to me.
R
Andy
Feb 11, 2015, 8:38:01 AM2/11/15
to moloc...@googlegroups.com
* Yes node puts bold and colors in the logs, less -r will display them
* The response would be more interesting for debugging, or try curl -i
r.fu...@auckland.ac.nz
Feb 11, 2015, 4:51:57 PM2/11/15
to moloc...@googlegroups.com
On Thursday, February 12, 2015 at 2:38:01 AM UTC+13, Andy wrote:
* Yes node puts bold and colors in the logs, less -r will display them* The response would be more interesting for debugging, or try curl -i
The response was simply "Bad Request". No headers or anything else. It must have come from web server rather than the app.
I have now established that if I remove the user auth (comment out the PasswordSecret) then things work as expected.
Is there a way to get viewer to log more? I am unfamiliar with node.
BTW my apologies for my other RTFM posts! I had looked at the help before but must have been very caffeine deprived at the time. Doh!
Andy
Feb 11, 2015, 6:17:00 PM2/11/15
to moloc...@googlegroups.com
curl -i htp://localhost:8005 should return at least some kind of status code and headers.
Anyway, if passwordSecret is the issue I would guess you haven't added any users using the addUser script. easybutton should have added admin:admin unless you changed the password.
node addUser.js -c .config.ini admin "Admin" admin -admin
Andy
Feb 11, 2015, 9:18:41 PM2/11/15
to moloc...@googlegroups.com
There isn't anything for the viewer to print, it never outputs Bad Request.
Did you change anything in the ini file? Did you set webBasePath? If so are you using it in the request?
Can you gist your config?
On Wed, Feb 11, 2015 at 9:08 PM, Russell Fulton wrote:
> On 12/02/2015, at 12:17 pm, Andy wrote:
>
> curl -i htp://localhost:8005 should return at least some kind of status code and headers.
curl -i hangs without returning anything. Ah! that might be the authentication breaking it.
>
> Anyway, if passwordSecret is the issue I would guess you haven't added any users using the addUser script. easybutton should have added admin:admin unless you changed the password.
The auth is configured and working. I get the pop up from the browser put in the creds and then I get a non HTML response “Bad Request”.
I will keep poking at it until I figure out what is going on. Frustrating not being able to get more diagnostic out of the viewer.
Russell
r.fu...@auckland.ac.nz
Feb 23, 2015, 8:36:53 PM2/23/15
to moloc...@googlegroups.com
Finally got back to this.
On Thursday, February 12, 2015 at 3:18:41 PM UTC+13, Andy wrote:
There isn't anything for the viewer to print, it never outputs Bad Request.
Did you change anything in the ini file? Did you set webBasePath? If so are you using it in the request?
Ah! here is the issue. I had misunderstood what this was for and thought is was like document root so I set it to /var/www/moloch. Putting it back to / fixes it.
I also established that the Bad Request is part of a 400 message.
What is a little odd is that it happens only when one has set up users. If you comment out the password and restart the viewer it works.
I am still not clear what the parameter actually does.
Andy
Feb 23, 2015, 9:14:28 PM2/23/15
to moloc...@googlegroups.com
webBasePath is the prefix of all urls that needs to be stripped out. You use it if you want the url to be http://molochmachine/web/base/path instead of just http://molochmachine/
Bad Request is coming from the third party auth checker I think, it only happens when you have users set up since auth is only checked then. The auth checker can't tell you whats wrong since digest mode is a hash of a bunch of stuff.
Reply all
Reply to author
Forward
0 new messages