Connection Refused Error in Jenkins Only


Charles Williams

Mar 25, 2022, 9:07:45 AM
to OWASP ZAP User Group
Hi ZAP Team,

I've been testing with ZAP via the Automation Framework and have gotten successful runs in both my local testing and Docker, and I have moved into testing in Jenkins. My Jenkinsfile essentially builds the app I'm testing against (which is in another Docker container), then sets up ZAP:

sh 'docker pull owasp/zap2docker-stable:latest'
sh 'docker run -v $(pwd):/zap/wrk/:rw --network=host --rm -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/owasp_zap_required_files/Automation_Plan.yaml'


Following these exact commands locally has given me the desired results; however, I'm getting a 'Connection Refused' error when I run the exact same commands in Jenkins:

ConnectionError at /oidc/callback/ HTTPConnectionPool(host='host.docker.internal', port=8080): Max retries exceeded with url: <URL> (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fdaa7d070b8>: Failed to establish a new connection: [Errno 111] Connection refused',))

Right now I'm going through to try and diagnose if this is a ZAP problem or a problem with my app setup. I've gone through the Diagnosing Docker Problems page, and so far it all looks good - I ran curl against the link:

sh 'docker run -t owasp/zap2docker-stable curl http://host.docker.internal:8080/<URL>'

And got a non-'Connection refused' response, so I believe that the link is reachable. I've also tried following the steps provided for reading the ZAP log, but while I can connect to the image and check the log locally, I get a 'the input device is not a TTY' error when I try to run the command in Jenkins after pulling the latest version of ZAP:

sh 'docker run -i -t owasp/zap2docker-stable bash'

As for further troubleshooting, most of the potential pitfalls I'm finding seem like they don't apply in my case, since the ZAP scan works perfectly fine when I run locally. I believe this covers any cases that may apply since my app is running in another Docker container, but this appears to be covered by my '--network=host' flag, and especially since I get normal performance from running locally.

I've also gone and compared my /etc/hosts and /etc/resolv.conf files between my local machine and the Jenkins build as it runs, and I've made sure that host.docker.internal should be accessible from all images:

sh 'docker run --add-host host.docker.internal:127.0.0.1 -v $(pwd):/zap/wrk/:rw --network=host --rm -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/owasp_zap_required_files/Automation_Plan.yaml'

But this gave me the same error as before. Are there any other steps I could/should be taking to figure out the potential source of this error, or have my findings so far shown that the error isn't with ZAP and rather my app configuration?

Thank you!

Charles Williams

Mar 25, 2022, 9:13:21 AM
to OWASP ZAP User Group
A closer look on my end is showing that I'm able to access other host.docker.internal links just fine, but it is sending a POST request to this specific link that appears to be giving me trouble. This is making me lean closer to thinking this is a problem with my app config, but I believe it's still worthwhile to ask just in case I'm missing something.

Thank you!

Charles Williams

Mar 25, 2022, 9:31:32 AM
to OWASP ZAP User Group
Sorry, one last detail I should mention - this is an error that is arising while ZAP is trying to authenticate before a Spider, using Script-based Authentication:

09:10:38 Job spider started
09:10:38 Job spider requesting URL http://localhost:8000
09:10:40 2022.02.25_13:10:39 authent: Sending GET request to http://localhost:8000
09:10:40 2022.02.25_13:10:39 authent: Received response status code: 302
09:10:40 2022.02.25_13:10:40 authent: Redirecting to: http://localhost:8000/<authentication_link>
09:10:40 2022.02.25_13:10:40 authent: Sending GET request to http://localhost:8000/<authentication_link>
09:10:40 2022.02.25_13:10:40 authent: Received response status code: 302
09:10:40 2022.02.25_13:10:40 authent: Redirecting to: http://host.docker.internal:8080/<login_link>
09:10:40 2022.02.25_13:10:40 authent: Sending GET request to http://host.docker.internal:8080/<login_link>
09:10:41 2022.02.25_13:10:41 authent: Received response status code: 200
09:10:42 2022.02.25_13:10:41 authent: Sending POST request to http://host.docker.internal:8080/<login_authentication> with body: username=<USERNAME>&password=<PASSWORD>%21&credentialId=

I then get the error after this request.
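An added diagnostic, written for this thread and not part of the original posts or of ZAP itself. It reproduces the two checks the poster relied on (can the container resolve and open a TCP connection to the hop in question, and what does the target answer to a single request without following redirects) and adds one more: it inspects the response body for the failure text quoted in the first message. That text, "HTTPConnectionPool(host=..., port=...): Max retries exceeded ... [Errno 111] Connection refused", is the form a Python requests/urllib3 client reports, so when it arrives inside a page served by the application under test, the refused connection was attempted by the application toward host.docker.internal:8080, not by the scanner. Assumptions, labelled in the code: python3 is available wherever the script runs (the zap2docker images ship one, but check); the sample body is constructed from the thread's message with its <URL> placeholder kept; the hosts and ports are the ones the thread names.

```python
# Added diagnostic for the thread above; not code from the original post or from ZAP.
# Assumes python3 is available where it runs (e.g. inside the zap2docker container).
import html
import re
import socket
import http.client
from urllib.parse import urlsplit

# Shape of the error a Python requests/urllib3 client raises on a refused connection.
# Seen inside an HTTP *response body*, it means the server that produced the page
# is the one that failed to connect to host:port, not the client that requested it.
UPSTREAM_RE = re.compile(
    r"HTTPConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)"
    r".*?\[Errno (?P<errno>\d+)\]",
    re.S,
)

# Constructed sample: the error body quoted in the thread, HTML-escaped the way an
# error page renders it (quotes as &#x27;, angle brackets as &lt;/&gt;); <URL> kept.
SAMPLE_ERROR_BODY = (
    "ConnectionError at /oidc/callback/ HTTPConnectionPool(host=&#x27;host.docker.internal&#x27;, "
    "port=8080): Max retries exceeded with url: &lt;URL&gt; (Caused by NewConnectionError("
    "&#x27;&lt;urllib3.connection.HTTPConnection object at 0x7fdaa7d070b8&gt;: "
    "Failed to establish a new connection: [Errno 111] Connection refused&#x27;,))"
)


def classify_body(body: str):
    """Return {hop, host, port, errno} if the body embeds an application-side
    requests/urllib3 connection failure, else None. Entities are unescaped first."""
    m = UPSTREAM_RE.search(html.unescape(body))
    if not m:
        return None
    return {"hop": "application", "host": m["host"], "port": int(m["port"]), "errno": int(m["errno"])}


def tcp_probe(host: str, port: int, timeout: float = 3.0):
    """Resolve host, then try one TCP connect per returned address.
    Returns ("open" | "refused" | "unresolved" | "error", detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return ("unresolved", str(e))
    result = ("error", "no addresses")
    for family, stype, proto, _, addr in infos:
        with socket.socket(family, stype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return ("open", addr[0])
            except ConnectionRefusedError:
                result = ("refused", addr[0])
            except OSError as e:  # timeout, network unreachable, ...
                result = ("error", "%s: %s" % (addr[0], e))
    return result


def http_probe(url: str, method: str = "GET", body=None, timeout: float = 5.0):
    """Send one request without following redirects.
    Returns (status, Location header, classification of the body)."""
    u = urlsplit(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body is not None else {}
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        text = resp.read().decode("utf-8", "replace")
        return (resp.status, resp.getheader("Location"), classify_body(text))
    except OSError as e:  # our own side could not connect: the scanner-side hop failed
        return (None, None, {"hop": "scanner", "host": u.hostname, "port": u.port or 80, "error": str(e)})
    finally:
        conn.close()


def local_listener():
    """Listening socket on an ephemeral loopback port (used for offline self-checks)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def closed_local_port():
    """A loopback port with nothing listening, so a connect to it is refused."""
    s, port = local_listener()
    s.close()
    return port


if __name__ == "__main__":
    # The two hops named in the thread: the app and the server it redirects to.
    for host, port in (("localhost", 8000), ("host.docker.internal", 8080)):
        print(host, port, tcp_probe(host, port))
    print(http_probe("http://localhost:8000/"))
```

Copy the script into the mounted work directory and run it from the same image and network mode as the scan, but without `-t`: `docker run --rm --network=host -v $(pwd):/zap/wrk/:rw owasp/zap2docker-stable python3 /zap/wrk/probe.py` (the file name is an assumption). Jenkins provides no terminal on stdin, which is why `-t` produces "the input device is not a TTY" there. To check the step that fails in the thread, call `http_probe(login_url, "POST", "username=...&password=...")` with the real URL and credentials and look at the third element of the result: `"hop": "scanner"` means the container could not reach host.docker.internal:8080 at all, while an HTTP status with `"hop": "application"` means the request got through and the application itself was refused on its onward connection.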