try other agent addresses on 5XX error response #19497
Conversation
src/Agent.php
Outdated
| @@ -722,6 +723,10 @@ public function requestAgent($endpoint): Response | |||
| self::$found_address = $address; | |||
| break; | |||
| } catch (\GuzzleHttp\Exception\RequestException $exception) { | |||
There was a problem hiding this comment.
What kind of error should prevent trying to other addresses here?
If the response status is a 4xx, does it means our request is wrong, or does it means that we reached an unexpected application that does not understand our request?
Same question for 5xx statuses.
Then remains the ConnectException. This one, for sure, means that the tested address is not reachable, and we have to try with other addresses.
There was a problem hiding this comment.
What kind of error should prevent trying to other addresses here?
IMHO, we can try next address on any failure.
|
IMHO, I don't understand why initially we should stop on the first error. Unless an error is effectively telling the agent is definitively not reachable, even on other ips, but how to be sure when we are not still sure we even have all or goods ips ^^ |
It seems that it was your own proposal, see #13812. Is there something in the response headers/content that can be used to be sure that an agent was reached? |
|
Lol, 2 years ago. Reading again my previous PR description, I think I would like to make the function returns earlier only when agent really tells that access is forbidden, i.e when it returns a 403 error code with a "Access denied" text. So I understand better this PR purpose. Here is an example curl request with verbose option: My guess so is we can not break on 5XX error response and try others. |
|
Would it be possible to return If this is possible, then we could stop trying requests when are sure that the response is returned by a GLPI Agent. |
|
Probably, but If you want to check a header, check for |
| // many addresses will be incorrect | ||
| } catch (\GuzzleHttp\Exception\ClientException $exception) { | ||
| // If a 4XX error seems to be coming from an agent, we can stop trying. For every other exception, we can try other addresses | ||
| if (str_contains($exception->getResponse()->getHeaderLine('Server'), 'libwww-perl-daemon')) { |
There was a problem hiding this comment.
Can you better check if "Server" header contains "libwww-perl-daemon" OR "glpi-agent" ?
Just to anticipate future versions of glpi-agent which won't use perl.
There was a problem hiding this comment.
While reading some documentation about the Server header, I figured out that we should probably remove it from the response, to not expose too many information about the server itself. Indeed, it may help attackers to identify vulnerable servers. Also, I guess some security proxies are removing these headers. Relying on this header is probably a bad idea.
| // If a 4XX error seems to be coming from an agent, we can stop trying. For every other exception, we can try other addresses | ||
| if (str_contains($exception->getResponse()->getHeaderLine('Server'), 'libwww-perl-daemon')) { |
There was a problem hiding this comment.
The initial purpose was to handle 405 responses. IMHO, we should only handle this specific case.
@g-bougard Do you agree ?
| // If a 4XX error seems to be coming from an agent, we can stop trying. For every other exception, we can try other addresses | |
| if (str_contains($exception->getResponse()->getHeaderLine('Server'), 'libwww-perl-daemon')) { | |
| // If a "405 Not allowed" error is returned by an agent expected address, we can stop trying. For every other exception, we can try other addresses. | |
| if ($exception->getResponse()->getStatusCode() === 405) { | |
| // "405 Not allowed" status is returned when agent don't trust server |
There was a problem hiding this comment.
A 405 doesn't seem like the right status code if the agent doesn't trust the server. This implies that the untrusted server could make the same request to the agent using a different method (GET, POST, etc) and the agent is expected to send an Allow header in the response indicating the allowed methods.
A 403 error is what should be used and seems like the only case where we know to stop trying to contact the agent at this time.
| // If a 4XX error seems to be coming from an agent, we can stop trying. For every other exception, we can try other addresses | ||
| if (str_contains($exception->getResponse()->getHeaderLine('Server'), 'libwww-perl-daemon')) { | ||
| break; | ||
| } | ||
| } |
There was a problem hiding this comment.
We should prevent connection/request/server exceptions to stop the execution.
| } | |
| } catch (\GuzzleHttp\Exception\TransferException $exception) { | |
| // Many addresses will be incorrect. Catch the exception and try other addresses. | |
| } |
| // many addresses will be incorrect | ||
| } catch (\GuzzleHttp\Exception\ClientException $exception) { | ||
| // If a 4XX error seems to be coming from an agent, we can stop trying. For every other exception, we can try other addresses | ||
| if (str_contains($exception->getResponse()->getHeaderLine('Server'), 'libwww-perl-daemon')) { |
There was a problem hiding this comment.
While reading some documentation about the Server header, I figured out that we should probably remove it from the response, to not expose too many information about the server itself. Indeed, it may help attackers to identify vulnerable servers. Also, I guess some security proxies are removing these headers. Relying on this header is probably a bad idea.
Checklist before requesting a review
Description
Fixes #19479
I have no way to test, but I guess if GLPI gets a 500 level error with one agent address, it should still try the other ones.