I have 5 pfSense devices: one at my home office, and two set up in pairs at
my data center and main office respectively. The data center pair is running
stock pfSense on beefy hardware; the others are all Netgate units running
Netgate pfSense.

Since the most recent update added CSRF checking, I updated my config file
backup script according to
https://doc.pfsense.org/index.php/Remote_Config_Backup (using cURL rather
than wget) and this works just great for all but the home office unit. I'm
running my script that calls curl from my Mac desktop at the main office.
All access is over VPN connections (or the local LAN) to private IP
addresses.

On my home office unit, the second HTTP GET returns an error page saying
the CSRF token was incorrect. The others return the dashboard page (which
is the expected result after submitting a login). Because it fails at that
step, the final fetch of the actual config file fails as well.

I've spent all morning trying to figure out what's different with this
unit's configuration and I just cannot see it. I concentrated on the
general config and advanced config screens.

There are two major visible differences in the initial HTTP GET:

First, the CSRF token looks different. On the working units, it looks like
this:

csrfMagicToken =
"sid:a25852be7ba6a2a00b9eeab807389bf3b65ad28b,1460041532;ip:46ff0619e5d874ac44652f9eb04813c13621faf8,1460041532"

On the failing unit it looks like this:

csrfMagicToken = "sid:1d1800a1f646e0f14788b8b1a0bc0aff6fdbbc2a,1460041531"

Secondly, the PHPSESSID cookie on the failing unit is not set as "HTTPS"
only, whereas on the other units it is.

Any ideas would be appreciated. I'm running pfSense 2.2.6.

Here's my testing script which just fetches from one working and the
failing unit.

--cut here--
#!/bin/sh

readonly PFDATE=$(date +%Y%m%d%H%M%S)
readonly VKFW="vkfirewall.example.com"
readonly ASHBURNFWA="rockville-fw-a.example.com"
readonly USBCFGDIR="/tmp"


FWPASS="xxxxxx"

pfsense_config()
{
    local FWNAME FWURL CSRF CSRF2 COOKIEFILE
    FWNAME="$1"
    FWURL="https://${FWNAME}"
    COOKIEFILE=$(mktemp -t cookies)

    printf 'Downloading Firewall Config for %s\n' "$FWNAME"

    # Step 1: fetch the login page. -c stores the PHPSESSID cookie in the jar
    # and the saved page carries the first csrf-magic token.
    # (-k skips certificate verification for the self-signed web GUI cert.)
    curl -k -L -c "${COOKIEFILE}" -o "$USBCFGDIR/$FWNAME-1.html" "${FWURL}/"
#    CSRF=$(curl -k -c ${COOKIEFILE} ${FWURL}/ | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/')
    CSRF=$(grep "name='__csrf_magic'" "$USBCFGDIR/$FWNAME-1.html" | sed 's/.*value="\(.*\)".*/\1/')
    echo c=$CSRF
    # Step 2: log in. -b sends the cookie from step 1 back, so the "sid:" part
    # of the token is checked against the same PHP session that issued it;
    # with -c alone the server starts a fresh session and a sid-only token
    # cannot match. -c keeps the jar updated with whatever the login sets.
    curl -k -L -b "${COOKIEFILE}" -c "${COOKIEFILE}" -d "login=Login&usernamefld=admin&passwordfld=$FWPASS&__csrf_magic=${CSRF}" -o "$USBCFGDIR/$FWNAME-2.html" "${FWURL}/diag_backup.php"
#    CSRF2=$(curl -k -c ${COOKIEFILE} -d "login=Login&usernamefld=admin&passwordfld=$FWPASS&__csrf_magic=${CSRF}" ${FWURL}/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/')
    CSRF2=$(grep "name='__csrf_magic'" "$USBCFGDIR/$FWNAME-2.html" | sed 's/.*value="\(.*\)".*/\1/')
    echo c2=$CSRF2
    # Step 3: request the config download with the second token, again
    # sending the session cookie.
    curl -k -b "${COOKIEFILE}" -d "Submit=download&donotbackuprrd=checked&__csrf_magic=${CSRF2}" -o "$USBCFGDIR/config-$FWNAME-$PFDATE.xml" "${FWURL}/diag_backup.php"
    cat "${COOKIEFILE}"
    rm -f "${COOKIEFILE}"
}

printf "Downloading Firewall Configuration\n\n"

pfsense_config "$VKFW"

printf "\n############################################################\n"

pfsense_config "$ASHBURNFWA"
--cut here--
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
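The same GET / login POST / download POST sequence against diag_backup.php, written so that the cookie jar is both sent and updated on every request (the "sid:" token is only valid inside the session that issued it), the token is URL-encoded rather than pasted into the body, and the downloaded file is checked to be a config and not an HTML error page before it is trusted as a backup. This is an added example, not the poster's script or a pfSense tool; the host name, password and CA bundle path are placeholders, the form field names come from the script above and the linked remote-backup doc, and the doc's `donotbackuprrd=yes` is used in place of the script's `checked`. Certificate verification is left on (a CA bundle can be passed instead of using `-k`).

```shell
#!/bin/sh
# Added example, not the poster's script: GET / login POST / download POST
# against diag_backup.php, with the cookie jar both sent (-b) and updated (-c)
# on every request, the csrf-magic token URL-encoded, and the result checked.
# Assumed: host name, admin password and CA bundle path are placeholders; the
# form field names follow the script above and the pfSense remote-backup doc.

# Pull the csrf-magic token out of a saved page. Handles both token shapes
# seen on the page: "sid:<hash>,<ts>" and "sid:<hash>,<ts>;ip:<hash>,<ts>".
extract_csrf_token() {
    # $1 = path to saved HTML
    sed -n "s/.*name='__csrf_magic' value=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# A download that is really an HTML page (login form, CSRF error) must not be
# kept as a backup. Succeeds only for something that looks like a pfSense config.
is_pfsense_config() {
    # $1 = path to downloaded file
    grep -q '<pfsense>' "$1" && ! grep -qi '<html' "$1"
}

# Fetch one firewall's config. $1 = host, $2 = admin password, $3 = output
# file, $4 = CA bundle for the firewall's certificate (optional; without it
# curl's default CA store is used; there is no -k here).
pfsense_backup() {
    host="$1"; pass="$2"; out="$3"; cacert="${4:-}"
    url="https://$host/diag_backup.php"
    jar=$(mktemp "${TMPDIR:-/tmp}/cookies.XXXXXX") || return 1
    page=$(mktemp "${TMPDIR:-/tmp}/page.XXXXXX") || return 1
    tls=""
    if [ -n "$cacert" ]; then tls="--cacert $cacert"; fi   # path without spaces

    # 1. GET: starts the PHP session (cookie into $jar) and yields token 1.
    curl -sS -L $tls -b "$jar" -c "$jar" -o "$page" "$url" || return 1
    t1=$(extract_csrf_token "$page")
    [ -n "$t1" ] || { echo "$host: no CSRF token on login page" >&2; return 1; }

    # 2. POST login with token 1 and the same session cookie; yields token 2.
    curl -sS -L $tls -b "$jar" -c "$jar" -o "$page" \
        --data-urlencode "login=Login" \
        --data-urlencode "usernamefld=admin" \
        --data-urlencode "passwordfld=$pass" \
        --data-urlencode "__csrf_magic=$t1" \
        "$url" || return 1
    t2=$(extract_csrf_token "$page")
    [ -n "$t2" ] || { echo "$host: login returned no token (CSRF failure or bad credentials)" >&2; return 1; }

    # 3. POST the download request with token 2 and the session cookie.
    curl -sS $tls -b "$jar" -c "$jar" -o "$out" \
        --data-urlencode "Submit=download" \
        --data-urlencode "donotbackuprrd=yes" \
        --data-urlencode "__csrf_magic=$t2" \
        "$url" || return 1
    rm -f "$jar" "$page"

    # Keep a failed download on disk for inspection, but report it as a failure.
    is_pfsense_config "$out" || { echo "$host: $out is not a pfSense config" >&2; return 1; }
}

# Usage (placeholder host, password variable and CA path):
#   pfsense_backup vkfirewall.example.com "$FWPASS" \
#       "/tmp/config-vkfw-$(date +%Y%m%d%H%M%S).xml" /etc/ssl/pfsense-ca.pem
```

Run it once per firewall and check the exit status; a unit whose login step rejects the token now fails at step 2 with a message instead of silently writing an HTML page into the .xml file.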