Consul services not working 403 forbidden

robinmedland · August 12, 2019, 9:43am

Problem 1
On my server i have a function that does a “wget whatsmyip.com” and this is working just fine. Now i need to be using consul. So I registered a consul service called “myip”. When i do a “wget myip” I see that my server is connecting to the right ip adress and port but i get a 403 forbidden request.

This is my service

"ID": "myip",
"Name": "myip",
"Address": "whatsmyip.com",
"Port": 7586

This is the response

[lil ~]$ wget myip
–2019-08-12 07:52:08-- http://myip/
Resolving myip (myip)… 104.31.83.52, 104.31.82.52, 104.31.83.52, …
Connecting to myip (myip)|104.31.83.52|:80… connected.
HTTP request sent, awaiting response… 403 Forbidden
2019-08-12 07:52:08 ERROR 403: Forbidden.

The problem is that i also cant wget on the ip-address solo. wget 104.31.83.52 is not working. Is there a way to let consul use hostname instead of ip address?

mkeeler · August 12, 2019, 1:24pm

The problem seems to be on the server side of whatsmyip.com.

This is without a host header:

mkeeler-mbp:~ mkeeler$ curl -I http://104.31.83.52/
HTTP/1.1 403 Forbidden
Date: Mon, 12 Aug 2019 13:21:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: __cfduid=dbab9fa1960eae8d68e938b36656345971565616065; expires=Tue, 11-Aug-20 13:21:05 GMT; path=/; domain=.104.31.83.52; HttpOnly
Cache-Control: max-age=15
Expires: Mon, 12 Aug 2019 13:21:20 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare
CF-RAY: 5052c0178a16cf40-IAD

This one is with a host header:

mkeeler-mbp:~ mkeeler$ curl -I -H 'Host: whatsmyip.com' http://104.31.83.52/
HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Aug 2019 13:21:06 GMT
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 12 Aug 2019 14:21:06 GMT
Location: https://whatsmyip.com/
Server: cloudflare
CF-RAY: 5052c021392fe0b2-IAD

Basically the server wants to ensure that the Host is whatsmyip.com and if it isn’t its configured to get a 403. So the problem is that wget/curl would by default set the Host to whatever the DNS name was that you gave it. So in your case it would set Host to myip. This is then rejected by the whatsmyip servers. To get around this just override the tools behavior and force the Host header to be whatsmyip.com.