HTTP plugin code 400 on connection to Citrix ADC

[SpiderD555]

Relevant telegraf.conf

[[inputs.http]]
  urls = [
        "https://netscaler/nitro/v1/stat/lbvserver"
        ]
  method = "GET"

  cookie_auth_url = "https://netscaler/nitro/v1/config/login"
  cookie_auth_method = "POST"
  cookie_auth_headers = { Content-Type = "application/json"}
  cookie_auth_body = '{"login":{"username": "username", "password":"password"}}'
  ## cookie_auth_renewal not set or set to "0" will auth once and never renew the cookie
  cookie_auth_renewal = "1h"
  data_format = "json_v2"

  insecure_skip_verify = true

Logs from Telegraf

E! [telegraf] Error running agent: could not initialize input inputs.http: cookie auth renewal received status code: 400 (Bad Request)

System info

Telegraf 1.22.4 (also tried 1.24.0~e945364b), Redhat 8.6

Docker

No response

Steps to reproduce

1. Configure HTTP plugin as shown in example
2. Configure Citrix ADC with basic credentials
3. Start Telegraf
4. Telegraf stops with error

Expected behavior

I expect Telegraf HTTP plugin will connect to Citrix ADC and initiate the session, so I can draw stats using API calls

Moreover Telegraf stops on that error code 400, which in my humble opinion may be a bad design choice since it may crash otherwise a perfectly fine running Telegraf instance. Telegraf should just ignore the error and maybe retry later instead of stopping entirely. Imagine a situation where we have 1 HTTP endpoint and 99 SNMP devices. When we poll a device with HTTP plugin and it replies with non-200 code (because of some internal error), then whole Telegraf instance crashes and stops gathering statistics for those 99 perfectly working devices.

Actual behavior

E! [telegraf] Error running agent: could not initialize input inputs.http: cookie auth renewal received status code: 400 (Bad Request)

Additional info

When I use curl then it all works:

Establishing new session
curl -ik https://netscaler/nitro/v1/config/login -X POST -H 'Content-Type: application/json' -d '{ "login" :{"username": "username", "password": "password"}}'
HTTP/1.1 201 Created
Date: Fri, 08 Jul 2022 06:56:16 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: SESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=%23%23465611085B10AEECBC084499AA564FABA40BACAE435A343F2E40A96A12191918377A434FE2959F11C56076F0E08DDA840EFF0A9968DA9BAA0CA70555A6D168D5155CEBBAB02F9101FBED406B01164D0E617790FE785EF572F90C11FBDFE84FA7437466B824ECA2BC9652FB39FFCAF3DEF23B3AD421A53C32A8D52F75B874; path=/nitro/v1
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 328
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "sessionid": "##465611085B10AEECBC084499AA564FABA40BACAE435A343F2E40A96A12191918377A434FE2959F11C56076F0E08DDA840EFF0A9968DA9BAA0CA70555A6D168D5155CEBBAB02F9101FBED406B01164D0E617790FE785EF572F90C11FBDFE84FA7437466B824ECA2BC9652FB39FFCAF3DEF23B3AD421A53C32A8D52F75B874" }

Getting example statistics
curl -ik https://netscaler/nitro/v1/stat/lbvserver -H 'Content-Type: application/json' --cookie "sessionid=%23%23465611085B10AEECBC084499AA564FABA40BACAE435A343F2E40A96A12191918377A434FE2959F11C56076F0E08DDA840EFF0A9968DA9BAA0CA70555A6D168D5155CEBBAB02F9101FBED406B01164D0E617790FE785EF572F90C11FBDFE84FA7437466B824ECA2BC9652FB39FFCAF3DEF23B3AD421A53C32A8D52F75B874; path=/nitro/v1"
HTTP/1.1 200 OK
Date: Fri, 08 Jul 2022 06:57:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 1640
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "lbvserver": [ { "name": "lb-test-ssl", "avgcltttlb": "0", "cltresponsetimeapdex": 1.000000, "vsvrsurgecount": "0", "establishedconn": "0", "inactsvcs": "0", "vslbhealth": "0", "primaryipaddress": "169.254.1.1", "primaryport": 443, "type": "SSL", "state": "DOWN", "actsvcs": "0", "cpuusagepm": "0", "tothits": "0", "hitsrate": 0, "totalrequests": "0", "requestsrate": 0, "totalresponses": "0", "responsesrate": 0, "totalrequestbytes": "0", "requestbytesrate": 0, "totalresponsebytes": "0", "responsebytesrate": 0, "totalh2requests": "0", "h2requestsrate": 0, "totalh2responses": "0", "h2responsesrate": 0, "totalpktsrecvd": "0", "pktsrecvdrate": 0, "totalpktssent": "0", "pktssentrate": 0, "curclntconnections": "0", "cursrvrconnections": "0", "curpersistencesessions": "0", "curbackuppersistencesessions": "0", "surgecount": "0", "svcsurgecount": "0", "sothreshold": "0", "totspillovers": "0", "labelledconn": "0", "pushlabel": "0", "deferredreq": "0", "deferredreqrate": 0, "invalidrequestresponse": "0", "invalidrequestresponsedropped": "0", "totvserverdownbackuphits": "0", "curmptcpsessions": "0", "cursubflowconn": "0", "totalconnreassemblyqueue75": "0", "totalconnreassemblyqueueflush": "0", "totalsvrbusyerr": "0", "svrbusyerrrate": 0, "reqretrycount": "0", "reqretrycountexceeded": "0", "httpmaxhdrszpkts": "0", "httpmaxhdrfldlenpkts": "0", "tcpmaxooopkts": "0", "totcltttlbtransactions": "0", "cltttlbtransactionsrate": 0, "toleratingttlbtransactions": "0", "toleratingttlbtransactionsrate": 0, "frustratingttlbtransactions": "0", "frustratingttlbtransactionsrate": 0 } ] }

At first I thought that maybe Telegraf just won't accept code 201 as per #11134
so I tested new build #11472
but it still fails

[powersj]

Hi,

curl -ik https://netscaler/nitro/v1/config/login -X POST -H 'Content-Type: application/json' -d '{ "login" :{"username": "username", "password": "password"}}'
HTTP/1.1 201 Created

It does look like the system you are connecting to returns a 201, which will eventually require the fix in #11472. However, Telegraf is not getting that far and instead getting a 400 per your telegraf log. The Citrix ADC docs say the reason is in the body, so let's try to find out why.

I have put up #11482, which should have some artifacts attached shortly. Can you give that a try and see what the body says?

[SpiderD555]

Hi,

Same story with latest build (with more debug information this time):

Jul 11 08:59:54 localhost telegraf[2894337]: 2022-07-11T06:59:54Z E! [telegraf] Error running agent: could not initialize input inputs.http: cookie auth renewal received status code: 400 (Bad Request) - <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
Jul 11 08:59:54 localhost telegraf[2894337]: <html><head>
Jul 11 08:59:54 localhost telegraf[2894337]: <title>400 Bad Request</title>
Jul 11 08:59:54 localhost telegraf[2894337]: </head><body>
Jul 11 08:59:54 localhost telegraf[2894337]: <h1>Bad Request</h1>
Jul 11 08:59:54 localhost telegraf[2894337]: <p>Your browser sent a request that this server could not understand.<br />
Jul 11 08:59:54 localhost telegraf[2894337]: </p>
Jul 11 08:59:54 localhost telegraf[2894337]: </body></html>
Jul 11 08:59:54 localhost telegraf[2894337]: {"errorcode":-1,"message":"Invalid payload format. Default format is json","severity":"ERROR"}

Because of "Invalid payload format. Default format is json" I think we may need to see exactly what Telegraf is sending to Citrix ADC, to get to the root cause of the problem.

[powersj]

Thanks for trying that out!

We saw something similar in #11083 and learned that some devices are expected the content length and did not like a request formed by Go's NopCloser. Given this is for a request to generate a cookie, the request will not be huge, and there is no need to use the NopCloser.

I have pushed an update to the PR that will change the body to use a io.Reader over an io.ReadCloser and also print out some debug information before doing the request.

Can you give that update a shot once new artifacts are attached?

[SpiderD555]

I am not sure which artifact you are referring to. I tried this one: #11482

Anyway the result is following: Telegraf is not stopping, but I also don't see any data from the Citrix device in my InfluxDB instance (however I do get data from few test SNMP probes).
The only log I see is only this:

https://netscaler/nitro/v1/config/login
POST
map[Content-Type:[application/json]]

So far I didn't see any other connection attempts to Citrix in logs, so I assume that it authenticates successfully, but it is not sending any proper API calls to draw data.

Now the situation is getting a bit more interesting when I set cookie_auth_renewal = "5m"

I am getting inital session authentication, then Telegraf tries to renew the session with old session cookie (which I suppose it shouldn't as per the log):

Jul 12 12:03:27 localhost telegraf[2974996]: 2022-07-12T10:03:27Z D! [agent] Initializing plugins
Jul 12 12:03:27 localhost telegraf[2974996]: https://netscaler/nitro/v1/config/login
Jul 12 12:03:27 localhost telegraf[2974996]: POST
Jul 12 12:03:27 localhost telegraf[2974996]: map[Content-Type:[application/json]]

Jul 12 12:08:27 localhost telegraf[2974996]: https://netscaler/nitro/v1/config/login
Jul 12 12:08:27 localhost telegraf[2974996]: POST
Jul 12 12:08:27 localhost telegraf[2974996]: map[Content-Type:[application/json] Cookie:[sessionid=%23%238543669E93EC9727F77E001DCF46FF973974DCBD31F174C64A6DC
F2302E28B28E86C6B5B9867FD642CA6C2856D138218E78151433B843E4DF51D4BE87C5662B9B79495237AE13ECD4B6D8CF12553552D37AAD71F59BF3312878E8FB88E650928DADA7322F5DFE4BACC88713E0F5A29ADA1B52DD7D8386
E61F5FD2FE3A41D]]
Jul 12 12:08:27 localhost telegraf[2974996]: 2022-07-12T10:08:27Z E! [inputs.http] renewal failed for "https://netscaler/nitro/v1/c
onfig/login": cookie auth renewal received status code: 401 (Unauthorized) - { "errorcode": 354, "message": "Invalid username or password", "severity": "ERROR" }

Jul 12 12:13:27 localhost telegraf[2974996]: https://netscaler/nitro/v1/config/login
Jul 12 12:13:27 localhost telegraf[2974996]: POST
Jul 12 12:13:27 localhost telegraf[2974996]: map[Content-Type:[application/json] Cookie:[sessionid=%23%238543669E93EC9727F77E001DCF46FF973974DCBD31F174C64A6DC
F2302E28B28E86C6B5B9867FD642CA6C2856D138218E78151433B843E4DF51D4BE87C5662B9B79495237AE13ECD4B6D8CF12553552D37AAD71F59BF3312878E8FB88E650928DADA7322F5DFE4BACC88713E0F5A29ADA1B52DD7D8386
E61F5FD2FE3A41D]]
Jul 12 12:13:27 localhost telegraf[2974996]: 2022-07-12T10:13:27Z E! [inputs.http] renewal failed for "https://netscaler/nitro/v1/c
onfig/login": cookie auth renewal received status code: 401 (Unauthorized) - { "errorcode": 354, "message": "Invalid username or password", "severity": "ERROR" }

[powersj]

So far I didn't see any other connection attempts to Citrix in logs, so I assume that it authenticates successfully, but it is not sending any proper API calls to draw data.

It sounds like progress and indeed sounds like the Cirtix server was possibly expecting the content length similar to #11083.

I am getting inital session authentication, then Telegraf tries to renew the session with old session cookie (which I suppose it shouldn't as per the log):

Can you demonstrate a renewal with curl 1) with the cookie in the headers and 2) without the cookie in the headers, please? The 401 makes it pretty clear that the user credentials are wrong on renewal, so it seems unable to get a new cookie which is why the old cookie is used.

[SpiderD555]

Let me demonstrate 2)

curl -ik https://netscaler/nitro/v1/config/login -X POST -H 'Content-Type: application/json' -d '{ "login" :{"username": "username", "password": "password"}}'
HTTP/1.1 201 Created
Date: Wed, 13 Jul 2022 06:07:51 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: SESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=%23%238F90C1B1BEE9369035623B2BFD6448F32C7F2EC3FDCFF3D81C5847DB174ADEA8EA277F4D6AC7695E37C829C5E0BA0675E81BD15DCC4C226CE3A4EAD38F64B40E4CD5C2623775D0A4070EEDA0434DB0657BAD7AED4933D57AC75B6790EF946F0F1FBE1A1D0C35F7E406D1C5FADD5242585B6163DC8E039EE19166F27F68A3; path=/nitro/v1
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 328
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "sessionid": "##8F90C1B1BEE9369035623B2BFD6448F32C7F2EC3FDCFF3D81C5847DB174ADEA8EA277F4D6AC7695E37C829C5E0BA0675E81BD15DCC4C226CE3A4EAD38F64B40E4CD5C2623775D0A4070EEDA0434DB0657BAD7AED4933D57AC75B6790EF946F0F1FBE1A1D0C35F7E406D1C5FADD5242585B6163DC8E039EE19166F27F68A3" }

=============================================

curl -ik https://netscaler/nitro/v1/stat/lbvserver -H 'Content-Type: application/json' --cookie "sessionid=%23%238F90C1B1BEE9369035623B2BFD6448F32C7F2EC3FDCFF3D81C5847DB174ADEA8EA277F4D6AC7695E37C829C5E0BA0675E81BD15DCC4C226CE3A4EAD38F64B40E4CD5C2623775D0A4070EEDA0434DB0657BAD7AED4933D57AC75B6790EF946F0F1FBE1A1D0C35F7E406D1C5FADD5242585B6163DC8E039EE19166F27F68A3; path=/nitro/v1"
HTTP/1.1 200 OK
Date: Wed, 13 Jul 2022 06:08:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 1640
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "lbvserver": [ { "name": "lb-test-ssl", "avgcltttlb": "0", "cltresponsetimeapdex": 1.000000, "vsvrsurgecount": "0", "establishedconn": "0", "inactsvcs": "0", "vslbhealth": "0", "primaryipaddress": "169.254.1.1", "primaryport": 443, "type": "SSL", "state": "DOWN", "actsvcs": "0", "cpuusagepm": "0", "tothits": "0", "hitsrate": 0, "totalrequests": "0", "requestsrate": 0, "totalresponses": "0", "responsesrate": 0, "totalrequestbytes": "0", "requestbytesrate": 0, "totalresponsebytes": "0", "responsebytesrate": 0, "totalh2requests": "0", "h2requestsrate": 0, "totalh2responses": "0", "h2responsesrate": 0, "totalpktsrecvd": "0", "pktsrecvdrate": 0, "totalpktssent": "0", "pktssentrate": 0, "curclntconnections": "0", "cursrvrconnections": "0", "curpersistencesessions": "0", "curbackuppersistencesessions": "0", "surgecount": "0", "svcsurgecount": "0", "sothreshold": "0", "totspillovers": "0", "labelledconn": "0", "pushlabel": "0", "deferredreq": "0", "deferredreqrate": 0, "invalidrequestresponse": "0", "invalidrequestresponsedropped": "0", "totvserverdownbackuphits": "0", "curmptcpsessions": "0", "cursubflowconn": "0", "totalconnreassemblyqueue75": "0", "totalconnreassemblyqueueflush": "0", "totalsvrbusyerr": "0", "svrbusyerrrate": 0, "reqretrycount": "0", "reqretrycountexceeded": "0", "httpmaxhdrszpkts": "0", "httpmaxhdrfldlenpkts": "0", "tcpmaxooopkts": "0", "totcltttlbtransactions": "0", "cltttlbtransactionsrate": 0, "toleratingttlbtransactions": "0", "toleratingttlbtransactionsrate": 0, "frustratingttlbtransactions": "0", "frustratingttlbtransactionsrate": 0 } ] }

=============================================

curl -ik https://netscaler/nitro/v1/config/login -X POST -H 'Content-Type: application/json' -d '{ "login" :{"username": "username", "password": "password"}}'
HTTP/1.1 201 Created
Date: Wed, 13 Jul 2022 06:09:37 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: SESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=%23%2368BD0AF9A3A9134600B0C207E7EBED684541F64FF85884273CF676CB9D411DF693B4F1420EB77BE061F1D655C2486E025A05E26D14A513D1FBD6641D218F42EA9B8FB05619A2AD2715DD0A6AC95CCA11D44BD7B1A082095F84629C295542431A4DA9BC902A5762E60849037EEDD2EE4C9C0D05B8D600B9040822D6BEA804; path=/nitro/v1
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 328
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "sessionid": "##68BD0AF9A3A9134600B0C207E7EBED684541F64FF85884273CF676CB9D411DF693B4F1420EB77BE061F1D655C2486E025A05E26D14A513D1FBD6641D218F42EA9B8FB05619A2AD2715DD0A6AC95CCA11D44BD7B1A082095F84629C295542431A4DA9BC902A5762E60849037EEDD2EE4C9C0D05B8D600B9040822D6BEA804" }

=============================================

curl -ik https://netscaler/nitro/v1/stat/lbvserver -H 'Content-Type: application/json' --cookie "sessionid=%23%2368BD0AF9A3A9134600B0C207E7EBED684541F64FF85884273CF676CB9D411DF693B4F1420EB77BE061F1D655C2486E025A05E26D14A513D1FBD6641D218F42EA9B8FB05619A2AD2715DD0A6AC95CCA11D44BD7B1A082095F84629C295542431A4DA9BC902A5762E60849037EEDD2EE4C9C0D05B8D600B9040822D6BEA804; path=/nitro/v1"
HTTP/1.1 200 OK
Date: Wed, 13 Jul 2022 06:10:41 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
Referrer-Policy: no-referrer
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Length: 1640
Content-Type: application/json; charset=utf-8

{ "errorcode": 0, "message": "Done", "severity": "NONE", "lbvserver": [ { "name": "lb-test-ssl", "avgcltttlb": "0", "cltresponsetimeapdex": 1.000000, "vsvrsurgecount": "0", "establishedconn": "0", "inactsvcs": "0", "vslbhealth": "0", "primaryipaddress": "169.254.1.1", "primaryport": 443, "type": "SSL", "state": "DOWN", "actsvcs": "0", "cpuusagepm": "0", "tothits": "0", "hitsrate": 0, "totalrequests": "0", "requestsrate": 0, "totalresponses": "0", "responsesrate": 0, "totalrequestbytes": "0", "requestbytesrate": 0, "totalresponsebytes": "0", "responsebytesrate": 0, "totalh2requests": "0", "h2requestsrate": 0, "totalh2responses": "0", "h2responsesrate": 0, "totalpktsrecvd": "0", "pktsrecvdrate": 0, "totalpktssent": "0", "pktssentrate": 0, "curclntconnections": "0", "cursrvrconnections": "0", "curpersistencesessions": "0", "curbackuppersistencesessions": "0", "surgecount": "0", "svcsurgecount": "0", "sothreshold": "0", "totspillovers": "0", "labelledconn": "0", "pushlabel": "0", "deferredreq": "0", "deferredreqrate": 0, "invalidrequestresponse": "0", "invalidrequestresponsedropped": "0", "totvserverdownbackuphits": "0", "curmptcpsessions": "0", "cursubflowconn": "0", "totalconnreassemblyqueue75": "0", "totalconnreassemblyqueueflush": "0", "totalsvrbusyerr": "0", "svrbusyerrrate": 0, "reqretrycount": "0", "reqretrycountexceeded": "0", "httpmaxhdrszpkts": "0", "httpmaxhdrfldlenpkts": "0", "tcpmaxooopkts": "0", "totcltttlbtransactions": "0", "cltttlbtransactionsrate": 0, "toleratingttlbtransactions": "0", "toleratingttlbtransactionsrate": 0, "frustratingttlbtransactions": "0", "frustratingttlbtransactionsrate": 0 } ] }

I think there is no such process to go with 1) method. Citrix ADC API documentation says you can logout/terminate a session using a cookie, but to initiate new session it is required to send login and password without previous session cookie. Old session will just time-out on Citrix ADC at some point of time. In the example above Curl does use a cookie to initiate a session SESSID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ but according to my knowledge setting cookie expiration date in the past is like saying it is expired/not for use.
Therefore each new session should be initiated from scratch in my humble opinion.