AutoConfigBackup on 2.3.1



  • Hello,

    we had upgraded our pfsense to 2.3 and since this upgrade we can't pull backup-files (https://doc.pfsense.org/index.php/Remote_Config_Backup).
    I get the cookie- and csrf-token-information. But then when I try to download the xml-File I get a 403: Forbidden Error:

    /usr/bin/wget –keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data 'Submit=download&donotbackuprrd=yes' http://<ip>/diag_backup.php -O /opt/pfsense-backup/data/config-date +%Y%m%d.xml
    --2016-05-09 13:25:54--  http://<ip>/diag_backup.php
    Verbindungsaufbau zu <ip>:80... verbunden.
    HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
    2016-05-09 13:25:54 FEHLER 403: Forbidden.

    Before the update it worked.

    Our pfsense:
    Version 2.3-RELEASE (amd64)
    built on Mon Apr 11 18:10:34 CDT 2016
    FreeBSD 10.3-RELEASE
    (Intel(R) Atom(TM) CPU C2358 @ 1.74GHz )

    AutoConfigBackup: Version 1.45

    What can I do to work it again? Thanks.</ip></ip></ip>


  • Rebel Alliance Developer Netgate

    Check your script against the code on the wiki again and make sure it matches exactly. It was updated a few weeks ago so compare the code closely. The code on the wiki works, I've tested it quite a bit.



  • Thanks for the reply.

    The script matches exactly the code on the wiki. I can't see any differences:

    /usr/bin/wget -qO- –keep-session-cookies --save-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate http://<ip>/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > /opt/pfsense-backup/CSRF/csrf.txt

    Result: sid:f838ce72843ae08c4d9cb5a848e64beb0d4ae95a,1463559798;ip:236eda74838f1ea71c0b5d43efd038dab2ab3e62,1463559798

    /usr/bin/wget -qO- --keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt  --save-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=<password>&__csrf_magic=$(cat /opt/pfsense-backup/CSRF/csrf.txt)" http://<ip>/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > /opt/pfsense-backup/CSRF/csrf2.txt

    Result: 4 Lines with: sid:f222de889f9384e93cf8fb4f0529d5f2fc60b29a,1463559815

    /usr/bin/wget --keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data 'Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 /opt/pfsense-backup/CSRF/csrf2.txt)' http://<ip>/diag_backup.php -O /opt/pfsense-backup/data/<name>pfsense/config<ip>-date +%Y%m%d.xml

    Result: --2016-05-18 10:24:14--  http://<ip>/diag_backup.php
    Verbindungsaufbau zu <ip>:80... verbunden.
    HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
    2016-05-18 10:24:14 FEHLER 403: Forbidden.

    On other pfsenses with Version 2.2.6 I can download the backup with this script. Only on pfsense with Version 2.3_1 I get this Error.</ip></ip></ip></name></ip></ip></password></ip>


  • Rebel Alliance Developer Netgate

    That does look OK, but the same exact code works here, so perhaps it's something specific to the config on that system.

    Can the 'admin' account actually access the diag_backup.php URL if you attempt to load that same URL in a web browser?



  • Yes, the admin account can access the URL in a browser.


Log in to reply