
Topic: webGUI based backup

Offline alan.johnson

webGUI based backup
« on: April 19, 2016, 08:51:58 am »
I have used wget to back up the config.xml file for a handful of pfSense boxes connected via VPN.  A recent upgrade to 2.3 has caused those backups to fail.

wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.0.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=012503&__csrf_magic=$(cat csrf.txt)" https://192.168.0.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" https://192.168.0.1/diag_backup.php -O config-router-corp-`date +%Y%m%d%H%M%S`.xml

Putting these in manually gives me this error on the last command.

--2016-04-19 09:33:59--  https://192.168.0.1/diag_backup.php
Connecting to 192.168.0.1:443... connected.
WARNING: The certificate of 192.168.0.1 is not trusted.
WARNING: The certificate of 192.168.0.1 hasn't got a known issuer.
The certificate's owner does not match hostname 192.168.0.1
HTTP request sent, awaiting response... 403 Forbidden
2016-04-19 09:33:59 ERROR 403: Forbidden.


I understand that the GUI has switched to nginx.  Does anyone have an updated method for grabbing the config remotely?

Thanks
Alan


 

Offline jimp

Re: webGUI based backup
« Reply #1 on: April 19, 2016, 02:17:02 pm »
This set of commands (from https://doc.pfsense.org/index.php/Remote_Config_Backup) works for me against a 2.3 box.

Code:
# wget -qO- --keep-session-cookies --save-cookies cookies.txt --no-check-certificate https://192.168.1.1/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
# wget -qO- --keep-session-cookies --load-cookies cookies.txt --save-cookies cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=pfsense&__csrf_magic=$(cat csrf.txt)" https://192.168.1.1/diag_backup.php  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt
# wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://192.168.1.1/diag_backup.php -O config-router-`date +%Y%m%d%H%M%S`.xml
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline alan.johnson

Re: webGUI based backup
« Reply #2 on: April 19, 2016, 03:16:09 pm »
Thank you!

Offline jimp

Re: webGUI based backup
« Reply #3 on: April 19, 2016, 03:32:37 pm »
The main difference seems to be that yours has "$(cat csrf2.txt)" and mine has "$(head -n 1 csrf2.txt)". That second run can have multiple CSRF tokens in the HTML, so it's best to only take one, or it can fail.

Offline Vorkbaard

Re: webGUI based backup
« Reply #4 on: November 28, 2017, 02:18:08 am »
Trying to get this to work on 2.4.2 but all I'm getting (using jimp's lines, adapted with my own credentials and addresses) is the php page again: it downloads the download php page. It creates the cookies and csrf files but no backup xml file.

Doesn't matter which user I use (admin or dedicated backup user). Fiddled around with the password (for testing now only using a simple word with no fancy characters). Wget doesn't generate any errors (because from its point of view everything is ok).

Any suggestions?
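
Added example, not part of any post in this thread and not from the pfSense documentation: two shell helpers for the failure modes discussed above, one that takes a single `__csrf_magic` token when the HTML carries several, and one that rejects a download that is an HTML page rather than a config.xml. The helper names and sample data are constructed; the field layout is assumed to match the grep/sed patterns used in the thread, and the check relies on config.xml's `<pfsense>` root element.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the thread.

# Constructed stand-in for the page returned after login: two forms,
# each carrying its own __csrf_magic hidden field.
sample_html() {
    cat <<'EOF'
<html><body>
<form method="post"><input type='hidden' name='__csrf_magic' value="sid:aaaa1111,1461073919" />
</form>
<form method="post"><input type='hidden' name='__csrf_magic' value="sid:bbbb2222,1461073919" />
</form>
</body></html>
EOF
}

# Print exactly one token from HTML on stdin (empty output if none).
# grep -o isolates each field, so several fields on one line are also
# handled; head -n 1 keeps the first, as in the working command.
extract_csrf_token() {
    grep -o "name='__csrf_magic' value=\"[^\"]*\"" \
        | head -n 1 \
        | sed 's/.*value="\([^"]*\)"/\1/'
}

# Return 0 only if FILE is non-empty and opens with the <pfsense> root
# element of a config.xml; an HTML page saved under an .xml name fails.
looks_like_config_xml() {
    [ -s "$1" ] || return 1
    head -n 5 "$1" | grep -q '<pfsense>'
}

# Demo on the constructed data.
token=$(sample_html | extract_csrf_token)
echo "token used in POST: $token"

tmp=$(mktemp)
sample_html > "$tmp"          # what a rejected download leaves on disk
if looks_like_config_xml "$tmp"; then
    echo "backup OK"
else
    echo "not a config backup: server returned a page instead" >&2
fi
rm -f "$tmp"
```

Running `looks_like_config_xml` on each downloaded file lets a scheduled backup job fail loudly when wget exits successfully but saved a page instead of the configuration.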