[
https://issues.apache.org/jira/browse/WICKET-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161480#comment-16161480
]
Maxim Solodovnik commented on WICKET-6466:
------------------------------------------
I believe this question should go to some nginx support forum.
You set up nginx as a proxy, but it seems to me additional configuration is
required.
Maybe an additional rewrite rule; you should enable very detailed nginx logs and
check what is wrong.
> CSRF Prevention Configurations
> ------------------------------
>
> Key: WICKET-6466
> URL: https://issues.apache.org/jira/browse/WICKET-6466
> Project: Wicket
> Issue Type: Improvement
> Reporter: Darshit Patoliya
>
> Hi,
> I have used openmeeting in my application and am running it on the http protocol
> behind an nginx proxy, while my application is running on the https protocol.
> When I try to open the openmeeting login page, it raises a 400 error for the
> following requests.
> {panel:title=Browser Network Tab}
> https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
> https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
> https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.0-&_=1504614984218&
> {panel}
> The following error is logged in red5.log:
> {panel:title=red5.log}
> 2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO
> o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request
> URL:
> http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage,
> Origin: https://xxx.com, action: aborted with error 400 Origin does not
> correspond to request
> {panel}
> As per my limited knowledge and checking into the code of wicket, I think it
> is raised because of a protocol mismatch between origin and request.
> Are there any configurations available in wicket to handle this scenario?
> FYI: These are my nginx settings for openmeeting, in case I have missed something.
> {code:java}
> location /om/ {
>     proxy_set_header X-Forwarded-Host $host;
>     proxy_set_header Host $host;
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_pass_header X-CSRFToken;
>     proxy_pass http://127.0.0.1:5080/om/;
>     proxy_redirect default;
> }
> location /om/public/ {
>     alias /opt/om330/webapps/om/public/;
> }
> location /om/css/ {
>     alias /opt/om330/webapps/om/css/;
> }
> location /om/images/ {
>     alias /opt/om330/webapps/om/images/;
> }
> location /om/js/ {
>     alias /opt/om330/webapps/om/js/;
> }
> {code}
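An added triage example, not part of the JIRA thread and not Wicket's own code: it parses the red5.log line quoted above and reports which origin components differ between the request URL the backend saw and the browser's Origin header. It assumes the check compares scheme, host and port, as the reporter suspects; the function names are hypothetical, and the `X-Forwarded-Proto` handling is an assumption about how a backend could learn the client-facing scheme (the nginx settings above do not send that header).

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Matches the "Possible CSRF attack" message format shown in the red5.log excerpt.
LOG_RE = re.compile(
    r"Possible CSRF attack, request URL:\s*(?P<url>\S+?),\s*"
    r"Origin:\s*(?P<origin>\S+?),\s*action:"
)

def origin_tuple(url):
    """Reduce a URL to the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def diagnose(log_line):
    """List the origin components that differ, or None if the line is not a CSRF abort."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None
    req, org = origin_tuple(m["url"]), origin_tuple(m["origin"])
    return [n for n, a, b in zip(("scheme", "host", "port"), req, org) if a != b]

def effective_request_origin(backend_url, forwarded_proto=None):
    """Request origin as the client saw it, if the backend honours a scheme supplied
    by the proxy (assumption: only the TLS-terminating proxy can set that value)."""
    scheme, host, port = origin_tuple(backend_url)
    if forwarded_proto in DEFAULT_PORTS:
        if port == DEFAULT_PORTS[scheme]:      # default port follows the scheme
            port = DEFAULT_PORTS[forwarded_proto]
        scheme = forwarded_proto
    return scheme, host, port

# The log entry from the report, with its wrapped lines joined into one.
SAMPLE = (
    "2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO "
    "o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: "
    "http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, "
    "Origin: https://xxx.com, action: aborted with error 400 Origin does not correspond to request"
)

if __name__ == "__main__":
    print("differs in:", diagnose(SAMPLE))
    print("with forwarded scheme:", effective_request_origin("http://xxx.com/om/", "https"))
```

For the logged request the host matches and only the scheme (and with it the default port) differs, which points at the TLS-terminating proxy rather than at a cross-site request.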