Dear Maxim,

As requested, moving this thread to user@ list. Would you be kind enough to give a detailed working configuration (proxy and rewrite rules) to enable 'CSRF+WebSockets' from your demo server?

We have tried several options in configuration, but CSRF blocks the service.

Thank you.

Sincerely,
Hemant K. Sabat
Coscend Communications Solutions
www.Coscend.com
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly...
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html

-----Original Message-----
From: Maxim Solodovnik [mailto:[email protected]]
Sent: Tuesday, July 25, 2017 12:08 AM
To: dev <[email protected]>; [email protected]
Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Hello Hemant,

CSRF works as expected on demo servers.
I believe you need to set up Rewrite rules in addition to proxy rules.
This should do the trick :)

On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <[email protected]> wrote:
> Dear OpenMeetings Developers,
>
> Congratulations on beefing up Web content security of OpenMeetings in
> 3.3.0, including XSS, CSRF and requests via security headers!
>
> Your guidance in a reverse proxy scenario would be appreciated.
>
> In a reverse proxy use case, the origin site request is changed by the
> proxy server. That is, the IP and port of the product's server is
> replaced with the proxy server's IP and port number. This will be
> perceived incorrectly as a CSRF attack. Hence, it will be blocked by
>
> Application.java @ 151
> ------------------------------
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     .
> }); @ 172
>
> Would you provide us guidance on how to find a solution?
> (1) Temporary workaround: How to disable CSRF feature so as to be able to
> access via proxy? (Removing lines 152-172 will give Java
> IllegalArgumentException.)
> (2) Long-term: Have CSRF and access through proxy server
>
> Thank you.
>
> Sincerely,
> Hemant K. Sabat
> Coscend Communications Solutions
> www.Coscend.com

--
WBR
Maxim aka solomax
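The "proxy rules plus rewrite rules" setup Maxim refers to, as an added example that is not the demo server's configuration: an Apache httpd 2.4 reverse proxy in front of OpenMeetings that forwards WebSocket upgrades separately from ordinary HTTP. The CSRF-relevant directive is ProxyPreserveHost, because Wicket's CsrfPreventionRequestCycleListener compares the browser's Origin header with the host the backend believes it is serving, so the backend must see the proxy's public host name rather than its own. Assumed: OpenMeetings listens on localhost:5080, the public name is om.example.com (a placeholder), and mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers are loaded.

```apache
# Added example, not the OpenMeetings project's or the demo server's config.
# Assumptions: backend OpenMeetings on localhost:5080; public name om.example.com
# (placeholder); mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and
# mod_headers are enabled.
<VirtualHost *:443>
    ServerName om.example.com
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted (site specific)

    # Forward-proxy behaviour must stay off; this is a reverse proxy only.
    ProxyRequests Off

    # Pass the browser's Host header through unchanged. Without this the
    # backend sees Host: localhost:5080 while the browser sent
    # Origin: https://om.example.com, and the CSRF listener rejects the
    # request as cross-origin. With it, Origin and target host match.
    ProxyPreserveHost On

    # Tell the backend which scheme the browser used, so that URLs it
    # generates (and a scheme-aware origin comparison) say https, not http.
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket upgrade requests have to be proxied as ws://, not http://.
    # The rewrite runs before the ProxyPass rules below and takes precedence
    # for upgrade requests only.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://localhost:5080/$1 [P,L]

    # Everything else is plain HTTP reverse proxying.
    ProxyPass        / http://localhost:5080/
    ProxyPassReverse / http://localhost:5080/
</VirtualHost>
```

If the proxy terminates TLS and the backend still treats the request as plain http, an Origin of https://om.example.com will not match http://om.example.com, so the servlet container must be configured to honor X-Forwarded-Proto (or the backend must be reached over https) for the CSRF check to pass.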
