Dear Maxim and OpenMeetings Community,

Just following up to see if anyone can provide us sample lines of a working 
configuration of reverse proxy and rewrite rules to access OM 3.3.0 through a 
proxy server.  Relevant "CSRF+security headers+WebSockets" configuration of 
Apache HTTPD or NGINX or any other Web server load balancer will help.  We will 
modify it to suit our load balancer.


We have added several of the following options, but OM is being blocked by CSRF 
security header.

We have added the following header options to the proxy:
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

----------------------
Error Log details
----------------------
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible 
CSRF attack, request URL: 
http://<IP:Port>/OpenMeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=8DD832BCCD2E87CA0AD618EBE6719340,
 Origin: https://<FQDN.com>, action: aborted with error 400 Origin does not 
correspond to request

Thank you.

Sincerely,

Hemant K. Sabat
 
Coscend Communications Solutions
www.Coscend.com 
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, 
Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages 
from Coscend Communications Solutions' posted at: 
http://www.Coscend.com/Terms_and_Conditions.html 
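One shape such a front-end configuration can take for Apache HTTPD, added here as an illustration; it is not the demo server's configuration and not part of the OpenMeetings project. FQDN.com, BACKEND_HOST, BACKEND_PORT and the /OpenMeetings WebSocket path are placeholders and assumptions, and the modules named in the comments must be loaded.

```apache
# Added example, not the OpenMeetings project's own configuration.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite, mod_headers.
<VirtualHost *:443>
    ServerName FQDN.com
    SSLEngine on
    # certificate directives go here

    # Pass the browser's Host header through unchanged, so the backend builds its
    # request URL from https://FQDN.com, the same value the browser sends in Origin,
    # instead of from the proxy's BACKEND_HOST:BACKEND_PORT target.
    ProxyPreserveHost On
    ProxyRequests Off

    # Tell the backend which scheme and port the client really used.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # WebSocket upgrades are tunnelled via mod_proxy_wstunnel; the path is an assumption.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/OpenMeetings/(.*)$ ws://BACKEND_HOST:BACKEND_PORT/OpenMeetings/$1 [P,L]

    # Plain HTTP traffic is proxied to the application server.
    ProxyPass        /OpenMeetings http://BACKEND_HOST:BACKEND_PORT/OpenMeetings
    ProxyPassReverse /OpenMeetings http://BACKEND_HOST:BACKEND_PORT/OpenMeetings
</VirtualHost>
```

The scheme of the request URL that the CSRF listener compares against Origin comes from the servlet container, not from the proxy: unless the container is configured to trust X-Forwarded-Proto (or the proxy connects to it over HTTPS), the URL stays http://... and the "Origin does not correspond to request" rejection from the error log above persists. The response headers listed earlier in this message (CSP, HSTS and the rest) play no part in that check.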

-----Original Message-----
From: Coscend@OM [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 9:31 AM
To: [email protected]
Subject: RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Dear Maxim,

As requested, moving this thread to user@ list.  Would you be kind enough to 
give a detailed working configuration (proxy and rewrite rules) to enable 
'CSRF+WebSockets' from your demo server?

We have tried several options in configuration, but CSRF blocks the service.

Thank you.

Sincerely,

Hemant K. Sabat
 
-----Original Message-----
From: Maxim Solodovnik [mailto:[email protected]] 
Sent: Tuesday, July 25, 2017 12:08 AM
To: dev <[email protected]>; [email protected]
Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Hello Hemant,

CSRF works as expected on demo servers.

I believe you need to set up Rewrite rules in addition to proxy rules. This 
should do the trick :)

On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <[email protected]>
wrote:

> Dear OpenMeetings Developers,
>
> Congratulations on beefing up Web content security of OpenMeetings in 
> 3.3.0, including XSS, CSRF and requests via security headers!
>
> Your guidance in a reverse proxy scenario would be appreciated.
>
> In a reverse proxy use case, the origin site request is changed by the 
> proxy server.  That is, the IP and port of the product's server are 
> replaced with the proxy server's IP and port number.  This will be 
> perceived incorrectly as a CSRF attack.  Hence, it will be blocked by
>
> Application.java @ 151
>
> ------------------------------
>
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>     .
> }); @ 172
>
> Would you provide us guidance on how to find a solution?
>
> (1)   Temporary workaround:  How to disable the CSRF feature so as to be able
> to access via proxy?  (Removing lines 152-172 will give a Java
> IllegalArgumentException.)
>
> (2)   Long-term:  Have CSRF and access through proxy server
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat



--
WBR
Maxim aka solomax