You need to add mod_rewrite and the rule to rewrite external_protocol_host_port to the internal one and leave the URL tail unchanged.
On Wed, Jul 26, 2017 at 11:26 AM, Coscend@OM <[email protected]> wrote:
> Dear Maxim and OpenMeetings Community,
>
> Just following up to see if anyone can provide us sample lines of a working
> configuration of reverse proxy and rewrite rules to access OM 3.3.0 through a
> proxy server. Relevant "CSRF+security headers+WebSockets" configuration of
> Apache HTTPD or NGINX or any other Web server load balancer will help. We
> will modify it to suit our load balancer.
>
> We have added several of the following options, but OM is being blocked by
> CSRF security header.
>
> We have added the following headers options to proxy:
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
> Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
>
> ----------------------
> Error Log details
> ----------------------
> org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible
> CSRF attack, request URL:
> http://<IP:Port>/OpenMeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=8DD832BCCD2E87CA0AD618EBE6719340,
> Origin: https://<FQDN.com>, action: aborted with error 400 Origin does not
> correspond to request
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com
> ------------------------------------------------------------------
> Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
> Telepresence Services, on the fly…
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages
> from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html
>
> -----Original Message-----
> From: Coscend@OM [mailto:[email protected]]
> Sent: Tuesday, July 25, 2017 9:31 AM
> To: [email protected]
> Subject: RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server
>
> Dear Maxim,
>
> As requested, moving this thread to user@ list. Would you be kind enough to
> give a detailed working configuration (proxy and rewrite rules) to enable
> 'CSRF+WebSockets' from your demo server?
>
> We have tried several options in configuration, but CSRF blocks the service.
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Tuesday, July 25, 2017 12:08 AM
> To: dev <[email protected]>; [email protected]
> Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server
>
> Hello Hemant,
>
> CSRF works as expected on demo servers
>
> I believe you need to set up Rewrite rules in addition to proxy rules. This
> should do the trick :)
>
> On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <[email protected]> wrote:
>> Dear OpenMeetings Developers,
>>
>> Congratulations on beefing up Web content security of OpenMeetings in
>> 3.3.0, including XSS, CSRF and requests via security headers!
>>
>> Your guidance in a reverse proxy scenario would be appreciated.
>>
>> In a reverse proxy use case, the origin site request is changed by the
>> proxy server. That is, the IP and port of the product's server is
>> replaced with the proxy server's IP and port number. This will be
>> perceived incorrectly as a CSRF attack. Hence, it will be blocked by
>>
>> Application.java @ 151
>> ------------------------------
>> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
>>     .
>> }); @ 172
>>
>> Would you provide us guidance on how to find a solution?
>> (1) Temporary workaround: How to disable the CSRF feature so as to be able
>> to access via proxy? (Removing lines 152-172 will give Java
>> IllegalArgumentException.)
>> (2) Long-term: Have CSRF and access through proxy server
>>
>> Thank you.
>>
>> Sincerely,
>>
>> Hemant K. Sabat
>>
>> Coscend Communications Solutions
>> www.Coscend.com
>
> --
> WBR
> Maxim aka solomax

--
WBR
Maxim aka solomax
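One Apache httpd vhost that applies the hint above (proxy rules plus rewrite rules that change only the external protocol/host/port and keep the URL tail), as an added example; it is not a configuration from this thread or from the OpenMeetings project. It assumes OpenMeetings listening on http://127.0.0.1:5080, the placeholder public name om.example.com with TLS terminated at Apache, and mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers loaded.

```apache
# Added example; assumptions: backend at http://127.0.0.1:5080,
# public name om.example.com (placeholder), certificate paths are placeholders.
<VirtualHost *:443>
    ServerName om.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/om.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/om.example.com.key

    # Pass the browser's Host header through unchanged, so the request URL the
    # backend reconstructs names the FQDN (the same value the browser sends as
    # Origin) instead of the internal IP:port seen in the error log.
    ProxyPreserveHost On

    # Tell the backend the external scheme. Without it the backend still builds
    # http:// request URLs and the Origin/request comparison fails on scheme.
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket upgrades: rewrite only protocol/host/port, keep the URL tail ($1).
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:5080/$1 [P,L]

    # Everything else: plain HTTP proxy with the URL tail unchanged.
    ProxyPass        / http://127.0.0.1:5080/
    ProxyPassReverse / http://127.0.0.1:5080/

    # Response hardening headers from the thread. They are set on responses
    # and play no part in the Origin check that produced the 400.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Whether the backend honours X-Forwarded-Proto depends on its servlet container (Tomcat needs RemoteIpValve or proxy-aware connector settings, for example); if it does not, the comparison still fails on scheme even though the host now matches.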
