I'm glad you managed to set everything up :)

On Fri, Jul 28, 2017 at 2:27 AM, Coscend@OM <[email protected]> wrote:
> Dear Maxim,
>
> Thank you for your guidance on the rewrite rule. We have been able to
> overcome the CSRF attack block.
>
> Sincerely,
>
> Hemant K. Sabat
>
> Coscend Communications Solutions
> www.Coscend.com
> ------------------------------------------------------------------
> Real-time, Interactive Video Collaboration, Tele-healthcare,
> Tele-education, Telepresence Services, on the fly…
> ------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html
>
> -----Original Message-----
> From: Maxim Solodovnik [mailto:[email protected]]
> Sent: Wednesday, July 26, 2017 12:40 AM
> To: Openmeetings user-list <[email protected]>; [email protected]
> Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server
>
> you need to add mod_rewrite
> and the rule to rewrite external_protocol_host_port to the internal one and
> leave the URL tail unchanged
>
> On Wed, Jul 26, 2017 at 11:26 AM, Coscend@OM <[email protected]> wrote:
> > Dear Maxim and OpenMeetings Community,
> >
> > Just following up to see if anyone can provide us sample lines of a
> > working configuration of reverse proxy and rewrite rules to access OM 3.3.0
> > through a proxy server. Relevant "CSRF+security headers+WebSockets"
> > configuration of Apache HTTPD or NGINX or any other Web server load
> > balancer will help. We will modify it to suit our load balancer.
> >
> > We have added several of the following options, but OM is being blocked
> > by the CSRF security header.
> >
> > We have added the following header options to the proxy:
> > X-Content-Type-Options: nosniff
> > Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
> > Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
> > X-Frame-Options: DENY
> > X-XSS-Protection: 1; mode=block
> >
> > ----------------------
> > Error Log details
> > ----------------------
> > org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener -
> > Possible CSRF attack, request URL:
> > http://<IP:Port>/OpenMeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=8DD832BCCD2E87CA0AD618EBE6719340,
> > Origin: https://<FQDN.com>, action: aborted with error 400 Origin
> > does not correspond to request
> >
> > Thank you.
> >
> > Sincerely,
> >
> > Hemant K. Sabat
> >
> > Coscend Communications Solutions
> > www.Coscend.com
> >
> > -----Original Message-----
> > From: Coscend@OM [mailto:[email protected]]
> > Sent: Tuesday, July 25, 2017 9:31 AM
> > To: [email protected]
> > Subject: RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server
> >
> > Dear Maxim,
> >
> > As requested, moving this thread to the user@ list. Would you be kind
> > enough to give a detailed working configuration (proxy and rewrite rules)
> > to enable 'CSRF+WebSockets' from your demo server?
> >
> > We have tried several options in configuration, but CSRF blocks the
> > service.
> >
> > Thank you.
> >
> > Sincerely,
> >
> > Hemant K. Sabat
> >
> > Coscend Communications Solutions
> > www.Coscend.com
> >
> > -----Original Message-----
> > From: Maxim Solodovnik [mailto:[email protected]]
> > Sent: Tuesday, July 25, 2017 12:08 AM
> > To: dev <[email protected]>; [email protected]
> > Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server
> >
> > Hello Hemant,
> >
> > CSRF works as expected on demo servers
> >
> > I believe you need to set up Rewrite rules in addition to proxy rules
> > This should do the trick :)
> >
> > On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <[email protected]> wrote:
> >
> >> Dear OpenMeetings Developers,
> >>
> >> Congratulations on beefing up Web content security of OpenMeetings in
> >> 3.3.0, including XSS, CSRF and requests via security headers!
> >>
> >> Your guidance in a reverse proxy scenario would be appreciated.
> >>
> >> In a reverse proxy use case, the origin site request is changed by
> >> the proxy server. That is, the IP and port of the product's server is
> >> replaced with the proxy server's IP and port number. This will be
> >> perceived incorrectly as a CSRF attack. Hence, it will be blocked by
> >>
> >> Application.java @ 151
> >> ------------------------------
> >> getRequestCycleListeners().add(new
> >> CsrfPreventionRequestCycleListener() {
> >>     .
> >> }); @ 172
> >>
> >> Would you provide us guidance on how to find a solution?
> >>
> >> (1) Temporary workaround: How to disable the CSRF feature so as to be
> >> able to access via proxy? (Removing lines 152-172 will give a Java
> >> IllegalArgumentException.)
> >>
> >> (2) Long-term: Have CSRF and access through the proxy server
> >>
> >> Thank you.
> >>
> >> Sincerely,
> >>
> >> Hemant K. Sabat
> >>
> >> Coscend Communications Solutions
> >> www.Coscend.com
> >>
> >
> > --
> > WBR
> > Maxim aka solomax
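The log line Hemant posted shows why the listener fires: the browser sends Origin: https://<FQDN.com>, but the request URL the backend sees starts with http://<IP:Port>, so scheme, host and port all differ. One way to reconcile the two on the proxy, in line with Maxim's hint, is to leave the backend's view of the request URL alone and normalise the headers that carry the browser's origin to that same internal value. The configuration below is an added example written for this thread; it is not a configuration from the thread, from the OpenMeetings demo servers, or from the OpenMeetings project, and it is my reading of the hint rather than the rule Maxim used. The external origin https://om.example.com, the backend 127.0.0.1:5080 and the certificate paths are assumptions; the context path /OpenMeetings is the one that appears in the error log.

```apache
# Added example, not from the thread or the OpenMeetings project.
# Apache httpd 2.4 front end for OpenMeetings. Assumed values: external
# origin https://om.example.com, backend http://127.0.0.1:5080, context
# path /OpenMeetings (the path as it appears in the error log above).
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
# mod_rewrite, mod_headers.
<VirtualHost *:443>
    ServerName om.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/om.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/om.example.com.key

    # ProxyPreserveHost stays Off (the default): the backend keeps seeing
    # http://127.0.0.1:5080 as its request URL, exactly as in the log line.
    # The headers that carry the browser's origin are therefore normalised
    # to that same value. The regex is anchored to the one legitimate
    # external origin: a request carrying Origin: https://attacker.example
    # is passed through untouched and CsrfPreventionRequestCycleListener
    # still rejects it, so the proxy does not weaken the check. Referer is
    # normalised the same way (assumption: the listener consults it when
    # no Origin header is present).
    RequestHeader edit Origin  "^https://om\.example\.com$"      "http://127.0.0.1:5080"
    RequestHeader edit Referer "^https://om\.example\.com(/|$)" "http://127.0.0.1:5080$1"

    # WebSocket upgrades are proxied with the ws:// scheme (mod_proxy_wstunnel),
    # everything else over http://. Only the scheme/host/port changes; the
    # URL tail ($1) is passed through unchanged.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/OpenMeetings/(.*)$ ws://127.0.0.1:5080/OpenMeetings/$1 [P,L]
    RewriteRule ^/OpenMeetings/(.*)$ http://127.0.0.1:5080/OpenMeetings/$1 [P,L]

    # Rewrite Location / Content-Location headers in backend responses back
    # to the external origin.
    ProxyPassReverse /OpenMeetings http://127.0.0.1:5080/OpenMeetings

    # Security headers from the thread, set on every response the proxy
    # returns to the browser.
    Header always set X-Content-Type-Options "nosniff"
    Header always set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
</VirtualHost>
```

Two things to check after applying a configuration like this. First, with the proxy in place, a request whose Origin is not https://om.example.com must still produce the "Origin does not correspond to request" 400 from the listener; if it does not, the edit regex is too loose. Second, the alternative of turning ProxyPreserveHost On and forwarding X-Forwarded-Proto instead only helps if the servlet container is configured to trust that header and report https and the external port in the request URL; otherwise the scheme still differs and the listener keeps aborting.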
