
Apache Openmeetings 5.0.0-M2 CSRF attack when using Nginx as proxypass

I am getting a 400 error on login in OpenMeetings 5.0.0-M2 when I am using nginx.

My nginx configuration is as follows:

server {
    listen 443 ssl;
    ssl on;
    ssl_certificate path_to_certificate;
    ssl_certificate_key path_to_key;

    server_name myservername;

    location /openmeetings/ {
        proxy_pass http://127.0.0.1:5080/openmeetings/;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer 'http://$host/openmeetings/';
        proxy_set_header X-Real-IP $remote_addr;
    }
}

My log file:

CsrfPreventionRequestCycleListener:779 [nio-5080-exec-4]ESC[0;39m - Possible CSRF attack, request URL:
 http://ocean.paramatrix.com/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage, Origin: https://ocean.paramatrix.com, action: aborted
with error 400 Origin does not correspond to request

While this works fine in the Firefox browser, it does not work in the Chrome browser.

Does anyone know what other configuration I need to do? Any help is appreciated.
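To make the log line concrete, here is an added model (not Wicket's or OpenMeetings' code) of the same-origin comparison such a CSRF listener performs; it uses the request URL and Origin quoted in the log above, and the header lookup and the fallback to Referer are assumptions of this model.

```python
from urllib.parse import urlsplit

# Constructed from the log line above: TLS terminates at nginx, so the backend
# sees a plain-http request URL while the browser sent an https Origin.
REQUEST_URL = ("http://ocean.paramatrix.com/openmeetings/wicket/bookmarkable/"
               "org.apache.openmeetings.web.pages.HashPage")
ORIGIN = "https://ocean.paramatrix.com"


def normalize_origin(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def check_origin(request_url, headers):
    """Model of the check: the Origin header (Referer as fallback, an assumption)
    must match scheme, host and port of the URL the backend reconstructed.
    Returns 'ok', 'mismatch', or 'no-origin' when nothing can be compared."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return "no-origin"
    if normalize_origin(source) != normalize_origin(request_url):
        return "mismatch"
    return "ok"


def explain(request_url, headers):
    """Human-readable view of what the two sides of the comparison look like."""
    source = headers.get("Origin") or headers.get("Referer")
    return {
        "request": normalize_origin(request_url),
        "source": normalize_origin(source) if source else None,
        "result": check_origin(request_url, headers),
    }


if __name__ == "__main__":
    # The situation in the log: https Origin against an http request URL.
    print(explain(REQUEST_URL, {"Origin": ORIGIN}))
    # Same request seen with the scheme the browser actually used.
    print(explain(REQUEST_URL.replace("http://", "https://", 1), {"Origin": ORIGIN}))
```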

Try setting the Referer header to HTTPS:

 proxy_set_header Referer 'https://$ho....

OpenMeetings is running with SSL itself on port 5443. You should try this:

proxy_pass http://127.0.0.1:5443/openmeetings/;
