Fresh install of alfresco: CSRF problem

zerros · ‎2 Apr 2020

Hi,

I'm trying to setup an alfresco on docker. All components seems to work. I have followed this compose file:
https://github.com/Alfresco/acs-community-deployment/blob/master/docker-compose/docker-compose.yml

And I used this project to add volumes informations https://github.com/Alfresco/alfresco-docker-installer

In front of this stack, I have setup a haproxy which is listening on HTTPS and serve the certificate. If I try to log in using the public url, I am redirected to an error. In the logs of alfresco-share I can see a CSRF problem:

2020-04-01 22:50:38,427  ERROR [alfresco.web.site] [http-nio-8080-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://xxxxx/share/page/'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://xxxxxx/share/page/' vs server & context: http://xxxx/ (string) or  (regexp)

If I try to log in directly on the tomcat, no problem.

How could I add a HTTPS connector to the share container ? The tomcat on share container is listening on HTTP/8080.
I can't find any configuration for docker over the internet.

My config:

share:
    image: alfresco/alfresco-share:6.2.0
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 1024M
        reservations:
          cpus: '0.5'
          memory: 1024M 
    environment:
      REPO_HOST: "alfresco"
      REPO_PORT: "8080"
      JAVA_OPTS: "
        -Xms896m
        -Xmx896m
        -Dalfresco.host=localhost
        -Dalfresco.port=8080
        -Dalfresco.context=alfresco
        -Dalfresco.protocol=http"
    ports:
      - 8080:8080
    volumes:
      - /data/logs/share:/usr/local/tomcat/logs

Thanks for your help.

narkuss · ‎2 Apr 2020

Check this dockerfile to know how alfresco docker installer deals with share https.

narkuss · ‎2 Apr 2020

Check this dockerfile to know how alfresco docker installer deals with https

angelborroy · ‎2 Apr 2020

You can generate an SSL HTTP Web Proxy with https://github.com/Alfresco/alfresco-docker-installer

Why don't you try that and compare it with your configuration?

Hyland Developer Evangelist

zerros · ‎2 Apr 2020

@angelborroy , no need to generate a new web-proxy on the docker if I already have one with ssl terminaison in a DMZ network.

I'd like to secure all communications betweend networks with SSL, but I can't find anyting how to enable an HTTPS connector on the share module with docker. I have done this manually for my first install (generate a keystore and add a new connector to tomcat). But how should I do this with docker ??

Found how to activate CSRF with docker:

 share:
    image: alfresco/alfresco-share:6.2.0
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 1024M
        reservations:
          cpus: '0.5'
          memory: 1024M 
    environment:
      CSRF_FILTER_REFERER: "https://your.domain.com/.*"
      CSRF_FILTER_ORIGIN: "https://your.domain.com"
      REPO_HOST: "alfresco"
      REPO_PORT: "8080"
      JAVA_OPTS: "
        -Xms896m
        -Xmx896m
        -Dalfresco.host=localhost
        -Dalfresco.port=8080
        -Dalfresco.context=alfresco
        -Dalfresco.protocol=http"
    ports:
      - 8080:8080
    volumes:
      - /data/logs/share:/usr/local/tomcat/logs

Automatically there is a script in te share image that verify one of these two variables exists and do the replacement in the correctfile before starting the share module. I've put the two values car it is not working with juste one filled.