
SSL NGINX reverse proxy configuration and CSRF attack

Question asked by dasddd on May 19, 2015
Latest reply on May 21, 2015 by i2aml8
Hi,

Does anybody have a working configuration for nginx and/or Alfresco using https?

I cannot set up nginx and/or Alfresco without triggering "CSRF attack" errors in the Alfresco logs (cannot log in).

If I set
proxy_set_header Host $host;

the error is:

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://ABC.COM/ (string) or  (regexp)] with root cause

without the proxy_set_header Host $host;

the error is

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://localhost:port/ (string) or  (regexp)] with root cause

I tried
proxy_set_header Host $http_host;
with the same result as the first error.

I tried
proxy_set_header Host $host$uri;

and I get the error:

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://ABC.ABC/share/page/dologin/ (string) or  (regexp)] with root cause


I circumvented the problem by telling NGINX to rewrite the headers in a certain manner:

proxy_set_header Referer http://ABC.COM:XXXX/;
proxy_set_header Origin http://ABC.COM:XXXX/;

I guess I am asking how to tell nginx to write "https://ABC.ABC/share/page" and not "http://ABC.ABC/".

I have:
Alfresco 5.0d
Windows server 2008 R2
Nginx 1.9
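The log lines above show the Share filter comparing the browser's Referer against a "server & context" that the backend rebuilds from the scheme it received the request on and the Host header it was given. The following Python model, added here and not Alfresco's or nginx's own code, reproduces that comparison for the three proxy setups in the question; the port 8080, the attacker.invalid referer and the X-Forwarded-Proto handling are constructed assumptions.

```python
from urllib.parse import urlsplit

# Illustrative model of the "Assert referer" test shown in the log lines
# (not Alfresco's own filter code): the backend rebuilds "scheme://host/" from
# the scheme it received the request on and the Host header it was given, then
# requires the Referer to be on that same origin.

LEGIT_REFERER = "https://ABC.ABC/share/page"      # taken from the log lines
CROSS_SITE_REFERER = "https://attacker.invalid/"   # constructed: a request from another site

def server_and_context(host_header, backend_scheme="http", forwarded_proto=None):
    """Reconstruct 'scheme://host/' as the backend sees it.

    backend_scheme is "http" when TLS terminates at nginx; forwarded_proto is
    only used when the backend is configured to trust an X-Forwarded-Proto header.
    """
    return f"{forwarded_proto or backend_scheme}://{host_header}/"

def referer_check_passes(referer, server_ctx):
    """Same-origin test: scheme and host of the Referer must match server & context."""
    if not referer:
        return False
    r, s = urlsplit(referer), urlsplit(server_ctx)
    return (r.scheme, r.netloc.lower()) == (s.scheme, s.netloc.lower())

def evaluate(host_header, forwarded_proto=None, rewritten_referer=None):
    """Return (legit_passes, cross_site_passes, server_ctx) for one proxy setup.

    rewritten_referer models 'proxy_set_header Referer <fixed value>': the
    backend then never sees the browser's real Referer at all.
    """
    ctx = server_and_context(host_header, forwarded_proto=forwarded_proto)
    def seen(real_referer):
        return rewritten_referer if rewritten_referer else real_referer
    return (referer_check_passes(seen(LEGIT_REFERER), ctx),
            referer_check_passes(seen(CROSS_SITE_REFERER), ctx),
            ctx)

def run_scenarios():
    return {
        # 1. Host forwarded but the https scheme is lost at the TLS hop:
        #    real users are rejected, which is what the log lines show.
        "host_only": evaluate("ABC.ABC"),
        # 2. Host and original scheme forwarded and trusted by the backend:
        #    users pass, a cross-site request still fails.
        "host_and_proto": evaluate("ABC.ABC", forwarded_proto="https"),
        # 3. Referer overwritten at the proxy (the workaround in the question):
        #    every request passes, including the cross-site one, so the check is void.
        "referer_rewritten": evaluate("ABC.COM:8080", rewritten_referer="http://ABC.COM:8080/"),
    }

if __name__ == "__main__":
    for name, (legit, cross, ctx) in run_scenarios().items():
        print(f"{name:18} server&context={ctx:24} legit={legit} cross_site={cross}")
```

Scenario 2 is the one to aim for: keep the browser's real Referer and Origin intact and instead let the backend learn the original scheme and host, so the same-origin test passes for real users while still rejecting cross-site requests.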

