Posted to user@openmeetings.apache.org by "Coscend@OM" <OM...@Coscend.com> on 2017/07/25 14:30:47 UTC

RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Dear Maxim,

As requested, moving this thread to user@ list.  Would you be kind enough to give a detailed working configuration (proxy and rewrite rules) to enable 'CSRF+WebSockets' from your demo server?

We have tried several options in configuration, but CSRF blocks the service.

Thank you.

Sincerely,

Hemant K. Sabat
 
Coscend Communications Solutions
www.Coscend.com 
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education, Telepresence Services, on the fly…
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail Messages from Coscend Communications Solutions' posted at: http://www.Coscend.com/Terms_and_Conditions.html 


-----Original Message-----
From: Maxim Solodovnik [mailto:solomax666@gmail.com] 
Sent: Tuesday, July 25, 2017 12:08 AM
To: dev <de...@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Hello Hemant,

CSRF works as expected on demo servers

I believe you need to set up Rewrite rules in addition to proxy rules. This should do the trick :)

On Tue, Jul 25, 2017 at 11:58 AM, Coscend@OM <OM...@coscend.com> wrote:

> Dear OpenMeetings Developers,
>
> Congratulations on beefing up Web content security of OpenMeetings in
> 3.3.0, including XSS, CSRF and requests via security headers!
>
> Your guidance in a reverse proxy scenario would be appreciated.
>
> In a reverse proxy use case, the origin site request is changed by the
> proxy server.  That is, the IP and port of the product's server are
> replaced with the proxy server's IP and port number.  This will be
> perceived incorrectly as a CSRF attack.  Hence, it will be blocked by
>
> Application.java @ 151
> ------------------------------
> getRequestCycleListeners().add(new CsrfPreventionRequestCycleListener() {
> .
> }); @ 172
>
> Would you provide us guidance on how to find a solution?
>
> (1)   Temporary workaround:  How to disable the CSRF feature so as to be able
> to access via proxy?  (Removing lines 152-172 will give a Java
> IllegalArgumentException.)
>
> (2)   Long-term:  Have CSRF and access through the proxy server
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat
>
> ---
> This email has been checked for viruses by AVG.
> http://www.avg.com
>



--
WBR
Maxim aka solomax


Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Posted by Maxim Solodovnik <so...@gmail.com>.
I'm glad you managed to set everything up :)

On Fri, Jul 28, 2017 at 2:27 AM, Coscend@OM <OM...@coscend.com> wrote:

> Dear Maxim,
>
> Thank you for your guidance to rewrite rule.  We have been able to
> overcome CSRF attack block.
>
> Sincerely,
>
> Hemant K. Sabat
>


-- 
WBR
Maxim aka solomax

RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Maxim,

Thank you for your guidance to rewrite rule.  We have been able to overcome CSRF attack block.

Sincerely,

Hemant K. Sabat
 

-----Original Message-----
From: Maxim Solodovnik [mailto:solomax666@gmail.com] 
Sent: Wednesday, July 26, 2017 12:40 AM
To: Openmeetings user-list <us...@openmeetings.apache.org>; OM.Insights@coscend.com
Subject: Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

You need to add mod_rewrite
and the rule to rewrite external_protocol_host_port to the internal one and leave the URL tail unchanged




--
WBR
Maxim aka solomax


Re: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Posted by Maxim Solodovnik <so...@gmail.com>.
You need to add mod_rewrite
and the rule to rewrite external_protocol_host_port to the internal one
and leave the URL tail unchanged

On Wed, Jul 26, 2017 at 11:26 AM, Coscend@OM <OM...@coscend.com> wrote:
> Dear Maxim and OpenMeetings Community,
>
> Just following up to see if anyone can provide us sample lines of a working configuration of reverse proxy and rewrite rules to access OM 3.3.0 through a proxy server.  Relevant "CSRF+security headers+WebSockets" configuration of Apache HTTPD or NGINX or any other Web server load balancer will help.  We will modify it to suit our load balancer.
>
>
> We have added several of the following options, but OM is being blocked by CSRF security header.
>
> We have added the following headers options to proxy:
>         X-Content-Type-Options:  nosniff
>         Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
>         Strict-Transport-Security:  max-age=31536000; includeSubDomains; preload
>         X-Frame-Options: DENY
>         X-XSS-Protection: 1; mode=block
>
> ----------------------
> Error Log details
> ----------------------
> org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://<IP:Port>/OpenMeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=8DD832BCCD2E87CA0AD618EBE6719340, Origin: https://<FQDN.com>, action: aborted with error 400 Origin does not correspond to request
>
> Thank you.
>
> Sincerely,
>
> Hemant K. Sabat



-- 
WBR
Maxim aka solomax
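The check behind the "Origin does not correspond to request" log line quoted in this thread, modelled in Python as an added illustration (this is not Wicket's or OpenMeetings' code, whose listener is Java): it reduces the browser's Origin header and the request URL to (scheme, host, port), parses a rejection line to show which of the three disagree behind a proxy, and shows that once the proxy's X-Forwarded-Proto/X-Forwarded-Host are honoured (an assumed mechanism, with the URL tail left unchanged) the same-site request passes while a foreign origin is still rejected. The address, host name and session id in the sample log line are constructed placeholders, not values from the page.

```python
"""Model of the Origin-vs-request-URL comparison that produces
'Possible CSRF attack ... Origin does not correspond to request'.

Added illustration only: Wicket's CsrfPreventionRequestCycleListener is Java.
It compares the Origin header sent by the browser with the URL the application
server believes it is serving; behind a reverse proxy Tomcat sees the proxy's
internal scheme, host and port, so a legitimate request looks cross-site.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Shape of the Wicket log line quoted in this thread.
LOG_RE = re.compile(
    r"CsrfPreventionRequestCycleListener - Possible CSRF attack, "
    r"request URL: (?P<url>\S+), Origin: (?P<origin>\S+), action: (?P<action>.+)"
)


def normalize_origin(url):
    """Reduce a URL or Origin value to (scheme, host, port), filling in the
    scheme's default port so https://a and https://a:443 compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_local_origin(origin_header, request_url):
    """True only when Origin and request URL agree on scheme, host and port."""
    return normalize_origin(origin_header) == normalize_origin(request_url)


def diagnose_csrf_log(line):
    """Parse one rejection line and name the components that disagree.
    All three differing (scheme, host, port) is the signature of a proxy that
    rewrote the address; a host-only mismatch with the site's own scheme and
    port is what a genuine cross-site request looks like."""
    m = LOG_RE.search(line)
    if not m:
        return None
    req, org = normalize_origin(m["url"]), normalize_origin(m["origin"])
    mismatch = [n for n, a, b in zip(("scheme", "host", "port"), req, org) if a != b]
    return {"request": m["url"], "origin": m["origin"], "mismatch": mismatch}


def effective_request_url(request_url, headers):
    """Rebuild the externally visible URL from X-Forwarded-Proto/-Host set by
    the proxy, keeping the URL tail (path, ;jsessionid, query) unchanged.
    Assumed mechanism for illustration: an application must trust these
    headers only when they are set by its own proxy, never by the client."""
    parts = urlsplit(request_url)
    scheme = headers.get("X-Forwarded-Proto", parts.scheme)
    netloc = headers.get("X-Forwarded-Host", parts.netloc)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{netloc}{tail}"


# Constructed sample in the shape of the thread's log line; the address, host
# name and session id are placeholders, not values from the page.
SAMPLE_LOG = (
    "org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - "
    "Possible CSRF attack, request URL: http://10.0.0.5:5080/OpenMeetings/wicket/"
    "bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=SESSIONID, "
    "Origin: https://om.example.com, action: aborted with error 400 Origin does "
    "not correspond to request"
)

if __name__ == "__main__":
    report = diagnose_csrf_log(SAMPLE_LOG)
    print("mismatching components:", report["mismatch"])  # scheme, host and port
    forwarded = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "om.example.com"}
    external = effective_request_url(report["request"], forwarded)
    print("same-site after proxy headers:", is_local_origin(report["origin"], external))
    print("foreign origin still rejected:", not is_local_origin("https://other.example", external))
```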

RE: OM 3.3.0: CSRF Solution via Reverse Proxy Server

Posted by "Coscend@OM" <OM...@Coscend.com>.
Dear Maxim and OpenMeetings Community,

Just following up to see if anyone can provide us sample lines of a working configuration of reverse proxy and rewrite rules to access OM 3.3.0 through a proxy server.  Relevant "CSRF+security headers+WebSockets" configuration of Apache HTTPD or NGINX or any other Web server load balancer will help.  We will modify it to suit our load balancer.


We have added several of the following options, but OM is being blocked by CSRF security header.

We have added the following headers options to proxy:
        X-Content-Type-Options: nosniff
        Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        X-Frame-Options: DENY
        X-XSS-Protection: 1; mode=block

----------------------
Error Log details
----------------------
org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://<IP:Port>/OpenMeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage;jsessionid=8DD832BCCD2E87CA0AD618EBE6719340, Origin: https://<FQDN.com>, action: aborted with error 400 Origin does not correspond to request

Thank you.

Sincerely,

Hemant K. Sabat
 
