CODEWITHSUNDEEP
nginxwicketopenmeetings
Diksha
Diksha

Reputation: 474

Apache Openmeetings 5.0.0-M2 CSRF attack when using Nginx as proxypass

I am getting 400 error on login in openmeeting 5.0.0-M2, when I am using nginx.

My nginx configuration is as follows:

server {
listen 443 ssl;
ssl on;
ssl_certificate path_to_certificate;
ssl_certificate_key path_to_key;

server_name myservername;

location /openmeetings/ {
            proxy_pass http://127.0.0.1:5080/openmeetings/;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Referer 'http://$host/openmeetings/';
            proxy_set_header X-Real-IP $remote_addr;
        }

}

My log file:

CsrfPreventionRequestCycleListener:779 [nio-5080-exec-4]ESC[0;39m - Possible CSRF attack, request URL:
 http://ocean.paramatrix.com/openmeetings/wicket/bookmarkable/org.apache.openmee
tings.web.pages.HashPage, Origin: https://ocean.paramatrix.com, action: aborted 
with error 400 Origin does not correspond to request

while this is working fine on firefox browser but not on chrome browser.

Does anyone know, what other configurations I need to do? Any help is appreciated.

Upvotes: 4

Views: 623

Answers (2)

Nagesh Mhapadi
Nagesh Mhapadi

Reputation: 152

Openmeetings is running with ssl itself with 5443 port. you should try this:

proxy_pass http://127.0.0.1:5443/openmeetings/;

Upvotes: 0

martin-g
martin-g

Reputation: 17513

Try by making the Referer header HTTPS:

 proxy_set_header Referer 'https://$ho....

Upvotes: 0

Related Questions