Apache Openmeetings 5.0.0-M2 CSRF attack when using Nginx as proxypass

Question

I am getting 400 error on login in openmeeting 5.0.0-M2, when I am using nginx.

My nginx configuration is as follows:

server {
listen 443 ssl;
ssl on;
ssl_certificate path_to_certificate;
ssl_certificate_key path_to_key;

server_name myservername;

location /openmeetings/ {
            proxy_pass http://127.0.0.1:5080/openmeetings/;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Referer 'http://$host/openmeetings/';
            proxy_set_header X-Real-IP $remote_addr;
        }

}

My log file:

CsrfPreventionRequestCycleListener:779 [nio-5080-exec-4]ESC[0;39m - Possible CSRF attack, request URL:
 http://ocean.paramatrix.com/openmeetings/wicket/bookmarkable/org.apache.openmee
tings.web.pages.HashPage, Origin: https://ocean.paramatrix.com, action: aborted 
with error 400 Origin does not correspond to request

while this is working fine on firefox browser but not on chrome browser.

Does anyone know, what other configurations I need to do? Any help is appreciated.

score 0 · Answer 1 · answered Sep 14 '19 at 04:49

0

Try by making the Referer header HTTPS:

 proxy_set_header Referer 'https://$ho....

answered Sep 14 '19 at 04:49

martin-g

17,243
2
23
35

score 0 · Answer 2 · answered Apr 28 '20 at 15:22

0

Openmeetings is running with ssl itself with 5443 port. you should try this:

proxy_pass http://127.0.0.1:5443/openmeetings/;

answered Apr 28 '20 at 15:22

Nagesh Mhapadi

152
3
14

Apache Openmeetings 5.0.0-M2 CSRF attack when using Nginx as proxypass

2 Answers2