Csrfguard behind a reverse proxy

I successfully installed CsrfGuard in my webapp, but when I tested it on preprod behind a reverse proxy, everything broke. The CsrfGuard JavaScript isValidDomain does not think my domain is valid: the CsrfGuard JavaScriptServlet returns an invalid domain ...

This javascript code:

    if(isValidDomain(document.domain, "myRealDomain")) { … }

isValidDomain is just a method that compares the two strings. The point is that the CsrfGuard JavaScriptServlet returns "myRealDomain", while document.domain in the JavaScript returns "myProxiedDomain": the string comparison fails!

I do not know what to do at this point, and I would be grateful for guidance! I believe some of you have encountered this problem before; reverse proxies seem pretty common.

+7
4 answers

You can configure your proxy to add the headers X-Forwarded-By, X-Forwarded-For and X-Forwarded-Proto.

Your server behind the proxy can then use these headers to restore the original request (as it was made to the proxy).

Thus the CsrfGuard servlet will use the correct domain when generating the script.

The configuration of course differs per proxy / application server, but here is an example for Nginx in combination with Tomcat:

EXAMPLE proxy configuration (Nginx):

    ### proxy headers ###
    proxy_set_header X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

An example for the application server (Tomcat / RemoteIpValve):

    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           internalProxies="trusted-ip-here"
           remoteIpHeader="x-forwarded-for"
           proxiesHeader="x-forwarded-by"
           protocolHeader="x-forwarded-proto" />
+3

We had similar problems with csrfguard and found that our proxy server was passing the Referer URL incorrectly. On top of that we used SSL, which added further problems. We found that once the connection was made, it was done using "domain.tld" instead of "domain.tld:443", which csrfguard expected.

    Referer domain https://localhost/shop/pages/main.jsf does not match request domain: https://localhost:443/shop/JS/csrfguard.js

We fixed this by adding the following to the Apache httpd config:

    Header edit Referer "(^http(s?)://([\w]+\.){1}([\w]+\.?)+)(.*)$" "$1:443$5"
    RequestHeader edit Referer "(^http(s?)://([\w]+\.){1}([\w]+\.?)+)(.*)$" "$1:443$5"

Since all requests come over https, we enforced the presence of the port in the URI. I believe your case can be fixed in the same way, or by setting the "Referer" header to a predefined name. (But that may be a security problem, because all requests will then appear to come from the "right" domain.)

+2
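As an added example (not code from the answers above or from CsrfGuard), here is how the two fixes combine in one server-side check: rebuild the request origin from the proxy's forwarded headers (the RemoteIpValve idea from the first answer) and normalize default ports before comparing with the Referer, so "https://localhost/..." and "https://localhost:443/..." from the log line above compare equal. The X-Forwarded-Host header name, the internal host name and the sample headers are assumptions constructed for the example.

```javascript
// Added example, not CsrfGuard's own code. Assumed: the proxy is trusted and
// sets X-Forwarded-Proto / X-Forwarded-Host (names are conventional, not CsrfGuard's).

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Normalize to scheme://host:port so "https://localhost/x" and
// "https://localhost:443/y" (the mismatch in the log above) compare equal.
function normalizeOrigin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Rebuild the origin the browser used. Only honour X-Forwarded-* when the
// request came through the trusted proxy; otherwise a client could forge them.
function effectiveOrigin(headers, trustProxy) {
  const proto = (trustProxy && header(headers, "X-Forwarded-Proto")) || "http";
  const host = (trustProxy && header(headers, "X-Forwarded-Host")) || header(headers, "Host");
  return normalizeOrigin(`${proto}://${host}`);
}

// Referer check: a missing or unparseable Referer is rejected, as is one
// whose normalized origin differs from the request's effective origin.
function refererMatchesRequest(headers, trustProxy) {
  const referer = header(headers, "Referer");
  if (!referer) return false;
  try {
    return normalizeOrigin(referer) === effectiveOrigin(headers, trustProxy);
  } catch (e) {
    return false; // malformed URL in Referer or Host
  }
}

// Constructed headers as the app server would see them for the request in the
// log line above: Tomcat listens on plain HTTP, the proxy terminated TLS.
const SAMPLE_HEADERS = {
  Host: "app-internal:8080",
  "X-Forwarded-Proto": "https",
  "X-Forwarded-Host": "localhost",
  Referer: "https://localhost/shop/pages/main.jsf",
};
```

With `trustProxy` false the check fails exactly as in the question (the app sees http://app-internal:8080), and with the proxy headers honoured it passes without disabling the Referer check altogether.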

I had a problem running csrfguard-3.1 behind a reverse proxy and load balancer with SSL offloading: the JavaScriptServlet kept returning 404. The csrf log stated

"Domain address https: // ***** does not match the domain of inquiry http: // ******"

I had to set

    org.owasp.csrfguard.JavascriptServlet.refererMatchDomain=false

to make it work.

0

Downgrade the Java version to 1.8.0_144. If this does not work, go to the directory wso2Servers/wso2is-5.5.0/repository/conf/security. The file name is Owasp.CsrfGuard.Carbon.properties.

In this file there is the line

    org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = true

Set it to

    org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false

It worked for me.

0
