SSL NGINX reverse proxy configuration and CSRF attack

dasddd
Champ in-the-making
Hi,

Does anybody have a working configuration for nginx and/or Alfresco using https?

I cannot set up nginx and/or Alfresco without prompting "CSRF attack" errors in the Alfresco logs (cannot log in).

If I set
proxy_set_header Host $host;

the error is:

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://ABC.COM/ (string) or  (regexp)] with root cause

Without the proxy_set_header Host $host;

the error is:

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://localhost:port/ (string) or  (regexp)] with root cause

I tried
proxy_set_header Host $http_host;
with the same result as the first error.

I tried
proxy_set_header Host $host$uri;

and I get the error:

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'https://ABC.ABC/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'https://ABC.ABC/share/page' vs server & context: http://ABC.ABC/share/page/dologin/ (string) or  (regexp)] with root cause


I circumvented the problem by telling NGINX to rewrite the headers in a certain manner:

proxy_set_header Referer http://ABC.COM:XXXX/;
proxy_set_header Origin http://ABC.COM:XXXX/;

I guess I am asking how to tell nginx to write "https://ABC.ABC/share/page" and not "http://ABC.ABC/".

I have:
Alfresco 5.0d
Windows server 2008 R2
Nginx 1.9
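The two nginx server blocks below are an added example and not configuration from the original post or from Alfresco. They put the header rewrite the post describes beside the form that lets Share's referer check pass legitimately. The hostnames (weak.example.com, share.example.com), the certificate paths, and the upstream address 127.0.0.1:8080 are assumptions.

```nginx
# Added example (not from the original post): TLS termination in front of
# Alfresco Share on Tomcat. Hostnames, ports, certificate paths and the
# upstream address are assumptions.

upstream alfresco_tomcat {
    server 127.0.0.1:8080;          # assumed plain-HTTP Tomcat connector
}

# WEAK: the workaround from the post. Overwriting Referer and Origin with a
# constant makes every request, including one a cross-site page triggers,
# look as if it came from the trusted origin, so the CSRF referer/origin
# assertion never fails. The check is bypassed, not satisfied.
server {
    listen 443 ssl;
    server_name weak.example.com;
    ssl_certificate     /etc/nginx/certs/weak.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/weak.example.com.key;   # assumed path

    location / {
        proxy_pass http://alfresco_tomcat;
        proxy_set_header Referer http://weak.example.com:8080/;   # do not do this
        proxy_set_header Origin  http://weak.example.com:8080/;   # do not do this
    }
}

# CORRECTED: leave Referer and Origin exactly as the browser sent them and
# forward the external host name and scheme instead, so the backend can
# rebuild "https://share.example.com/..." when it compares them.
server {
    listen 80;
    server_name share.example.com;
    return 301 https://$host$request_uri;   # never serve Share over plain HTTP
}

server {
    listen 443 ssl;
    server_name share.example.com;
    ssl_certificate     /etc/nginx/certs/share.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/share.example.com.key;   # assumed path

    location / {
        proxy_pass http://alfresco_tomcat;
        proxy_set_header Host              $host;                      # external name, not the upstream's
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;                    # "https" once TLS is terminated here
        proxy_set_header X-Forwarded-Port  $server_port;
        # Referer and Origin are passed through unchanged by default; do not override them.
    }
}
```

The corrected block only fixes the nginx side. Tomcat still builds the "server & context" string from its own connector settings, so on its own it keeps reporting http:// and the default port, which is what the first two errors in the post show. The backend must also be told the external scheme, either through the connector's scheme, proxyName and proxyPort attributes (the approach in the reply below) or, as an alternative not mentioned on this page, a Tomcat RemoteIpValve configured with protocolHeader="X-Forwarded-Proto" so it reads the header this configuration sends. Note that the $host$uri variant from the post breaks the Host header entirely, which is why the third error shows the request path glued onto the server name.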



basti_g
Champ in-the-making
I may be wrong but I think you're bypassing the CSRF protection entirely that way.

To answer your question: I'm running Alfresco with an Nginx SSL offloading proxy but I did not get it working using proxy_set_header directives either.

If you use your Tomcat for Alfresco only, you may simply override the connector scheme in server.xml:

<Connector port="8080" protocol="org.apache.coyote.http11.Http11AprProtocol"
    connectionTimeout="20000" redirectPort="8443"
    scheme="https" proxyName="your-domain.com" proxyPort="443" />


Another option would be to point your nginx upstream resource to the https Tomcat connector on port 8443.
I just don't know how efficient that would be … performance should be better following the first approach.

Cheers,
Basti

i2aml8
Champ in-the-making
I took care of it by overriding. Attached is my share-config-custom.xml (replace my.site.com).