问题描述
我们正在使用nginx进行https流量卸载,代理到运行在端口8080上的本地安装的jasperserver(5.2).
We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.
internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver
直接在其端口上访问jasperserver时,一切都很好.通过nginx访问服务时,某些功能被破坏(例如,在jasperserver UI中编辑用户),并且jasperserver日志中包含以下条目:
When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:
CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
经过一些调试后,我们找到了原因:
After some debugging we found the cause for this:
在其标准配置中,nginx不会转发名称中包含下划线的请求标头.但是,Jasperserver(和OWASP框架)默认使用下划线传输csrf令牌(分别为JASPER_CSRF_TOKEN和OWASP_CSRFTOKEN).
In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).
解决方案之一:
-
nginx:在标头中使用下划线
nginx: allow underscores in headers
server {
...
underscores_in_headers on;
jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties也请参见此处:
- header variables go missing in production
- http://wiki.nginx.org/HttpCoreModule#underscores_in_headers
推荐答案
我自己回答了-希望这对其他人也有用
Answered it myself - hopefully this is of some use to others,too
这篇关于在Nginx后面运行jasperserver:潜在的CSRF攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!