Yes, you are right. This should be fixed. Currently I don't know why the host name doesn't match, but will try to reproduce. Had no reverse proxy environment to check this thoroughly. But that means I need to create a new version, right?
Cheers

Martin

On 25 April 2017 09:51:06 CEST, Olivier Lamy <ol...@apache.org> wrote:
>Hi
>Yes it's behind a reverse proxy
>logs says
>
>2017-04-25 07:39:21,524 [qtp1564314458-63] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header Host does not match refererUrl=
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
>targetUrl=http://archiva-repository.apache.org,
>archiva-repository.apache.org
>
>The security.properties contains
>
>rest.baseUrl=https://archiva-repository.apache.org (I tried with https as well)
>
>The referer header has value:
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en
>
>Activating debug:
>
>2017-04-25 07:49:00,570 [qtp749705282-29] DEBUG
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header URL found:
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en
>
>2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header Host does not match refererUrl=
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
>targetUrl=http://archiva-repository.apache.org,
>archiva-repository.apache.org
>
>2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - HTTP Header check failed. Assuming CSRF attack.
>
>
>Well I can disable that but I'd like to not have too many users complaining :-)
>
>On 25 April 2017 at 16:54, Martin Stockhammer <marti...@apache.org> wrote:
>
>> Hi,
>>
>> It's behind a reverse proxy or something similar?
>> I think it's the request url. It is determined automatically. But you can
>> set a redback configuration property.
>> In security.properties set
>> rest.baseUrl=http://archiva-repository.apache.org
>>
>> Cheers
>>
>> Martin
>>
>>
>> On 25 April 2017 01:59:29 CEST, Olivier Lamy <ol...@apache.org> wrote:
>>>
>>> Hi Martin,
>>> Thanks for your effort with the release!!
>>> Works fine locally, all sigs are ok!
>>> I installed the version for https://archiva-repository.apache.org/archiva/
>>> but I have a problem as cannot log anymore because some REST resources are
>>> marked as 403.
>>> In this particular case:
>>> https://archiva-repository.apache.org/archiva/restServices/archivaServices/commonServices/getAllI18nResources
>>> Any idea?
>>>
>>> On 24 April 2017 at 05:01, Martin <marti...@apache.org> wrote:
>>>
>>> Hi,
>>>>
>>>> I think I now have everything ready and I'd like to release Apache Archiva
>>>> 2.2.2
>>>>
>>>> Note this vote include some parent poms, and redback core.
>>>>
>>>> We fixed these issues:
>>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316920&version=12335832
>>>>
>>>> The staging repository is available here:
>>>> https://archiva-repository.apache.org/archiva/repository/archiva-releases-stage/
>>>>
>>>> Dist artifacts here: https://dist.apache.org/repos/dist/dev/archiva/
>>>>
>>>> Vote open for 72H
>>>> [+1]
>>>> [0]
>>>> [-1]
>>>>
>>>> Greetings
>>>> --
>>>> Martin Stockhammer
>>>
>> --
>> This message was sent from my Android device with K-9 Mail.
>>
>
>--
>Olivier Lamy
>http://twitter.com/olamy | http://linkedin.com/in/olamy

--
This message was sent from my Android device with K-9 Mail.
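
A Referer check of the kind discussed in this thread, as an added example that is not redback's own code and does not diagnose the failure reported above: it compares the Referer against a configured base URL by scheme, host and effective port, which is where a proxy that terminates TLS can make an `https` Referer and an `http` target URL disagree. The class and method names are hypothetical; the URLs are the ones quoted in the thread.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added illustration, not redback's RequestValidationInterceptor.
public class RefererCheck {

    // Parse a URL; null means "missing or malformed", which callers reject.
    static URI parse(String url) {
        try {
            URI u = (url == null) ? null : new URI(url);
            return (u == null || u.getHost() == null || u.getScheme() == null) ? null : u;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Default port per scheme, so https://host and https://host:443 compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Host names are case-insensitive; compare them lower-cased.
    static boolean sameHost(URI a, URI b) {
        return a.getHost().toLowerCase(Locale.ROOT).equals(b.getHost().toLowerCase(Locale.ROOT));
    }

    // Strict check: scheme, host and effective port of the Referer must match the base URL.
    static boolean sameOrigin(String referer, String baseUrl) {
        URI r = parse(referer), b = parse(baseUrl);
        return r != null && b != null
            && r.getScheme().equalsIgnoreCase(b.getScheme())
            && sameHost(r, b) && port(r) == port(b);
    }

    public static void main(String[] args) {
        // Referer value quoted in the thread; base URLs are the two rest.baseUrl forms mentioned.
        String referer = "https://archiva-repository.apache.org/archiva/index.html?request_lang=en";
        String[] bases = { "http://archiva-repository.apache.org", "https://archiva-repository.apache.org" };
        for (String base : bases) {
            System.out.println(base + " -> sameHost=" + sameHost(parse(referer), parse(base))
                + " sameOrigin=" + sameOrigin(referer, base));
        }
        System.out.println("missing Referer -> sameOrigin=" + sameOrigin(null, bases[1]));
    }
}
```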