Hi,

I used
  -DGEOSERVER_CSRF_WHITELIST=localhost
(NOTE: no port number. If you put a port number in, e.g. localhost:8111, it
will give you errors.)

This puts me in the same situation as before (i.e. when you save a
configuration change it does save but then logs you out).

Looking at the headers...

REQUEST:
http://localhost:8111/dave/web/;jsessionid=node01dcqivgqtv42m1wx5opwiziqxr11.node0?0

Headers:
    X-Forwarded-Host: localhost:8111
    X-Forwarded-For: ::1
    X-Forwarded-Server: localhost
    Host: localhost:8080

The only thing that looks a bit dodgy is the X-Forwarded-For: header....

Looking into it...

Dave

On Fri, Sep 30, 2022 at 12:55 AM Alessandro Parma <alessandro.pa...@geosolutionsgroup.com> wrote:

> Hi Dave, Jody,
>
>
> I set -DGEOSERVER_CSRF_WHITELIST=gs-main.geosolutionsgroup.com
>
>> Not sure where to configure the X-Forwarded-** headers.
>
>
> I am not as familiar with Apache HTTP but there's a chance the headers are
> already there. Yes, you can enable headers logging directly in geoserver
>
> https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#enable-request-logging
>
> Alessandro
>
> On Fri, Sep 30, 2022 at 4:29 AM David Blasby <david.bla...@geocat.net>
> wrote:
>
>> Hi,
>>
>> I setup apache (localhost:8111) with this;
>>
>> ProxyPass "/dave/" "http://localhost:8080/geoserver/"
>> ProxyPassReverse "/dave/" "http://localhost:8080/geoserver/"
>>
>> This means that "localhost:8111/dave/web" takes me to the geoserver
>> homepage (running on localhost:8080).
>>
>> Inside geoserver, I set the proxy base url to "http://localhost:8111/dave".
>>
>> That's all the configuration I did - I'm not setting any "X-Forwarded-**
>> headers" (unless apache does that automatically).
>>
>> I found -
>> https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html
>>
>> I guess I have to set these somehow...
>>
>> Dave
>>
>>
>>
>> On Thu, Sep 29, 2022 at 11:41 AM Jody Garnett <jody.garn...@gmail.com>
>> wrote:
>>
>>> Alessandro:
>>>
>>> David was testing with the Proxy Base URL setting correctly.
>>>
>>> I am also trying to set up a test environment with apache with mod_proxy
>>> as per random blog post instructions (
>>> https://www.middlewareinventory.com/blog/docker-reverse-proxy-example/).
>>> But I don't really know what I am doing so it is unlikely to match your
>>> setup.
>>>
>>> Not sure where to configure the X-Forwarded-** headers.
>>>
>>> Did you need to configure
>>> https://docs.geoserver.org/stable/en/user/security/webadmin/csrf.html
>>> with GEOSERVER_CSRF_WHITELIST or GEOSERVER_CSRF_DISABLED?
>>> --
>>> Jody Garnett
>>>
>>>
>>> On Thu, 29 Sept 2022 at 07:01, Alessandro Parma <alessandro.pa...@geosolutionsgroup.com> wrote:
>>>
>>>> Hi David, Andrea
>>>>
>>>>>> b) When I proxied geoserver, I couldn't save most configuration options
>>>>>> (i.e. change the logging profile)
>>>>>>       * it would give me a "Origin does not correspond to request"
>>>>>> error
>>>>>>       * others recommended setting "-DGEOSERVER_CSRF_DISABLED=true"
>>>>>>          + this worked, but now if I change the logging profile it
>>>>>> will log me out (but my changes were saved).
>>>>>
>>>>> Hum... not sure, I'll inquire with Alessandro on how the proxying is
>>>>> set up.
>>>>>
>>>>
>>>> I understand this is an unrelated problem with your local environment
>>>> David. I suggest you check your PROXY_BASE_URL settings.
>>>>
>>>> In terms of proxy config there is nothing special honestly.. we're
>>>> using Nginx with an explicitly set PROXY_BASE_URL:
>>>>
>>>> And we are passing the X-Forwarded-** headers from Nginx to GeoServer.
>>>> That info should be used by GeoServer to understand
>>>> what protocols and host are used by the user to connect to it.
>>>>
>>>> We can have a closer look but before we do that are you sure you cannot
>>>> reproduce it locally on an HTTPS setup?
>>>>
>>>> Thank you,
>>>> Alessandro
>>>>
>>>> On Thu, Sep 29, 2022 at 9:46 AM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>>>>
>>>>> On Thu, Sep 29, 2022 at 1:05 AM David Blasby <david.bla...@geocat.net>
>>>>> wrote:
>>>>>
>>>>>> Andrea,
>>>>>>
>>>>>> I tried to reproduce this and found some more issues;
>>>>>>
>>>>>> a) I couldn't "cd web/app; mvn jetty:run"
>>>>>>       * I get a nullpointerexception - likely because there's no
>>>>>> settings in global.xml
>>>>>>       * i used data/release and it worked fine
>>>>>>
>>>>>
>>>>> Uh yeah, this is bad... GeoServer should be able to start off a
>>>>> completely empty data directory (eventually
>>>>> with some warning). I thought we had a test to that effect, but I
>>>>> cannot find it...
>>>>>
>>>>>
>>>>>> b) When I proxied geoserver, I couldn't save most configuration
>>>>>> options (i.e. change the logging profile)
>>>>>>       * it would give me a "Origin does not correspond to request"
>>>>>> error
>>>>>>       * others recommended setting "-DGEOSERVER_CSRF_DISABLED=true"
>>>>>>          + this worked, but now if I change the logging profile it
>>>>>> will log me out (but my changes were saved).
>>>>>>
>>>>>
>>>>> Hum... not sure, I'll inquire with Alessandro on how the proxying is
>>>>> set up.
>>>>>
>>>>> Cheers
>>>>> Andrea
>>>>>
>>>>> ==
>>>>> GeoServer Professional Services from the experts!
>>>>> Visit http://bit.ly/gs-services-us for more information.
>>>>> ==
>>>>>
>>>>> Ing. Andrea Aime
>>>>> @geowolf
>>>>> Technical Lead
>>>>>
>>>>> GeoSolutions Group
>>>>> phone: +39 0584 962313
>>>>> fax: +39 0584 1660272
>>>>> mob: +39 339 8844549
>>>>> https://www.geosolutionsgroup.com/
>>>>> http://twitter.com/geosolutions_it
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>> With reference to the legislation on the processing of personal data
>>>>> (EU Reg. 2016/679, General Data Protection Regulation "GDPR"), please
>>>>> note that every circumstance relating to this email (its content, any
>>>>> attachments, etc.) is data whose knowledge is reserved to the
>>>>> addressee(s) indicated by the sender alone. If the message has reached
>>>>> you in error, you are required to delete it; any other action is
>>>>> unlawful. I would in any case be grateful if you could let me know.
>>>>>
>>>>> This email is intended only for the person or entity to which it is
>>>>> addressed and may contain information that is privileged, confidential or
>>>>> otherwise protected from disclosure. We remind that - as provided by
>>>>> European Regulation 2016/679 "GDPR" - copying, dissemination or use of
>>>>> this e-mail or the information herein by anyone other than the intended
>>>>> recipient is prohibited. If you have received this email by mistake,
>>>>> please notify us immediately by telephone or e-mail.
>>>>> _______________________________________________
>>>>> Geoserver-devel mailing list
>>>>> Geoserver-devel@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Regards, Alessandro Parma
>>>> ==
>>>> GeoServer Professional Services from the experts!
>>>> Visit http://goo.gl/it488V for more information.
>>>> ==
>>>> Alessandro Parma
>>>> DevOps Engineer
>>>> GeoSolutions S.A.S.
>>>> Via di Montramito 3/A
>>>> 55054 Massarosa (LU) Italy
>>>> phone: +39 340 4752467
>>>> fax: +39 0584 1660272
>>>> https://www.geosolutionsgroup.com
>>>> https://twitter.com/geosolutions_it
>>>> -------------------------------------------------------
>>>> With reference to the legislation on the processing of personal data
>>>> (EU Reg. 2016/679, General Data Protection Regulation "GDPR"), please
>>>> note that every circumstance relating to this email (its content, any
>>>> attachments, etc.) is data whose knowledge is reserved to the
>>>> addressee(s) indicated by the sender alone. If the message has reached
>>>> you in error, you are required to delete it; any other action is
>>>> unlawful. I would in any case be grateful if you could let me know.
>>>> This email is intended only for the person or entity to which it is
>>>> addressed and may contain information that is privileged, confidential or
>>>> otherwise protected from disclosure. We remind that - as provided by
>>>> European Regulation 2016/679 "GDPR" - copying, dissemination or use of
>>>> this e-mail or the information herein by anyone other than the intended
>>>> recipient is prohibited. If you have received this email by mistake,
>>>> please notify us immediately by telephone or e-mail.
>>>>
>>>
>>
>
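The headers captured at the top of this thread show the mismatch the CSRF filter is reacting to: the browser addresses http://localhost:8111/dave/..., so a form POST carries an Origin (or, failing that, a Referer) of http://localhost:8111, while Apache's ProxyPass sends the request on with Host: localhost:8080, and the X-Forwarded-Host header is only taken into account if the servlet container has been configured to honour forwarded headers. The check behind "Origin does not correspond to request" compares the Origin against the scheme, host and port the backend believes it is serving on, and the whitelist compares host names only, which is why the entry has to be "localhost" with no port. The Python script below is an illustration added for this page, not GeoServer's or Wicket's code: it models that comparison, runs it over the headers quoted in the thread (the Origin header, the whitelist entries and the ProxyPreserveHost variant are constructed for the example) and shows which configurations pass, including how a host-only whitelist also accepts any other port on that host.

```python
"""
Model of the Origin-vs-request check that yields GeoServer's
"Origin does not correspond to request" error, plus the host-only whitelist.

Illustrative re-implementation written for this page; it is NOT GeoServer's
or Wicket's code. The Host/X-Forwarded-* headers are the ones quoted in the
thread; the Origin header, the whitelist entries and the ProxyPreserveHost
variant are constructed for the example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str):
    """Return (scheme, host, port) for an Origin/Referer value, or None if unparsable."""
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def request_origin(headers: dict, scheme: str = "http"):
    """Origin the backend believes it is serving, taken from the Host header.

    Models a servlet container that has NOT been told to honour X-Forwarded-*
    headers, so the proxy's rewritten Host header is what it sees.
    (Bracketed IPv6 literals in Host are not handled; not needed here.)
    """
    host, _, port = headers.get("Host", "").partition(":")
    return (scheme, host.lower(), int(port) if port else DEFAULT_PORTS[scheme])


def csrf_check(headers: dict, whitelist=(), scheme: str = "http") -> str:
    """Return 'allowed', 'whitelisted' or 'rejected' for a state-changing request."""
    origin_header = headers.get("Origin") or headers.get("Referer")
    if not origin_header:
        return "rejected"  # no Origin/Referer at all: refuse to change state
    origin = normalize_origin(origin_header)
    if origin is None:
        return "rejected"
    if origin == request_origin(headers, scheme):
        return "allowed"
    # Whitelist entries are bare host names: no scheme, no port. In this model an
    # entry written as "localhost:8111" never matches, consistent with the note in
    # the thread that the port must be left out.
    if origin[1] in {w.lower() for w in whitelist}:
        return "whitelisted"
    return "rejected"


# Headers as quoted in the thread (Apache on :8111 proxying to GeoServer on :8080),
# plus the Origin a browser sends on a same-site form POST (constructed).
PROXIED_HEADERS = {
    "Host": "localhost:8080",
    "X-Forwarded-Host": "localhost:8111",
    "X-Forwarded-For": "::1",
    "X-Forwarded-Server": "localhost",
    "Origin": "http://localhost:8111",
}

# Same request with `ProxyPreserveHost On` in Apache: the browser's Host header
# reaches GeoServer unchanged (constructed variant).
PRESERVED_HOST_HEADERS = dict(PROXIED_HEADERS, Host="localhost:8111")


def demo() -> dict:
    """Run the captured headers through the model under each configuration."""
    return {
        "default proxy, no whitelist": csrf_check(PROXIED_HEADERS),
        "default proxy, whitelist 'localhost:8111'": csrf_check(PROXIED_HEADERS, ["localhost:8111"]),
        "default proxy, whitelist 'localhost'": csrf_check(PROXIED_HEADERS, ["localhost"]),
        "ProxyPreserveHost On, no whitelist": csrf_check(PRESERVED_HOST_HEADERS),
        # Host-only whitelist: a different port (or scheme) on that host passes too.
        "whitelist 'localhost', Origin from another port": csrf_check(
            dict(PROXIED_HEADERS, Origin="http://localhost:9999"), ["localhost"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:50s} -> {result}")
```

Run it directly to print each case. The whitelist is the broader of the two fixes: once "localhost" is accepted, a request whose Origin is any other port on that host passes as well, whereas making the Host header the backend sees match what the browser sees (for Apache, `ProxyPreserveHost On`) keeps the exact scheme/host/port comparison in force. Whether that alone also resolves the logout after saving is not something the thread establishes.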
