Hi, I used -DGEOSERVER_CSRF_WHITELIST=localhost (NOTE: no port #. If you put a port# in - localhost:8111 - it will give you errors)
This puts me in the same situation as before (i.e. when you save a configuration change it does save but then logs you out). Looking at the headers... REQUEST: http://localhost:8111/dave/web/;jsessionid=node01dcqivgqtv42m1wx5opwiziqxr11.node0?0 Headers; X-Forwarded-Host: localhost:8111 X-Forwarded-For: ::1 X-Forwarded-Server: localhost Host: localhost:8080 The only thing that looks a bit dodgy is the X-Forwarded-For: header.... Looking into it... Dave On Fri, Sep 30, 2022 at 12:55 AM Alessandro Parma < alessandro.pa...@geosolutionsgroup.com> wrote: > Hi Dave, Jody, > > > I set -DGEOSERVER_CSRF_WHITELIST=gs-main.geosolutionsgroup.com > > Not sure where to configure the X-Forwarded-** headers. >> > > I am not as familiar with Apache HTTP but there's a chance the headers are > already there. Yes, you can enable headers logging directly in geoserver > > https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#enable-request-logging > > [image: image.png] > > [image: image.png] > > Alessandro > > On Fri, Sep 30, 2022 at 4:29 AM David Blasby <david.bla...@geocat.net> > wrote: > >> Hi, >> >> I setup apache (localhost:8111) with this; >> >> ProxyPass "/dave/" "http://localhost:8080/geoserver/"; >> ProxyPassReverse "/dave/" "http://localhost:8080/geoserver/"; >> >> This means that "localhost:8111/dave/web" takes me to the geoserver >> homepage (running on localhost:8080). >> >> Inside geoserver, I set the proxy base url to "http://localhost:8111/dave >> ". >> >> That's all the configuration I did - I'm not setting any "X-Forwarded-** >> headers" (unless apache does that automatically). >> >> I found - >> https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html >> >> I guess I have to set these somehow... >> >> Dave >> >> >> >> On Thu, Sep 29, 2022 at 11:41 AM Jody Garnett <jody.garn...@gmail.com> >> wrote: >> >>> Alessandro: >>> >>> David was testing with the Proxy Base URL setting correctly. >>> >>> I am also trying to set up a test environment with apache with mod_proxy >>> as per random blog post instructions ( >>> https://www.middlewareinventory.com/blog/docker-reverse-proxy-example/). >>> But I don't really know what I am doing so it is unlikely to match your >>> setup. >>> >>> Not sure where to configure the X-Forwarded-** headers. >>> >>> Did you need to configure >>> https://docs.geoserver.org/stable/en/user/security/webadmin/csrf.html >>> with GEOSERVER_CSRF_WHITELIST or GEOSERVER_CSRF_DISABLED? >>> -- >>> Jody Garnett >>> >>> >>> On Thu, 29 Sept 2022 at 07:01, Alessandro Parma < >>> alessandro.pa...@geosolutionsgroup.com> wrote: >>> >>>> Hi David, andrea >>>> >>>> b) When I proxied geoserver, I couldn't save most configuration options >>>>>> (i.e. change the logging profile) >>>>>> * it would give me a "Origin does not correspond to request" >>>>>> error >>>>>> * others recommended setting "-DGEOSERVER_CSRF_DISABLED=true" >>>>>> + this worked, but now if I change the logging profile it >>>>>> will log me out (but my changes were saved). >>>>>> Hum... not sure, I'll inquire with Alessandro on how the proxying is >>>>>> set up. >>>>> >>>>> >>>> I understand this is an unrelated problem with your local environment >>>> David. I suggest you check your PROXY_BASE_URL settings. >>>> >>>> In terms of proxy config there is nothing special honestly.. we're >>>> using Nginx with an explicitly set PROXY_BASE_URL: >>>> >>>> [image: image.png] >>>> >>>> And we are passing the X-Forwarded-** headers from Nginx to GeoServer. >>>> That info should be used by GeoServer to understand >>>> what protocols and host are used by the user to connect to it. >>>> >>>> We can have a closer look but before we do that are you sure you cannot >>>> reproduce it locally on an HTTPS setup? >>>> >>>> Thank you, >>>> Alessandro >>>> >>>> On Thu, Sep 29, 2022 at 9:46 AM Andrea Aime < >>>> andrea.a...@geosolutionsgroup.com> wrote: >>>> >>>>> On Thu, Sep 29, 2022 at 1:05 AM David Blasby <david.bla...@geocat.net> >>>>> wrote: >>>>> >>>>>> Andrea, >>>>>> >>>>>> I tried to reproduce this and found some more issues; >>>>>> >>>>>> a) I couldn't "cd web/app; mvn jetty:run" >>>>>> * I get a nullpointerexception - likely because there's no >>>>>> settings in global.xml >>>>>> * i used data/release and it worked fine >>>>>> >>>>> >>>>> Uh yeah, this is bad... GeoServer should be able to start off a >>>>> completely empty data directory (eventually >>>>> with some warning). I thought we had a test to that effect, but I >>>>> cannot find it... >>>>> >>>>> >>>>>> b) When I proxied geoserver, I couldn't save most configuration >>>>>> options (i.e. change the logging profile) >>>>>> * it would give me a "Origin does not correspond to request" >>>>>> error >>>>>> * others recommended setting "-DGEOSERVER_CSRF_DISABLED=true" >>>>>> + this worked, but now if I change the logging profile it >>>>>> will log me out (but my changes were saved). >>>>>> >>>>> >>>>> Hum... not sure, I'll inquire with Alessandro on how the proxying is >>>>> set up. >>>>> >>>>> Cheers >>>>> Andrea >>>>> >>>>> == >>>>> >>>>> GeoServer Professional Services from the experts! >>>>> >>>>> Visit http://bit.ly/gs-services-us for more information. >>>>> == >>>>> >>>>> Ing. Andrea Aime >>>>> @geowolf >>>>> Technical Lead >>>>> >>>>> GeoSolutions Group >>>>> phone: +39 0584 962313 >>>>> >>>>> fax: +39 0584 1660272 >>>>> >>>>> mob: +39 339 8844549 >>>>> >>>>> https://www.geosolutionsgroup.com/ >>>>> >>>>> http://twitter.com/geosolutions_it >>>>> >>>>> ------------------------------------------------------- >>>>> >>>>> Con riferimento alla normativa sul trattamento dei dati personali >>>>> (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati >>>>> “GDPR”), >>>>> si precisa che ogni circostanza inerente alla presente email (il suo >>>>> contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è >>>>> riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il >>>>> messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra >>>>> operazione è illecita. Le sarei comunque grato se potesse darmene notizia. >>>>> >>>>> This email is intended only for the person or entity to which it is >>>>> addressed and may contain information that is privileged, confidential or >>>>> otherwise protected from disclosure. We remind that - as provided by >>>>> European Regulation 2016/679 “GDPR” - copying, dissemination or use of >>>>> this >>>>> e-mail or the information herein by anyone other than the intended >>>>> recipient is prohibited. If you have received this email by mistake, >>>>> please >>>>> notify us immediately by telephone or e-mail >>>>> _______________________________________________ >>>>> Geoserver-devel mailing list >>>>> Geoserver-devel@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >>>>> >>>> >>>> >>>> -- >>>> >>>> Regards, Alessandro Parma == GeoServer Professional Services from the >>>> experts! Visit http://goo.gl/it488V for more information. == >>>> Alessandro Parma DevOps Engineer GeoSolutions S.A.S. Via di Montramito 3/A >>>> 55054 Massarosa (LU) Italy phone: +39 340 4752467 fax: +39 0584 1660272 >>>> https://www.geosolutionsgroup.com https://twitter.com/geosolutions_it >>>> ------------------------------------------------------- Con riferimento >>>> alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - >>>> Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni >>>> circostanza inerente alla presente email (il suo contenuto, gli eventuali >>>> allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i >>>> destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per >>>> errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le >>>> sarei comunque grato se potesse darmene notizia. This email is intended >>>> only for the person or entity to which it is addressed and may contain >>>> information that is privileged, confidential or otherwise protected from >>>> disclosure. We remind that - as provided by European Regulation 2016/679 >>>> “GDPR” - copying, dissemination or use of this e-mail or the information >>>> herein by anyone other than the intended recipient is prohibited. If you >>>> have received this email by mistake, please notify us immediately by >>>> telephone or e-mail. >>>> _______________________________________________ >>>> Geoserver-devel mailing list >>>> Geoserver-devel@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >>>> >>> _______________________________________________ >>> Geoserver-devel mailing list >>> Geoserver-devel@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >>> >> > > -- > > Regards, Alessandro Parma == GeoServer Professional Services from the > experts! Visit http://goo.gl/it488V for more information. == Alessandro > Parma DevOps Engineer GeoSolutions S.A.S. Via di Montramito 3/A 55054 > Massarosa (LU) Italy phone: +39 340 4752467 fax: +39 0584 1660272 > https://www.geosolutionsgroup.com https://twitter.com/geosolutions_it > ------------------------------------------------------- Con riferimento > alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - > Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni > circostanza inerente alla presente email (il suo contenuto, gli eventuali > allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i > destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per > errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le > sarei comunque grato se potesse darmene notizia. This email is intended > only for the person or entity to which it is addressed and may contain > information that is privileged, confidential or otherwise protected from > disclosure. We remind that - as provided by European Regulation 2016/679 > “GDPR” - copying, dissemination or use of this e-mail or the information > herein by anyone other than the intended recipient is prohibited. If you > have received this email by mistake, please notify us immediately by > telephone or e-mail. >
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
