Re: Wicket 8 CsrfPrevention issue

2018-12-23 Thread Shengche Hsiao
Thanks Papegaaij, let me try.

On Sun, Dec 23, 2018 at 8:32 PM Emond Papegaaij wrote:

> I checked the answers and comments on that post, and they are
> incorrect. When you place your application behind a reverse http proxy,
> you need to make sure the proxy passes the correct headers to your
> application and your application needs to use these headers.
>
> For WildFly, you need to add proxy-address-forwarding="true" to the
> http-listener. This will instruct Undertow to read the headers passed
> by the proxy.
>
> On your proxy you will want to set these headers (this is nginx config):
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
> proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
>
> Best regards,
> Emond Papegaaij
>
> On Sat, Dec 22, 2018 at 7:31 PM Chris Turchin wrote:
> >
> > This might help:
> > https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener
> >
> > On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote:
> > >
> > > Dear all
> > >
> > > I use apache httpd as WildFly's backend proxy server to redirect http
> > > requests to https requests. When I add CsrfPreventionRequestCycleListener to
> > > my application, it showed an error message:
> > >
> > > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
> > > (default task-48) Possible CSRF attack, request URL: http://
> > > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw,
> > > action: aborted with error 400 Origin does not correspond to request
> > >
> > > How can i conquer this?
> >
> >
> >
> > --
> > Chris Turchin 
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > For additional commands, e-mail: users-h...@wicket.apache.org

-- 
ShengChe Hsiao
front...@gmail.com
front...@tc.edu.tw


Re: Wicket 8 CsrfPrevention issue

2018-12-23 Thread Emond Papegaaij
I checked the answers and comments on that post, and they are wrong. When you 
place your application behind a reverse http proxy, you need to make sure the 
proxy passes the correct headers to your application and your application needs 
to use these headers.

For WildFly, you need to add proxy-address-forwarding="true" to the http-
listener. This will instruct Undertow to read the headers passed by the proxy.

On your proxy you will want to set these headers (this is nginx config):
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;

Best regards,
Emond Papegaaij

On Saturday, 22 December 2018 12:46:11 CET Chris Turchin wrote:
> This might help:
> https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener
> On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote:
> > Dear all
> > 
> > I use apache httpd as WildFly's backend proxy server to redirect http
> > requests to https requests. When I add CsrfPreventionRequestCycleListener to
> > my application, it showed an error message:
> > 
> > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
> > (default task-48) Possible CSRF attack, request URL: http://
> > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw,
> > action: aborted with error 400 Origin does not correspond to request
> > 
> > How can i conquer this?


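Constructed illustration (added here; not code from this thread, from Wicket or from Undertow) of why the listener logs "Origin does not correspond to request": it rebuilds the request URL the application sees with and without honouring the proxy's X-Forwarded-Proto / X-Forwarded-Port headers (the effect of proxy-address-forwarding="true" on the Undertow http-listener) and compares it with the browser's Origin the way an origin check does. The comparison is a simplified stand-in for Wicket's own logic; the header values, the client address 203.0.113.10 and the cross-site origin evil.example are constructed sample data.

```python
"""Simplified origin-vs-request-URL check behind a TLS-terminating reverse proxy."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def request_url(backend_scheme, host, path, headers, honor_forwarded):
    """Rebuild the request URL the application sees.

    backend_scheme is what the container saw on its own socket (plain http
    when the proxy terminates TLS). With honor_forwarded=True the proxy's
    X-Forwarded-Proto / X-Forwarded-Port headers override it, which is what
    proxy-address-forwarding="true" on the Undertow http-listener enables.
    """
    scheme, port = backend_scheme, None
    if honor_forwarded:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        if "X-Forwarded-Port" in headers:
            port = int(headers["X-Forwarded-Port"])
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}{path}"
    return f"{scheme}://{host}:{port}{path}"

def origin_matches(origin, url):
    """Scheme, host and default-normalised port of Origin must equal the URL's."""
    o, u = urlsplit(origin), urlsplit(url)
    o_port = o.port or DEFAULT_PORTS.get(o.scheme)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    return (o.scheme, o.hostname, o_port) == (u.scheme, u.hostname, u_port)

# Constructed sample: the proxy terminated TLS and forwarded over plain http,
# setting the headers from the nginx snippet in the thread.
FORWARDED = {"X-Forwarded-Proto": "https", "X-Forwarded-Port": "443",
             "X-Forwarded-For": "203.0.113.10"}
BROWSER_ORIGIN = "https://etalking.chc.edu.tw"

def check(honor_forwarded, origin=BROWSER_ORIGIN):
    """Return (request URL as the app sees it, whether the origin check passes)."""
    url = request_url("http", "etalking.chc.edu.tw", "/agency/index",
                      FORWARDED, honor_forwarded)
    return url, origin_matches(origin, url)

if __name__ == "__main__":
    for honor in (False, True):
        url, ok = check(honor)
        print(f"honor_forwarded={honor}: {url} -> {'accepted' if ok else 'rejected'}")
    # A genuinely cross-site origin is still rejected once forwarding is honoured.
    print("cross-site origin accepted:", check(True, "https://evil.example")[1])
```

Without the forwarded headers the application reconstructs http://etalking.chc.edu.tw/agency/index while the browser sent Origin https://etalking.chc.edu.tw, which is exactly the mismatch in the log above; honouring the headers fixes the scheme without weakening the check against other origins.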

Re: Wicket 8 CsrfPrevention issue

2018-12-23 Thread Emond Papegaaij
I checked the answers and comments on that post, and they are incorrect. When
you place your application behind a reverse http proxy, you need to make sure
the proxy passes the correct headers to your application and your application
needs to use these headers.

For WildFly, you need to add proxy-address-forwarding="true" to the http-
listener. This will instruct Undertow to read the headers passed by the proxy.

On your proxy you will want to set these headers (this is nginx config):
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;

Best regards,
Emond Papegaaij

On Sat, Dec 22, 2018 at 7:31 PM Chris Turchin wrote:
>
> This might help:
> https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener
>
> On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote:
> >
> > Dear all
> >
> > I use apache httpd as WildFly's backend proxy server to redirect http
> > requests to https requests. When I add CsrfPreventionRequestCycleListener to
> > my application, it showed an error message:
> >
> > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
> > (default task-48) Possible CSRF attack, request URL: http://
> > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw,
> > action: aborted with error 400 Origin does not correspond to request
> >
> > How can i conquer this?
>
>
>
> --
> Chris Turchin 
>



Re: Wicket 8 CsrfPrevention issue

2018-12-23 Thread Shengche Hsiao
Thanks, I'll check it out.

On Sun, Dec 23, 2018 at 2:31 AM Chris Turchin wrote:

> This might help:
> https://stackoverflow.com/questions/46337253/apache-reverse-proxy-and-wicket-csrfpreventionrequestcyclelistener
>
> On Sat, Dec 22, 2018 at 3:28 AM ShengChe Hsiao wrote:
> >
> > Dear all
> >
> > I use apache httpd as WildFly's backend proxy server to redirect http
> > requests to https requests. When I add CsrfPreventionRequestCycleListener to
> > my application, it showed an error message:
> >
> > [org.apache.wicket.protocol.http.CsrfPreventionRequestCycleListener]
> > (default task-48) Possible CSRF attack, request URL: http://
> > etalking.chc.edu.tw/agency/index, Origin: https://etalking.chc.edu.tw,
> > action: aborted with error 400 Origin does not correspond to request
> >
> > How can i conquer this?
>
>
>
> --
> Chris Turchin 
>

-- 
ShengChe Hsiao
front...@gmail.com
front...@tc.edu.tw