[ https://issues.apache.org/jira/browse/WICKET-6466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darshit Patoliya updated WICKET-6466:
-------------------------------------

Description:

Hi,

I have used OpenMeetings in my application and am running it on the HTTP protocol behind an nginx proxy, while my application is running on the HTTPS protocol.

When I try to open the OpenMeetings login page, it raises a 400 error for the following requests.

{panel:title=Browser Network Tab}
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.0-&_=1504614984218&
{panel}

The following error is logged in red5.log:

{panel:title=red5.log}
2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://xxx.com, action: aborted with error 400 Origin does not correspond to request
{panel}

As per my limited knowledge and from checking the code of Wicket, I think it is raised because of a protocol mismatch between the origin and the request.

Are there any configurations available in Wicket to handle this scenario?

FYI: these are my nginx settings for OpenMeetings, in case I have missed something.

{code:title=nginx.conf}
location /om/ {
    # Forward the public host name so the backend builds URLs for the
    # client-facing host rather than 127.0.0.1.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    # WebSocket upgrade header (this block sets no matching Connection header).
    proxy_set_header Upgrade $http_upgrade;
    # proxy_pass_header only affects response headers nginx hides by default;
    # X-CSRFToken is not one of them, so this directive changes nothing.
    proxy_pass_header X-CSRFToken;
    # The upstream hop is plain HTTP. Nothing in this block forwards the
    # client-facing scheme (no X-Forwarded-Proto header is set), so the
    # backend only ever sees "http".
    proxy_pass http://127.0.0.1:5080/om/;
    proxy_redirect default;
}

# Static assets are served by nginx straight from the webapp directory.
location /om/public/ {
    alias /opt/om330/webapps/om/public/;
}
location /om/css/ {
    alias /opt/om330/webapps/om/css/;
}
location /om/images/ {
    alias /opt/om330/webapps/om/images/;
}
location /om/js/ {
    alias /opt/om330/webapps/om/js/;
}
{code}

was:

Hi,

I have used OpenMeetings in my application and am running it on the HTTP protocol behind an nginx proxy, while my application is running on the HTTPS protocol.

When I try to open the OpenMeetings login page, it raises a 400 error for the following requests.

{panel:title=Browser Network Tab}
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?0--forget-form-captcha-captcha
https://<xxx.xxx.com>/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.0-&_=1504614984218&
{panel}

The following error is logged in red5.log:

{panel:title=red5.log}
2017-09-11 18:10:47,820 [http-nio-0.0.0.0-5080-exec-2] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://xxx.com/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://xxx.com, action: aborted with error 400 Origin does not correspond to request
{panel}

As per my limited knowledge and from checking the code of Wicket, I think it is raised because of a protocol mismatch between the origin and the request.

Are there any configurations available in the code of Wicket to handle this scenario?

FYI: these are my nginx settings for OpenMeetings, in case I have missed something.
{code:title=nginx.conf}
location /om/ {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass_header X-CSRFToken;
    proxy_pass http://127.0.0.1:5080/om/;
    proxy_redirect default;
}
location /om/public/ {
    alias /opt/om330/webapps/om/public/;
}
location /om/css/ {
    alias /opt/om330/webapps/om/css/;
}
location /om/images/ {
    alias /opt/om330/webapps/om/images/;
}
location /om/js/ {
    alias /opt/om330/webapps/om/js/;
}
{code}

> CSRF Prevention Configurations
> ------------------------------
>
>                 Key: WICKET-6466
>                 URL: https://issues.apache.org/jira/browse/WICKET-6466
>             Project: Wicket
>          Issue Type: Improvement
>            Reporter: Darshit Patoliya
>

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
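The failure mode in the report, modelled as an added example that is not part of the issue and not Wicket's own code: a hypothetical re-implementation of an Origin-versus-request-URL check, fed constructed request headers shaped like what the posted nginx config forwards (Host and X-Forwarded-Host, no X-Forwarded-Proto) and then like a config that also sends `X-Forwarded-Proto`. The function and header names are this example's own assumptions; the point it shows is that the backend can only reconstruct an `https` request URL if the proxy forwards the client-facing scheme and the container is configured to trust that header from the proxy, and that a genuinely cross-site Origin is still rejected once it does.

```python
"""
Model of an Origin-vs-request-URL CSRF check behind a TLS-terminating proxy.

Hypothetical illustration, not Wicket's CsrfPreventionRequestCycleListener:
scheme, host and port of the Origin header are compared with the absolute
URL the backend believes it is serving. All headers below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Return (scheme, host, port) for a URL or Origin value, port normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def backend_request_url(headers, backend_scheme, path, trust_forwarded_proto):
    """
    Reconstruct the absolute request URL as the backend sees it.

    backend_scheme is the scheme of the hop the proxy actually used
    ("http" for proxy_pass http://127.0.0.1:5080/om/). Only when the
    container is configured to trust X-Forwarded-Proto from the proxy does
    the client-facing scheme replace it.
    """
    scheme = backend_scheme
    if trust_forwarded_proto and "X-Forwarded-Proto" in headers:
        scheme = headers["X-Forwarded-Proto"].lower()
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}{path}"


def csrf_check(headers, backend_scheme, path, trust_forwarded_proto=False):
    """
    Return (allowed, reason). Mirrors the red5.log line in the report: when
    the Origin's scheme/host/port differ from the reconstructed request URL,
    the request is aborted with 400. Requests without an Origin header are
    left to other checks and allowed here (an assumption of this model).
    """
    origin = headers.get("Origin")
    if origin is None:
        return True, "no Origin header"
    request_url = backend_request_url(headers, backend_scheme, path, trust_forwarded_proto)
    if origin_tuple(origin) != origin_tuple(request_url):
        return False, f"Origin does not correspond to request: {origin} vs {request_url}"
    return True, "same origin"


# Constructed headers as the posted nginx config forwards them:
# Host and X-Forwarded-Host are set, X-Forwarded-Proto is not.
POSTED_CONFIG_HEADERS = {
    "Host": "xxx.com",
    "X-Forwarded-Host": "xxx.com",
    "Origin": "https://xxx.com",
}

# Same request if the proxy additionally sent
#   proxy_set_header X-Forwarded-Proto $scheme;
FIXED_CONFIG_HEADERS = dict(POSTED_CONFIG_HEADERS, **{"X-Forwarded-Proto": "https"})

# A cross-site form post: browser-supplied Origin names a different host.
CROSS_SITE_HEADERS = dict(FIXED_CONFIG_HEADERS, Origin="https://evil.example")

PATH = "/om/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage"


def demo():
    """Run the four scenarios and return {name: (allowed, reason)}."""
    return {
        "posted_config": csrf_check(POSTED_CONFIG_HEADERS, "http", PATH),
        "proto_forwarded_not_trusted": csrf_check(FIXED_CONFIG_HEADERS, "http", PATH),
        "proto_forwarded_and_trusted": csrf_check(
            FIXED_CONFIG_HEADERS, "http", PATH, trust_forwarded_proto=True),
        "cross_site_still_blocked": csrf_check(
            CROSS_SITE_HEADERS, "http", PATH, trust_forwarded_proto=True),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'allow' if allowed else '400'} ({reason})")
```

Two things the model makes visible. First, forwarding the scheme is only half of the fix: the container must also be told to honour X-Forwarded-Proto, and it should do so only for the proxy's address, since a client that can reach port 5080 directly could otherwise set the header itself. Second, once the scheme is reconstructed correctly, the check still does its job against a cross-site Origin, so the right response to the 400 is to fix the forwarded scheme rather than to weaken the listener.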