Running jasperserver behind nginx: Potential CSRF attack


Problem description

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.

internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver

When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:

CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

After some debugging we found the cause for this:

In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).

Solutions (either of these):

  • nginx: allow underscores in headers

server {
   ...
   underscores_in_headers on;
}

  • jasperserver: change the token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

  • See also:

    • header variables go missing in production
    • http://wiki.nginx.org/HttpCoreModule#underscores_in_headers
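The nginx side of the first fix, written out as a complete TLS-offloading front end for the layout in the question (internet to nginx on 443, nginx to tomcat/jasperserver on 8080). This is an added example, not configuration from the original post; the hostname, certificate paths and the loopback backend address are assumptions for illustration.

```nginx
# Added example (not from the original post): nginx terminating TLS and
# proxying to a local jasperserver on port 8080.
# Assumed values: reports.example.com, the certificate paths, 127.0.0.1:8080.

http {
    # The default is "off": nginx silently drops any request header whose
    # name contains an underscore. That is what strips JASPER_CSRF_TOKEN /
    # OWASP_CSRFTOKEN on the way to tomcat and makes CSRFGuard log
    # "potential cross-site request forgery (CSRF) attack thwarted".
    #
    # underscores_in_headers off;

    # Fix 1 from the post: keep underscored headers. nginx documents this
    # directive for the http and server contexts; at server level it only
    # takes effect in the default server for a listen address, so setting
    # it once at http level is the less surprising choice.
    underscores_in_headers on;

    server {
        listen 443 ssl;
        server_name reports.example.com;                      # assumed
        ssl_certificate     /etc/nginx/tls/reports.crt;       # assumed
        ssl_certificate_key /etc/nginx/tls/reports.key;       # assumed

        location / {
            # Backend is plain HTTP on the loopback interface, as in the
            # question's diagram: nginx ---(http/8080)---> tomcat/jasperserver
            proxy_pass http://127.0.0.1:8080;

            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

After reloading nginx (`nginx -t && nginx -s reload`), repeat the action that failed before (e.g. editing a user) and confirm the CSRFGuard "potential cross-site request forgery" line no longer appears in the jasperserver log. nginx drops underscored header names on purpose: CGI-style environments map both `X-Token` and `X_Token` to the same `HTTP_X_TOKEN` variable, so accepting underscores lets a client inject a header that collides with one the front end sets. If that matters in your environment, prefer the second fix from the post (rename the token header to a hyphenated name in Owasp.CsrfGuard.properties; in OWASP CSRFGuard 3.x this is the `org.owasp.csrfguard.TokenName` property, but check the file shipped with your jasperserver version) and leave `underscores_in_headers` at its default.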

    Answer

    Answered it myself - hopefully this is of some use to others, too
