We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.
internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver
When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:
CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
After some debugging we found the cause for this:
In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN
and OWASP_CSRFTOKEN
respectively).
Solution is to either:
nginx: allow underscores in headers
server { ... underscores_in_headers on;
- jasperserver: change token configuration name in
jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties
Also see here:
- header variables go missing in production
- http://wiki.nginx.org/HttpCoreModule#underscores_in_headers