Running jasperserver behind nginx: Potential CSRF

2019-04-20 22:43发布

问题:

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.

internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver

When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:

CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

After some debugging we found the cause for this:

In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).

Solution is to either:

  • nginx: allow underscores in headers

    server {
       ...
       underscores_in_headers on;
    
  • jasperserver: change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Also see here:

  • header variables go missing in production
  • http://wiki.nginx.org/HttpCoreModule#underscores_in_headers

回答1:

Answered it myself - hopefully this is of some use to others,too



回答2:

I had this issue with Jasperserver 5.5 AWS AMI

More specific:

/var/lib/tomcat7/webapps/jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change:

org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:

org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY


回答3:

My version of Jasperserver looked slightly different, the CSRFguard files are located in jasperserver/WEB-INF/csrf

I edited the jrs.csrfguard.properties file.