We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.

internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver

When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:

CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

After some debugging we found the cause for this:

In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).

Solution is to either:

• nginx: allow underscores in headers

  server {
     ...
     underscores_in_headers on;
  

• jasperserver: change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Also see here:

• header variables go missing in production
• http://wiki.nginx.org/HttpCoreModule#underscores_in_headers