Welcome! Log In Create A New Profile

Advanced

CSRF token verification failed. Request aborted

Posted by kush05 
Forum List Message List New Topic
kush05
CSRF token verification failed. Request aborted
October 11, 2018 08:19AM
Hi All,

I am using nginx 1.15.3 in our application as a proxy server. It has a server config block which works as a HTTP as well as HTTPS server.(mentioned below).

x.y.z.f indicates IP of the HTTPS web server.

What is the use case ?
This is a case of redirection from HTTP to HTTPS server.
When the user opens up http://somedomain.com/users/ on the browser, he gets redirect to https://x.y.z.f/ as per the location config below. Also, "/users" in the location below is a just a placeholder to redirect to https://x.y.z.f and does not represent an actual api on https://x.y.z.f server.

Problem statement:
The location config works fine and i land on on login page of https://x.y.z.f, but i get a 403 Forbidden "CSRF verification failed. Request aborted." on login.

Please suggest.

server {
listen 80 default_server;
listen [::]:8080 default_server ipv6only=on;
client_max_body_size 30000m;

listen 443 ssl default_server;
listen [::]:443 ssl;
ssl_certificate abc.cert;
ssl_certificate_key abc.key;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 60m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


location ~* ^/users/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;

}

location ~* ^/static/(.*)$ {
proxy_pass https://x.y.z.f;
rewrite ^/users/(.*)$ / break;
proxy_set_header X-Real_IP $remote_addr;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Accept';
add_header 'Access-Control-Allow-Methods' 'POST';
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header Accept-Encoding "";
proxy_pass_header X-CSRFToken;

}
}
Reply Quote
Newer Topic Older Topic
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 114
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready