openwisp / ansible-openwisp2

Ansible role that installs and upgrades OpenWISP.
https://openwisp.io/docs/dev/ansible/
BSD 3-Clause "New" or "Revised" License

CSRF issues #443

Closed stefangweichinger closed 1 year ago

stefangweichinger commented 1 year ago

I re-enabled an older VM with openwisp2 today and upgraded the setup using this role and newest ansible.

My playbook currently:

~/openwisp2-ansible-playbook/playbook.yml 
- hosts: openwisp2
  roles:
    - openwisp.openwisp2
  vars:
    openwisp2_default_from_email: "ow2@myother.tld"
    openwisp2_http_allowed_ip: "192.168.97.0/24"
    openwisp2_time_zone: "Europe/Berlin"
    openwisp2_django_cors:
      enabled: true
      allowed_origins_list: ["https://openwisp2.my.tld"]

This setup is proxied by HAproxy on a pfsense appliance, its IP 192.168.97.1 is in "openwisp2_http_allowed_ip", all this worked 2 years ago when I started this project.

The URL is "https://openwisp2.my.tld" and I have this in "allowed_origins_list"

Now I constantly get CSRF issues.

Tried "openwisp2_django_cors: enabled: false"

and various other things, I always get:

Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure:

    Origin checking failed - https://openwisp2.my.tld does not match any trusted origins.

Same with another browser (Chrome and Firefox).

How to avoid that? Do I have to remove some parts of the old installation maybe and let the ansible role deploy it from scratch?

Thanks for any pointers!

EDIT:

additional info: I get the login mask, enter credentials, then the CSRF error is returned

nemesifier commented 1 year ago

CORS and CSRF are 2 different things. CORS is for async HTTP requests sent via the browser. CSRF is cookie based. I have no idea why this is going on in your installation. I recommend looking into the CSRF documentation of Django, the framework OpenWISP is based on. I am closing this issue because it's not a bug report. If you think this is a bug, please submit a procedure to replicate this issue consistently on a new installation. For further support requests you can continue replying to this issue or use other support channels like mailing list or chat.

stefangweichinger commented 1 year ago

@nemesifier Thanks for the pointer. I never said it's a bug, I just asked how to properly configure this CSRF feature, or maybe turn it off. Trying that by editing settings.py etc. but I am far from being a Django coder to get that right in a few steps so far.

Maybe it plays a role that our openwisp VM runs behind an HAProxy reverse proxy. Maybe I have to configure this proxy as trusted somehow. I will try my best to find that out.

EDIT: solved by:

    # settings.py
    CSRF_TRUSTED_ORIGINS = ['https://openwisp2.my.tld']

nemesifier commented 1 year ago

Thanks for following up @stefangweichinger :+1:

cbeaujoin-stellar commented 3 months ago

With latest versions of Django I made these changes in settings.py of ansible-openwisp2:

    CSRF_TRUSTED_ORIGINS = {{ openwisp2_django_cors.get('allowed_origins_list', []) }}

Instead of:

    MIDDLEWARE.insert(MIDDLEWARE.index('django.middleware.csrf.CsrfViewMiddleware') + 1, 'corsheaders.middleware.CorsPostCsrfMiddleware')
    CORS_REPLACE_HTTPS_REFERER = {{ openwisp2_django_cors.get('replace_https_referer', False) }}

and rename CORS_ALLOWED_ORIGINS to CORS_ALLOW_ALL_ORIGINS

All of this according to the django-cors-headers documentation.
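The following is an added Python model of the Django origin check that produced the 403 in this thread, and of why the CSRF_TRUSTED_ORIGINS fix (and the template change above) resolves it. It is not code from the openwisp project or from anyone in this thread; it approximates the Django 4.x CsrfViewMiddleware origin verification, and it assumes that HAProxy terminates TLS and forwards plain HTTP to the VM, so Django reconstructs the request's own origin as http:// unless SECURE_PROXY_SSL_HEADER is configured.

```python
from urllib.parse import urlsplit


def origin_allowed(origin, request_scheme, request_host, trusted_origins):
    """Approximation of Django 4.x CSRF origin verification.

    The Origin header sent by the browser is accepted when it equals the
    origin Django reconstructs for the request itself, matches an entry in
    CSRF_TRUSTED_ORIGINS exactly, or matches a 'scheme://*.domain' wildcard
    entry. Note that CORS settings are never consulted here.
    """
    if origin == f"{request_scheme}://{request_host}":
        return True
    if origin in trusted_origins:
        return True
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return False  # e.g. "Origin: null" or a malformed header is rejected
    for trusted in trusted_origins:
        t = urlsplit(trusted)
        if t.scheme == parts.scheme and t.netloc.startswith("*"):
            # "*.my.tld" -> ".my.tld": matches "my.tld" and any subdomain
            pattern = t.netloc[1:]
            if parts.netloc == pattern[1:] or parts.netloc.endswith(pattern):
                return True
    return False


def login_post_passes(trusted_origins, request_scheme="http"):
    """The constructed situation from this thread: the browser POSTs the
    login form with Origin: https://openwisp2.my.tld, HAProxy forwards it as
    plain HTTP, so the request's own origin becomes http://openwisp2.my.tld
    (assumption: no SECURE_PROXY_SSL_HEADER set) and the two do not match."""
    return origin_allowed(
        "https://openwisp2.my.tld", request_scheme, "openwisp2.my.tld", trusted_origins
    )


if __name__ == "__main__":
    # Before the fix: CORS allowed_origins_list is set but CSRF_TRUSTED_ORIGINS is empty.
    print("empty CSRF_TRUSTED_ORIGINS:", login_post_passes([]))  # False -> 403
    # After the fix from the thread.
    print("with trusted origin:", login_post_passes(["https://openwisp2.my.tld"]))  # True
    # Alternative: tell Django the proxied request was HTTPS, so origins match.
    print("proxy scheme passed through:", login_post_passes([], "https"))  # True
```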