dawud closed 10 years ago
First off, thank you for the detail. We have a production environment in place utilizing HAProxy and Apache, which makes use of the X-Forwarded-For and X-Forwarded-Proto headers, so I'm pretty sure you have those things correct.
The main issue for CSRF is the OSTSESSID cookie being consistently sent through to the backend server and the PATH and the DOMAIN of the cookie being set up correctly.
Could you verify in your browser that the browser is consistently sending the OSTSESSID cookie and send an example Set-Cookie sent to you by this configuration?
Hello there,
This was indeed a misconfiguration on my side. All I needed was to set:
ProxyPreserveHost On
for the cookie to traverse the proxy correctly. Thanks for the feedback, it helped a lot debugging this problem. I'm closing this issue report as NOT A BUG.
Thanks!
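The check requested earlier in the thread (do the Domain and Path of OSTSESSID fit the public host?) can be scripted. This is an added example, not part of the original thread or of osTicket's code. The hostnames come from the issue; the cookie value, the request path, and the assumption that the backend derives the cookie Domain from the Host header it receives are constructed for illustration.

```python
from http.cookies import SimpleCookie

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: cookie path is a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_problems(set_cookie, public_host, request_path, name="OSTSESSID"):
    """List reasons a browser talking to public_host would not return `name`."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"{name} not present in Set-Cookie"]
    morsel, problems = jar[name], []
    domain, path = morsel["domain"], morsel["path"]
    # A Domain attribute that does not cover the request host makes the
    # browser discard the cookie, so the session (and CSRF token) never sticks.
    if domain and not domain_match(public_host, domain):
        problems.append(f"Domain={domain} does not cover {public_host}")
    # Only an explicit Path is checked; an absent Path defaults per request URL.
    if path and not path_match(request_path, path):
        problems.append(f"Path={path} does not cover {request_path}")
    return problems

# Constructed samples: what the backend might emit depending on the Host it sees.
PUBLIC_HOST = "osticket.domain.com"
WITHOUT_PRESERVE_HOST = "OSTSESSID=abc123; path=/; domain=backend-osticket.domain.com"
WITH_PRESERVE_HOST = "OSTSESSID=abc123; path=/; domain=osticket.domain.com"

if __name__ == "__main__":
    for label, header in [("ProxyPreserveHost Off", WITHOUT_PRESERVE_HOST),
                          ("ProxyPreserveHost On", WITH_PRESERVE_HOST)]:
        issues = cookie_problems(header, PUBLIC_HOST, "/login.php")
        print(label, "->", issues or "cookie will be sent back")
```

Paste the Set-Cookie value seen in the browser's network tab into `cookie_problems` together with the hostname shown in the address bar.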
Hello, I use an nginx directive with ispconfig to proxy a domain on an external server on a specified port, but I can't add the ProxyPreserveHost On directive in ispconfig because it isn't accepted.
Anyone know how to solve this login problem using the nginx directives? http://wiki.nginx.org/HttpRewriteModule
Best regards.
Hi devs,
I'm facing a problem when trying to use 1.7.4 with the following settings:
frontend machine's configuration is fairly simple:
backend's config is as follows:
Both server names (osticket.domain.com and backend-osticket.domain.com) are DNS resolvable. Backend's LogFormat has been configured to log the X-Forwarded-For IP.
Log entries in both servers:
I haven't been able to find any issues with the webservers' configuration, as the backend receives the X-Forwarded-For header correctly, and, as per this search and this other, it is already handled internally by osTicket.
However, I'm triggering the CSRF protection somehow, hence this Issue Report.
Thanks.