osTicket / osTicket-1.7

GNU General Public License v2.0

"Valid CSRF Token Required" error with osTicket behind Apache http_proxy #755

Closed dawud closed 10 years ago

dawud commented 10 years ago

Hi devs,

I'm facing a problem when trying to use 1.7.4 with the following settings:

Both server names (osticket.domain.com and backend-osticket.domain.com) are DNS resolvable. Backend's LogFormat has been configured to log the X-Forwarded-For IP.

Log entries in both servers:

172.26.130.101 - - [01/Oct/2013:10:57:50 +0200] "GET /scp/ HTTP/1.1" 200 1712 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
172.26.130.101 - - [01/Oct/2013:10:57:50 +0200] "GET /scp/images/grey_btn_bg.png?1312910883 HTTP/1.1" 304 - "http://osticket.company.com/scp/css/login.css" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
172.26.130.101 - - [01/Oct/2013:10:57:53 +0200] "POST /scp/login.php HTTP/1.1" 400 25 "http://osticket.company.com/scp/" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
172.26.130.101 172.22.197.46 - - [01/Oct/2013:10:57:50 +0200] "GET /scp/ HTTP/1.1" 200 1712 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
172.26.130.101 172.22.197.46 - - [01/Oct/2013:10:57:50 +0200] "GET /scp/images/grey_btn_bg.png?1312910883 HTTP/1.1" 304 - "http://osticket.company.com/scp/css/login.css" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
172.26.130.101 172.22.197.46 - - [01/Oct/2013:10:57:53 +0200] "POST /scp/login.php HTTP/1.1" 400 25 "http://osticket.company.com/scp/" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"

I haven't been able to find any issues with the webservers' configuration, as the backend receives the X-Forwarded-For header correctly, and, as per this search and this other, it is already handled internally by osTicket.

However, I'm triggering the CSRF protection somehow, hence this Issue Report.

Thanks.

greezybacon commented 10 years ago

First off, thank you for the detail. We have a production environment in place utilizing HAProxy and Apache, which makes use of the X-Forwarded-For and X-Forwarded-Proto headers, so I'm pretty sure you have those things correct.

The main issue for CSRF is the OSTSESSID cookie being consistently sent through to the backend server and the PATH and the DOMAIN of the cookie being set up correctly.

Could you verify in your browser that the browser is consistently sending the OSTSESSID cookie, and send an example Set-Cookie sent to you by this configuration?

dawud commented 10 years ago

Hello there,

This was indeed a misconfiguration on my side. All I needed was to set:

ProxyPreserveHost On

for the cookie to traverse the proxy correctly. Thanks for the feedback, it helped a lot debugging this problem. I'm closing this issue report as NOT A BUG.

Thanks!

openaspace commented 9 years ago

Hello, I use an nginx directive with ispconfig to proxy a domain to an external server on a specified port, but I can't add the ProxyPreserveHost On directive in ispconfig because it isn't accepted.

Does anyone know how to solve this login problem using the nginx directives? http://wiki.nginx.org/HttpRewriteModule

Best regards.
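As an added example (not configuration from the thread or from the osTicket project), the front-end Apache vhost for the two hostnames in the report, showing the setting that produces the CSRF failure beside the fix dawud applied, with the nginx equivalent for the follow-up question in the comments. Backend port, paths and the use of mod_headers are assumptions.

```apache
# Added example: reverse proxy for osticket.domain.com in front of
# backend-osticket.domain.com (names from the report; port 8080 assumed).
<VirtualHost *:80>
    ServerName osticket.domain.com

    # Failing form. mod_proxy's default is "ProxyPreserveHost Off", so the
    # backend sees "Host: backend-osticket.domain.com". Anything it derives
    # from Host (its own URL, cookie scope) then refers to a name the browser
    # is not using, the OSTSESSID cookie is not returned on the next request,
    # and the POST to /scp/login.php fails the CSRF check with a 400.
    #   ProxyPreserveHost Off

    # Fixed form: hand the browser's original Host header to the backend.
    ProxyPreserveHost On

    # mod_proxy_http adds X-Forwarded-For, X-Forwarded-Host and
    # X-Forwarded-Server by itself. X-Forwarded-Proto is not added, so set
    # it explicitly (needs mod_headers) for the backend to build correct URLs.
    RequestHeader set X-Forwarded-Proto "http"

    ProxyPass        / http://backend-osticket.domain.com:8080/
    ProxyPassReverse / http://backend-osticket.domain.com:8080/
</VirtualHost>

# nginx equivalent. nginx also sends the upstream name as Host by default
# ($proxy_host), so the same symptom appears until Host is set explicitly:
#
#   location / {
#       proxy_set_header Host              $host;
#       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#       proxy_set_header X-Forwarded-Proto $scheme;
#       proxy_pass http://backend-osticket.domain.com:8080;
#   }
```

To confirm the fix, check in the browser's network tools that the Set-Cookie for OSTSESSID has no Domain or Path that excludes osticket.domain.com, and that the cookie is present on the POST to /scp/login.php.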