parkpow / deep-license-plate-recognition

Automatic License Plate Recognition (ALPR) or Automatic Number Plate Recognition (ANPR) software that works with any camera.
https://platerecognizer.com/
MIT License

Django CSRF Error #124

Closed MrCybertux closed 1 year ago

MrCybertux commented 1 year ago

Describe the bug: After setting up ParkPow behind a reverse proxy, all requests going through the proxy get a CSRF error.

To Reproduce: Steps to reproduce the behavior:

  1. Set up ParkPow with the provided Docker file behind an Nginx reverse proxy for TLS
  2. Connect via the reverse proxy and try to log in
  3. See the error page with the error 403 Forbidden (Origin checking failed - null does not match any trusted origins.)

Expected behavior: Have ParkPow available over TLS

Desktop (please complete the following information):

Additional context: Log entries

2023-05-23 13:39:55 [WARNING] [/opt/pysetup/.venv/lib/python3.11/site-packages/django/utils/log.py:241]: Forbidden (Origin checking failed - null does not match any trusted origins.): /accounts/login/

() {72 vars in 1485 bytes} [Tue May 23 13:39:55 2023] POST /accounts/login/ => generated 1019 bytes in 3 msecs (HTTP/1.1 403) 7 headers in 229 bytes (1 switches on core 2)

ttayson commented 1 year ago

@MrCybertux Is this a new installation, or did you already use it normally?

We are checking the situation to simulate the problem based on your information.

MrCybertux commented 1 year ago

> @MrCybertux Is this a new installation, or did you already use it normally?
>
> We are checking the situation to simulate the problem based on your information.

It is new, we finalized the setup today.

koteakh1 commented 1 year ago

To debug this further, try setting the following in your nginx config: proxy_set_header Origin "";

koteakh1 commented 1 year ago

A few questions:

  1. Which browser are you using?
  2. You are running into this issue when trying to log in (making a POST request). What happens when you simply load the login page? Does the page load over HTTP or HTTPS?
  3. Are you changing origin and referrer headers via nginx?

MrCybertux commented 1 year ago

> A few questions:
>
>   1. Which browser are you using?
>   2. You are running into this issue when trying to log in (making a POST request). What happens when you simply load the login page? Does the page load over HTTP or HTTPS?
>   3. Are you changing origin and referrer headers via nginx?

  1. The tests were made with Brave and Firefox on Linux and Chrome and Firefox on Windows.
  2. Yes, it only happens on login; before that the page loads normally.
  3. We are using the Bunkerized Nginx project; it removes headers when sending responses to clients:
     Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version

The REFERRER_POLICY was set to no-referrer. I will try same-origin and report back the result.

Do X-Content-Type-Options matter?

koteakh1 commented 1 year ago

no-referrer will definitely cause this issue. There could be other reasons too but let's start by replacing no-referrer. X-Content-Type-Options does not matter.

ttayson commented 1 year ago

@MrCybertux I was able to reproduce your problem and configure it to work properly; you need to add the X-Forwarded-Proto header to the configuration file in Nginx.

I am trying with pure Nginx; in my case it was only necessary to add proxy_set_header X-Forwarded-Proto $scheme to the configuration file.

Please test and tell us if it worked correctly.


MrCybertux commented 1 year ago

Setting same-origin in bunkerized nginx via the environment variable REFERRER_POLICY worked.

Doc: https://bunkerized-nginx.readthedocs.io/en/v1.3.2/environment_variables.html#security-headers

Thanks for your help and fast responses. 👍🏻
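Why both fixes in this thread matter, modelled in plain Python: a `null` Origin (what browsers send for a POST under `Referrer-Policy: no-referrer`) can never match a trusted origin, and without `X-Forwarded-Proto` Django believes the request arrived over plain HTTP, so the browser's `https://` Origin does not match either. This is an added illustration of the shape of Django's CsrfViewMiddleware origin check, not Django's or ParkPow's code; the host name, the empty trusted-origins list, the assumption that `SECURE_PROXY_SSL_HEADER` points at `X-Forwarded-Proto`, and the sample request headers are all constructed.

```python
from urllib.parse import urlparse

# Constructed sample data: host name, trusted origins and the proxy header
# Django would be told about via SECURE_PROXY_SSL_HEADER. Not real settings.
HOST = "parkpow.example"
TRUSTED_ORIGINS = []                     # CSRF_TRUSTED_ORIGINS left empty
PROXY_SSL_HEADER = ("X-Forwarded-Proto", "https")

BAD_ORIGIN = "Origin checking failed - {} does not match any trusted origins."
NO_REFERER = "Referer checking failed - no Referer."
INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
BAD_REFERER = "Referer checking failed - {} does not match any trusted origins."

def is_secure(headers):
    """TLS ends at nginx, so Django only learns the scheme from the proxy header."""
    name, value = PROXY_SSL_HEADER
    return headers.get(name) == value

def csrf_origin_check(headers):
    """Simplified shape of Django's CsrfViewMiddleware check for a POST.
    Returns None when the request passes, otherwise the rejection reason."""
    secure = is_secure(headers)
    request_origin = f"{'https' if secure else 'http'}://{HOST}"
    if "Origin" in headers:
        # Browsers send 'Origin: null' under Referrer-Policy: no-referrer, and
        # 'null' can never equal the request origin or a trusted origin.
        origin = headers["Origin"]
        if origin == request_origin or origin in TRUSTED_ORIGINS:
            return None
        return BAD_ORIGIN.format(origin)
    if not secure:
        return None  # no Origin and plain HTTP: Django skips the Referer check
    referer = headers.get("Referer")
    if referer is None:
        return NO_REFERER
    parsed = urlparse(referer)
    if parsed.scheme != "https":
        return INSECURE_REFERER
    referer_origin = f"{parsed.scheme}://{parsed.netloc}"
    if referer_origin == request_origin or referer_origin in TRUSTED_ORIGINS:
        return None
    return BAD_REFERER.format(referer)

# Constructed requests mirroring the three situations in the thread.
NO_REFERRER_POLICY = {"Origin": "null", "X-Forwarded-Proto": "https"}
MISSING_FORWARDED_PROTO = {"Origin": "https://parkpow.example"}
FIXED = {"Origin": "https://parkpow.example", "X-Forwarded-Proto": "https"}
```

`csrf_origin_check(NO_REFERRER_POLICY)` reproduces the exact message from the log above, and `MISSING_FORWARDED_PROTO` fails with the browser's `https://` origin rejected against an `http://` request origin.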