
Upgrading issue in 9.2.X

Open abdulsalam3105 opened this issue 10 months ago • 9 comments

I am upgrading from 8.1.11 to 9.2.8 and found that while accessing the trafficserver URL, it throws the error below once it authenticates with the auth server:

error_code: _csrf_attack
error_message: CRJSA0001E A potential cross-site request forgery (CSRF) attack was detected.
error_message_explanation: Either a CSRF attack occurred or, in rare cases, a defect caused the system to falsely detect one.
error_message_useraction: If an attack occurred, the system denied it and no further action is required.

My setup is: trafficserver is placed in front of the IBM httpd server, and my application (origin) is placed behind the httpd server.

My remap.config looks like below:

map https://trafficserverurl.com https://ibmhttpd.com
reverse_map https://ibmhttpd.com https://trafficserverurl.com

I have a header_rewrite.config file:

cond %{SEND_REQUEST_HDR_HOOK}
set-header Host "trafficserfqdn"

This works in 8.1.11 but does not work in 9.2.8. Can anyone help to figure out the issue?

abdulsalam3105, Feb 20 '25 17:02

@bryancall, is the change below causing the issue?

"Traffic Server v9.0.0 and beyond, URL rewrites specified in remap.config are now performed before any plugins are executed. This is a shift from previous behavior, where plugins could modify URLs and headers before the rewrite occurred. As a result, plugins that modify the cache key or rely on the original URL could behave differently."

I see the redirect-url in my response is the ihsurl, but it should be the trafficserverurl. Is it possible to delay remap.config?

abdulsalam3105, Feb 21 '25 17:02

@bryancall, can you redirect me to a support forum, if there is any?

abdulsalam3105, Feb 24 '25 19:02

@mlibbey, I saw you have answered a related question; could you please consider my query?

abdulsalam3105, Feb 26 '25 03:02

I can't imagine that the version of ATS would matter here. The browser has security rules around Cross Site scripting attacks, so you'd need to put CORS solutions in place: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS The header rewrite you show just sets the Host header for the request to the origin. The error message implies it's from the client, and implies that it got (correct) content / that the origin request went OK.

mlibbey, Feb 26 '25 04:02

Thank you @mlibbey for the quick response. The reason I suspect the ATS version: it works in 8.1.11 and it doesn't work in 9.2.8.

"Traffic Server v9.0.0 and beyond, URL rewrites specified in remap.config are now performed before any plugins are executed. This is a shift from previous behavior, where plugins could modify URLs and headers before the rewrite occurred. As a result, plugins that modify the cache key or rely on the original URL could behave differently."

I am thinking the above change affects my current setup, in which I set the Host header in a plugin. In my remap.config the actual origin is set like below:

map https://trafficserverurl.com/ https://ibmhttpd.com/
reverse_map https://ibmhttpd.com/ https://trafficserverurl.com/

In my network console I see the host as https://ibmhttpd.com/, but it should be trafficserverurl.

Any suggestion here?

abdulsalam3105, Feb 26 '25 04:02

Also, what I understand about this version: since URL rewrites in remap.config now occur before plugins execute, any modifications a plugin makes (such as setting the Host header) happen after the URL has already been rewritten. This can cause unintended behavior, like the incorrect Host header being used.

Can we set it like this:

map https://trafficserverurl.com/ https://ibmhttpd.com/ @plugin=header_rewrite.so @pparam=host_rewrite.config
reverse_map https://ibmhttpd.com/ https://trafficserverurl.com/

to pass the plugin in remap.config itself?

My setup is: trafficserverurl sends the request to the application URL via the IHS URL, i.e. https://ibmhttpd.com/, and it sends the request to the auth server, and the auth server sends the request to the application URL with the redirect URI as the trafficserver URL, but in this version it is passed with the IHS URL.

abdulsalam3105, Feb 26 '25 14:02

In your header_rewrite, you use cond %{SEND_REQUEST_HDR_HOOK}. To act at the time of remap, you'd need to use REMAP_PSEUDO_HOOK: https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/header_rewrite.en.html#hook-conditions The cachekey plugin definitely still works, and definitely happens before sending requests to the origin. Also, FWIW, proxy.config.url_remap.pristine_host_hdr chooses the inbound vs. "outbound" Host: header to use when going to origin.

mlibbey, Feb 26 '25 16:02
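The three files the answer above refers to, assembled into one consistent configuration as an added illustration; this is not configuration from the thread or from the Traffic Server project. The hostnames are the placeholders used in this issue, and the rule file name host_rewrite.config is the one the reporter proposed.

```text
# --- remap.config ---
# In 9.x the rewrite runs before global plugins, so the header_rewrite
# instance is attached to the remap rule itself and fires during remap.
map         https://trafficserverurl.com/ https://ibmhttpd.com/ @plugin=header_rewrite.so @pparam=host_rewrite.config
reverse_map https://ibmhttpd.com/         https://trafficserverurl.com/

# --- host_rewrite.config (rule file named in @pparam above) ---
# REMAP_PSEUDO_HOOK is the hook available to a remap-attached rule; the
# global-plugin hook SEND_REQUEST_HDR_HOOK from the original report is
# what ran too late here. Host value assumed to be the public FQDN.
cond %{REMAP_PSEUDO_HOOK}
set-header Host "trafficserverurl.com"

# --- records.config ---
# 1 = keep the client's original (pristine) Host header on the origin
# request instead of replacing it with the remapped origin host, so
# IHS and the auth server see trafficserverurl.com, not ibmhttpd.com.
CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
```

After `traffic_ctl config reload`, a response fetched with `curl -sS -D - -o /dev/null https://trafficserverurl.com/` should carry a Location header naming trafficserverurl.com rather than ibmhttpd.com; if it still names the internal host, the redirect is being built from a hostname the origin or auth server obtains somewhere other than the Host header.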

So, I need to use header_rewrite.config as:

cond %{REMAP_PSEUDO_HOOK}
set-header Host "trafficserfqdn"

and set proxy.config.url_remap.pristine_host_hdr to 1 in records.config?

abdulsalam3105, Feb 26 '25 18:02

I have set the above-mentioned configuration in my system, but the auth server still passes redirect_uri as the IHS URL, not the trafficserver URL.

abdulsalam3105, Feb 26 '25 18:02