
CSRF hits when using load balancer

Open kapolos opened this issue 8 years ago • 11 comments

I am trying to put a rancher load balancer in front of mysteryshack.

The load balancer does the SSL termination and reverse proxy to the mysteryshack container port (which is not exposed to the outside world). When I go to https://mysteryshackdomain/ I see the login page normally, but after I enter my credentials I get "CSRF detected". Any advice on resolving this? 📲

kapolos avatar Jan 13 '17 07:01 kapolos

Update: I've switched to caddy, enabled the proxy setting in the mysteryshack config file, set the proper headers in caddy, same result.

These docker logs appear immediately after mysteryshack starts running - before I make any request via the proxy.

1/14/2017 6:29:46 PM Generating session keys...
1/14/2017 6:29:46 PM Listening on: http://0.0.0.0:6767
1/14/2017 6:29:54 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:29:54 PM note: Run with `RUST_BACKTRACE=1` for a backtrace.
1/14/2017 6:29:58 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:29:58 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:30:00 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:30:05 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:30:06 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:30:07 PM thread '<unnamed>' panicked at 'Missing header: "X-Forwarded-Host". Turn off use_proxy_headers or set proxy headers.', src/mysteryshack/web/utils.rs:39
1/14/2017 6:38:17 PM Generating session keys...
1/14/2017 6:38:17 PM Listening on: http://0.0.0.0:6767

Afterwards, when I load the site and try to log in, no further logs appear.

kapolos avatar Jan 14 '17 16:01 kapolos

As explained in the config file, you need to set the appropriate headers or disable proxy support entirely (in that case you need to forward the original Host header).

untitaker avatar Jan 14 '17 20:01 untitaker

Well, that's the thing, the headers are set - this is the caddy config:

remotestorage.domain.com {
 
   proxy / mysteryshack.remotestorage:6767 {
     websocket
     transparent
     header_upstream X-Forwarded-Host {host}
     header_upstream X-Forwarded-Port {port}
   }
 
   gzip
 
   tls [email protected]
 }

As per the docs, transparent is a shorthand for:

header_upstream Host {host}
header_upstream X-Real-IP {remote}
header_upstream X-Forwarded-For {remote}
header_upstream X-Forwarded-Proto {scheme}

Those, along with the added

     header_upstream X-Forwarded-Host {host}
     header_upstream X-Forwarded-Port {port}

should make the proxy support work, no? If so, I think it's a bug, rather than a config issue.

kapolos avatar Jan 15 '17 06:01 kapolos
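To make the two failure modes in this thread concrete, here is an added example (written for this page, not mysteryshack's own code, whose real CSRF logic in src/mysteryshack/web/utils.rs is not shown here): a simplified origin-based CSRF check that derives the application's externally visible origin either from the X-Forwarded-* headers (proxy mode) or from the plain Host header (proxy mode off). The header set is constructed from what the Caddyfile above would send upstream (`transparent` plus the two extra `header_upstream` lines); the IP addresses, the `Origin`/`Referer` values, the `use_proxy_headers` flag name and the handling of X-Forwarded-Port are assumptions of this example. It shows the error a missing X-Forwarded-Host produces in proxy mode, and why turning proxy mode off behind a TLS-terminating proxy can make a browser's `https://` Origin mismatch the `http://` origin the app would otherwise assume.

```rust
use std::collections::HashMap;

/// Request headers keyed by lowercase header name (constructed for this example).
pub type Headers = HashMap<String, String>;

#[derive(Debug, PartialEq)]
pub enum ProxyError {
    MissingHeader(&'static str),
}

#[derive(Debug, PartialEq)]
pub enum CsrfError {
    Proxy(ProxyError),
    MissingOrigin,
    OriginMismatch { expected: String, got: String },
}

/// Build the header map from (name, value) pairs, normalising names to lowercase.
pub fn headers_from(pairs: &[(&str, &str)]) -> Headers {
    pairs.iter().map(|(k, v)| (k.to_ascii_lowercase(), v.to_string())).collect()
}

/// Constructed sample of what the thread's Caddy config (`transparent` plus the two
/// added header_upstream lines) forwards, plus the Origin a browser sends on login.
pub fn caddy_sample() -> Headers {
    headers_from(&[
        ("Host", "remotestorage.domain.com"),
        ("X-Real-IP", "203.0.113.7"),              // assumed client address
        ("X-Forwarded-For", "203.0.113.7"),
        ("X-Forwarded-Proto", "https"),
        ("X-Forwarded-Host", "remotestorage.domain.com"),
        ("X-Forwarded-Port", "443"),
        ("Origin", "https://remotestorage.domain.com"),
    ])
}

/// Origin the application believes it is reachable at.
/// In proxy mode the proxy's X-Forwarded-* headers are authoritative and a missing
/// X-Forwarded-Host is an error (the message mirrors the panic in the thread's log).
/// With proxy mode off, the app only knows its own plain-HTTP listener and the Host
/// header that was passed through.
pub fn external_origin(headers: &Headers, use_proxy_headers: bool) -> Result<String, ProxyError> {
    let get = |name: &'static str| {
        headers
            .get(&name.to_ascii_lowercase())
            .map(String::as_str)
            .ok_or(ProxyError::MissingHeader(name))
    };
    if !use_proxy_headers {
        return Ok(format!("http://{}", get("Host")?));
    }
    let scheme = get("X-Forwarded-Proto")?;
    let mut host = get("X-Forwarded-Host")?.to_string();
    // Assumption: X-Forwarded-Port only matters when it is non-default and Host has no port.
    if let Some(port) = headers.get("x-forwarded-port") {
        let is_default = (scheme == "https" && port == "443") || (scheme == "http" && port == "80");
        if !host.contains(':') && !is_default {
            host = format!("{}:{}", host, port);
        }
    }
    Ok(format!("{}://{}", scheme, host))
}

/// Extract scheme://host[:port] from an absolute URL (used for the Referer fallback).
fn origin_of(url: &str) -> Option<String> {
    let idx = url.find("://")?;
    let rest = &url[idx + 3..];
    let end = rest.find('/').unwrap_or(rest.len());
    Some(format!("{}{}", &url[..idx + 3], &rest[..end]))
}

/// Simplified origin-comparison CSRF check for a state-changing request such as login.
pub fn csrf_check(headers: &Headers, use_proxy_headers: bool) -> Result<(), CsrfError> {
    let expected = external_origin(headers, use_proxy_headers).map_err(CsrfError::Proxy)?;
    let got = headers
        .get("origin")
        .cloned()
        .or_else(|| headers.get("referer").and_then(|r| origin_of(r)))
        .ok_or(CsrfError::MissingOrigin)?;
    if got.eq_ignore_ascii_case(&expected) {
        Ok(())
    } else {
        Err(CsrfError::OriginMismatch { expected, got })
    }
}

fn main() {
    let full = caddy_sample();
    println!("proxy mode on, full header set: {:?}", csrf_check(&full, true));
    let mut no_fwd_host = caddy_sample();
    no_fwd_host.remove("x-forwarded-host");
    println!("proxy mode on, X-Forwarded-Host missing: {:?}", csrf_check(&no_fwd_host, true));
    println!("proxy mode off behind TLS termination: {:?}", csrf_check(&full, false));
}
```

The practical check this suggests when debugging such a setup is to confirm, at the upstream side, exactly which headers arrive (not just which ones the proxy config intends to send) and that their values form the same scheme and host the browser puts in Origin.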

In master I added extra code for better error messages, please check again. It might be that your host header is not in the expected format.

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/untitaker/mysteryshack/issues/65#issuecomment-272677962

untitaker avatar Jan 15 '17 14:01 untitaker

@kapolos any update on this?

untitaker avatar Jan 22 '17 23:01 untitaker

@untitaker Hard week, haven't had the chance yet, hopefully by late tomorrow.

kapolos avatar Jan 23 '17 16:01 kapolos

[image]

[image]

kapolos avatar Jan 30 '17 02:01 kapolos

That appears to be the wrong portion of the error log, since the CSRF error message doesn't return a 404 status code.

untitaker avatar Jan 30 '17 15:01 untitaker

That's all there was. I'll retry just in case though.

kapolos avatar Jan 30 '17 20:01 kapolos

Any progress with that issue? I have the same one (caddy reverse proxy, CSRF detected).

pwFoo avatar Mar 18 '18 14:03 pwFoo

I'm sorry, I don't maintain this anymore.

untitaker avatar Mar 18 '18 18:03 untitaker