nginx + csrf token issues with reverse proxy

[Dark-Sider]

Hi,

I have a web-application that up until now used a NAT port-forward. However I need URL-based filtering. As the application is "closed", my solution of choice was to setup a nginx reverse proxy in opnsense and add some ACL-based filtering. It all works great, except on small but important detail:

The web-app displays a logon-page. If I enter the correct username / password (while using nginx as reverse proxy) it displays an login error page. The web-app's log shows:

Code: [Select]

[ERROR] 2022-02-24 13:14:01,144 [qtp142733894-87857] Unauthorized access detected
com.appName.AuthenticationException: Invalid CSRF token

If I then press "reload" on the browser, I'm magically logged in and everything works. Since the web-app is also accessed by external users, I would like to get it 100% working though

The reverse proxy configuration is very basic at this stage:
Upstream, and Upstream server are configured with correct ssl certs.
I tried the Upstream configuration with Proxy Protocol enabled and disabled (no difference)

Location configuration is as basic as it can get (just enforce HTTPS) I also tried to enable and disable the response/request buffering (no idea what this actually does though)

The HTTP-Server configuration is also very basic. It just listens on a specific virtual IP on specific ports. Location is set and SSL-Cert is set.
I also tried enabling proxy protocol within the HTTP-Server options, and setting the real ip source to all options. Nothing worked (I restarted nginx after each configuration change)

I have not defined any security headers.

Any ideas what my configuration is missing?

regards
Dark-Sider

[Dark-Sider]

Hi again,

I meanwhile solved the problem with the help of mitmproxy to inspect the headers.

As it turns out nginx rewirtes several headers to lower-case. In my case the header field X-XSRF-TOKEN was changed to x-xsrf-token which caused the problem within the webapp.

I hot-fixed the problem by including

Code: [Select]

proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token;
in the /usr/local/opnsense/service/templates/OPNsense/Nginx/location.conf template.

Is saw that the generated nginx.conf contains includes for each location in the form of:

Code: [Select]

include <guid>_post/*.conf;

Would you suggest to create that directory and put an include config there myself? Do you know of any other ways to have nginx not change the case of header-fields?

Edit: it appears that client <-> nginx is using http2 and nginx <-> webapp is using http 1.1. As http2 requires headers in lowercase format chrome actually sends them in lower case.... aye.

thx
Dark-Sider

[fabian]

AFAIK the http standard also says that case does not matter in headers.