Versions Compared

Comment: Made the exact circumstances in which the problem occurs and their solution more clear.

Symptom

When the user tries to perform a verification on the Cryptshare user interface, the "Next" button does not respond (but the unresponsiveness can also occur at other places). Additionally, the browser console logs lots of errors with the message "Origin does not correspond to request".

Applies to

  • Cryptshare Version 4 and above, although the specific behaviour may differ between 4.0/4.1 and later versions.

Cause

This issue is most likely caused by a misconfigured reverse proxy.

Beginning with Cryptshare Version 4, requests to the server are checked for the "Origin" header to prevent CSRF attacks. If the "Origin" header is missing, or its protocol, host (and port, if supplied) differ from those of the request "Host" header and/or the requested URL, the server responds with status code 400 (bad request). Both headers are set by the browser and sent to the Cryptshare Server.

If a reverse proxy performs SSL termination and the request URL arrives at the Cryptshare Server as "HTTP" instead of the originally intended "HTTPS", the request URL and the "Origin" header no longer match.

Resolution

There are two different approaches to mitigate the issue:

  • You reconfigure the reverse proxy to remove the "Origin" header, in which case Cryptshare does not perform a CSRF check.
  • You reconfigure the reverse proxy to rewrite the "Origin" header so that it matches the internal URL (scheme, hostname, port), in which case the Cryptshare CSRF check succeeds.

is used, both the "Host" and "Origin" headers will most likely contain the hostname, port (if any) and scheme of the reverse proxy. If these headers are not adapted accordingly, the Cryptshare Server detects a mismatch with the requested URL as described above, because the URL targets the Cryptshare Server, not the reverse proxy.

Resolution

To make sure that the Cryptshare Server receives requests whose URL, "Host" header and "Origin" header match, both headers need to be set or adapted by the reverse proxy. Depending on the product, this may happen automatically for the "Host" header.

Assuming the hostname of the Cryptshare Server is "cryptshare-internal", the headers need to be set as follows:

Host: cryptshare-internal
Origin: http://cryptshare-internal

If the port number of the Cryptshare Server differs from the default, it also has to be specified in both headers. For example:

Host: cryptshare-internal:8888
Origin: http://cryptshare-internal:8888
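The following is an added example that models the behaviour described in the Cause and Resolution sections above; it is not Cryptshare's own code or a copy of any real reverse proxy. It mirrors the article's description of the check (the "Origin" header must match the scheme, host and port of the requested URL and the "Host" header, a missing "Origin" skips the check) and the two proxy-side fixes (drop the header, or rewrite it to the internal URL). The hostnames, the backend port 8888 and the "cryptshare.example.com" proxy name are constructed sample values, and the `passthrough`, `drop` and `rewrite` mode names are this example's own.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _scheme_host_port(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def check_origin(request_url, headers):
    """Model of the Origin check the article describes (not Cryptshare's code).

    Returns (status, reason): 200 when the check passes or is skipped,
    400 when "Origin" or "Host" does not correspond to the requested URL.
    """
    origin = headers.get("Origin")
    if origin is None:
        # Approach 1 from the Resolution: no Origin header, no CSRF check.
        return 200, "no Origin header, CSRF check skipped"
    url_parts = _scheme_host_port(request_url)
    if _scheme_host_port(origin) != url_parts:
        return 400, f"Origin {origin} does not correspond to request {request_url}"
    # The Host header carries "host[:port]" without a scheme; parse it with the
    # scheme of the request URL so the same comparison applies.
    host_hdr = headers.get("Host", "")
    if _scheme_host_port(f"{url_parts[0]}://{host_hdr}") != url_parts:
        return 400, f"Host {host_hdr} does not correspond to request {request_url}"
    return 200, "Origin check passed"


def proxy_forward(browser_headers, backend_url, mode):
    """Model of what a reverse proxy hands to the backend after SSL termination.

    mode="passthrough": headers forwarded unchanged (the misconfigured case);
    mode="drop":        Origin removed (approach 1);
    mode="rewrite":     Host and Origin set to the backend's scheme/host/port (approach 2).
    """
    forwarded = dict(browser_headers)
    if mode == "passthrough":
        return forwarded
    scheme, host, port = _scheme_host_port(backend_url)
    # Omit the port from Host/Origin when it is the scheme's default, as in the article.
    internal_host = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    forwarded["Host"] = internal_host
    if mode == "drop":
        forwarded.pop("Origin", None)
    elif mode == "rewrite":
        forwarded["Origin"] = f"{scheme}://{internal_host}"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return forwarded


# Constructed scenario: the browser talks HTTPS to the proxy, the proxy talks
# plain HTTP to the Cryptshare Server on a non-default port.
BROWSER_HEADERS = {"Host": "cryptshare.example.com", "Origin": "https://cryptshare.example.com"}
BACKEND_URL = "http://cryptshare-internal:8888/"


def demo():
    """Run the three proxy configurations and return {mode: (status, reason)}."""
    return {mode: check_origin(BACKEND_URL, proxy_forward(BROWSER_HEADERS, BACKEND_URL, mode))
            for mode in ("passthrough", "drop", "rewrite")}


if __name__ == "__main__":
    for mode, (status, reason) in demo().items():
        print(f"{mode:12s} -> {status}  {reason}")
```

Running it shows the unmodified ("passthrough") forward rejected with 400, which is the "Origin does not correspond to request" error from the Symptom section, while both the "drop" and "rewrite" configurations get 200. The "rewrite" path also demonstrates the article's rule that a non-default port must appear in both "Host" and "Origin".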
