Redirect loop when logging in to Jaspersoft

Time: 2019-04-26 13:42:40

Tags: tomcat jasperserver nginx-reverse-proxy redirect-loop

I have installed JasperServer on Tomcat 8 on Windows. I want users to reach it through nginx acting as a reverse proxy. I have installed nginx and created a server file for Jaspersoft. When I open the Jaspersoft URL, everything looks fine. However, as soon as I log in, I get redirected from "https://$URL/flow.html?_flowId=searchFlow" to "https://$URL". See the configuration and access log below.

I have searched the internet for related problems but could not find a solution.

Here is my nginx configuration:

server {
    listen 80;
    server_name jaspersoft-*.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jaspersoft-*.org;
    ssl on;
    server_tokens off;
    more_clear_headers Server;

    ssl_certificate         /etc/nginx/ssl/*.crt;
    ssl_certificate_key     /etc/nginx/ssl/*.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer";
    add_header Feature-Policy "vibrate 'self'; usermedia *;";

    location / {
        proxy_pass https://*:9443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Ssl on;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_read_timeout 600s;
    }
}

1 answer:

Answer 0 (score: 1)

See this post in the Jaspersoft community forum: https://community.jaspersoft.com/questions/1022641/apache-proxy-tomcat

The problem can usually be diagnosed from a message in the Tomcat log:

2020-02-08T13:39:28,211 ERROR CsrfGuard,http-nio-8080-exec-8:45 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/jasperserver/flow.html, error:required token is missing from the request)

The cause is the OWASP CSRFGuard library used by JasperServer. It cannot find a request header containing the required CSRF protection token, so it redirects back to the login page; but you are already logged in, so that redirects back to flow.html, and so on.

Apparently, in the default configuration of Jaspersoft Server, the CSRFGuard token name contains an underscore, which recent versions of the Apache and nginx proxies treat as invalid and silently strip from HTTP headers. In nginx there is a useful option for this, underscores_in_headers, but I could not find a similar option for Apache.

The fix is to edit the file named /WEB-INF/csrf/jrs.csrfguard.properties and look for the property "org.owasp.csrfguard.TokenName". My default value was "OWASP_CSRFTOKEN". I changed it to "OWASPCSRFTOKEN" (no underscore), and that solved the problem for me:

org.owasp.csrfguard.TokenName=OWASPCSRFTOKEN

Don't forget to restart Jaspersoft Server afterwards.
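The following Python script is an added example, not part of the question or the answer above and not code from JasperReports, CSRFGuard or nginx. It turns the answer's diagnosis into an offline check: it reads the CSRFGuard token name from a jrs.csrfguard.properties file, checks whether the nginx configuration enables underscores_in_headers (nginx defaults it to off and then ignores request headers whose names contain underscores), and scans a Tomcat log for the CsrfGuard "required token is missing" rejection quoted in the answer. The properties text, the nginx server block and the log lines embedded below are constructed samples; the only real identifiers are the property name, the directive name and the log message format taken from the page.

```python
"""Offline checker for the CSRFGuard-behind-nginx redirect loop (added example)."""
import re

# Constructed sample of jrs.csrfguard.properties with the default token name from the answer.
SAMPLE_PROPERTIES = """\
# constructed sample, not the file shipped with JasperReports Server
org.owasp.csrfguard.Enabled=true
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
org.owasp.csrfguard.Ajax=true
"""

# Constructed sample server block modelled on the question's config (hostnames are placeholders).
SAMPLE_NGINX_CONF = """\
server {
    listen 443 ssl http2;
    server_name jaspersoft.example.org;
    location / {
        proxy_pass https://backend.example.org:9443;
        proxy_set_header Host $host;
    }
}
"""

# Constructed sample log; the ERROR line follows the CsrfGuard format quoted in the answer.
SAMPLE_TOMCAT_LOG = """\
2020-02-08T13:39:27,100 INFO  SomeLogger,http-nio-8080-exec-7:12 - user session created
2020-02-08T13:39:28,211 ERROR CsrfGuard,http-nio-8080-exec-8:45 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/jasperserver/flow.html, error:required token is missing from the request)
"""

TOKEN_PROPERTY = "org.owasp.csrfguard.TokenName"


def csrf_token_name(properties_text):
    """Return the configured CSRFGuard token name, or None if the property is absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == TOKEN_PROPERTY:
            return value.strip()
    return None


def underscores_allowed(nginx_conf):
    """True if 'underscores_in_headers on;' appears in the config.

    nginx defaults the directive to off, so its absence means request headers
    with underscores in the name are dropped. (Simplified: real nginx scopes the
    directive to the http/server context; this check ignores scoping.)
    """
    m = re.search(r"^\s*underscores_in_headers\s+(on|off)\s*;", nginx_conf, re.M)
    return bool(m and m.group(1) == "on")


def header_would_be_dropped(header_name, nginx_conf):
    """Would nginx's default header handling strip a header with this name?"""
    return "_" in header_name and not underscores_allowed(nginx_conf)


# Matches the CsrfGuard rejection line and captures the fields it reports.
CSRFGUARD_MISSING_TOKEN = re.compile(
    r"^(?P<ts>\S+)\s+ERROR\s+CsrfGuard,.*?"
    r"\(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), method:(?P<method>[^,]*), "
    r"uri:(?P<uri>[^,]*), error:required token is missing from the request\)"
)


def csrfguard_missing_token_events(log_text):
    """Return (timestamp, user, ip, method, uri) for each missing-token rejection."""
    events = []
    for line in log_text.splitlines():
        m = CSRFGUARD_MISSING_TOKEN.match(line)
        if m:
            events.append((m["ts"], m["user"], m["ip"], m["method"], m["uri"]))
    return events


def diagnose(properties_text, nginx_conf, log_text):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    name = csrf_token_name(properties_text)
    if name is None:
        findings.append(f"{TOKEN_PROPERTY} not found in properties")
    elif header_would_be_dropped(name, nginx_conf):
        findings.append(
            f"token header '{name}' contains an underscore and nginx lacks "
            "'underscores_in_headers on': the header is stripped before Tomcat sees it"
        )
    events = csrfguard_missing_token_events(log_text)
    if events:
        findings.append(f"{len(events)} CsrfGuard missing-token rejection(s), e.g. {events[0][4]}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PROPERTIES, SAMPLE_NGINX_CONF, SAMPLE_TOMCAT_LOG):
        print("FINDING:", finding)
```

Either remedy from the answer clears the first finding: renaming the token to one without an underscore, or adding `underscores_in_headers on;` to the nginx server block. Running the checker again after a restart, against a fresh log, should then report nothing.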