Hi Team,
Unable to log in to the Foreman GUI link after upgrading to version 3.8.0.
Getting this error “CSRF protection token expired, please log in again” every time I try to log in using the smart proxy link.
In earlier versions, it was working fine. After the recent upgrade to 3.8.0, this issue popped up.
Login to the GUI using the Foreman Server link is working fine.
Can anyone help with this?
Regards,
Jeev
What do you mean by “smart proxy link”?
We have a centralised Foreman server and an associated smart proxy server in each site.
The Foreman Dashboard can be accessed either via the Foreman server on port 443 (https) or via the smart proxy server on port 8443.
Now I am unable to log in to the dashboard using the smart proxy server link.
evgeni
December 19, 2023, 12:09pm
4
ekohl
December 19, 2023, 12:21pm
5
If you use foreman-installer --foreman-proxy-content-reverse-proxy-backend-protocol https on the smart proxy server, does it then work again?
evgeni
December 19, 2023, 12:52pm
6
Mh, it doesn’t on my test box, then maybe it’s something else.
Ah, when I dig production log, I see:
2023-12-19T12:50:37 [W|app|916bf600] HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)
2023-12-19T12:50:37 [I|app|916bf600] Redirected to https://pipe-katello-server-nightly-centos8-stream.tanso.example.com/users/login
evgeni
December 19, 2023, 1:06pm
7
Okay, with the backend protocol set to https and Fixes #35432 - Use Rails 6.1 defaults · theforeman/foreman@f034a4f · GitHub reverted, I can log in via proxy:8443.
ekohl
December 19, 2023, 1:10pm
8
I suspect Rails 6.1 defaults enables the ActionDispatch::HostAuthorization middleware by default. We have introduced it in the settings.yaml here:
committed 11:21AM - 27 Oct 22 UTC
Co-authored-by: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
But the installer doesn’t expose it. AFAIK this configuration was done by default as part of some CVE fixes. Quoting the description:
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to
Can you guide me on which settings need to be updated, as it is not clear from the link shared?
evgeni
December 20, 2023, 8:26am
10
So what @ekohl meant is to edit /etc/foreman/settings.yaml and add lines like:
:hosts:
- foreman.example.com
- proxy.example.com
However, this doesn’t help in my test setup and I still get
HTTP Origin header (https://pipe-katello-proxy-nightly-centos8-stream.tanso.example.com:8443) didn't match request.base_url (https://pipe-katello-server-nightly-centos8-stream.tanso.example.com)
in the logs.
This comes from here
  # verify that JavaScript responses are for XHR requests, ensuring they
  # follow the browser's same-origin policy.
  def verify_authenticity_token # :doc:
    mark_for_same_origin_verification!

    if !verified_request?
      if logger && log_warning_on_csrf_failure
        if valid_request_origin?
          logger.warn "Can't verify CSRF token authenticity."
        else
          logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
        end
      end

      handle_unverified_request
    end
  end

  def handle_unverified_request # :doc:
    forgery_protection_strategy.new(self).handle_unverified_request
  end
But I think the check failing is
And indeed, setting config.action_controller.forgery_protection_origin_check = false in application.rb makes the whole login flow work again, as long as I am using HTTPS, not HTTP/2, as the backend protocol between the proxy and the main Foreman instance.
However, I think in general the default makes sense and we should keep it.
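To make the log line above concrete, here is an added Ruby model of the Rails origin check and of how request.base_url is derived (this is illustration code written for this thread, not Foreman's or Rails' own source). It assumes the standard Rack header names and Rails' rule that X-Forwarded-Host, when present, replaces Host when building base_url; the hostnames and requests are constructed.

```ruby
# Model of ActionController::RequestForgeryProtection#valid_request_origin?
# and of request.base_url, to show why a login posted via the smart proxy
# on :8443 is rejected while a direct login to Foreman passes.
class InvalidAuthenticityToken < StandardError; end

# request.base_url: scheme from the connection or X-Forwarded-Proto,
# host:port from X-Forwarded-Host when present (last entry), else Host.
def base_url(env)
  https = env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s
  host_with_port = forwarded.empty? ? env["HTTP_HOST"] : forwarded.split(/,\s?/).last
  "#{https ? 'https' : 'http'}://#{host_with_port}"
end

# Rails accepts a missing Origin (some user agents omit it), rejects the
# literal "null" origin, and otherwise requires exact equality with base_url.
def valid_request_origin?(env, origin_check: true)
  return true unless origin_check # forgery_protection_origin_check = false
  origin = env["HTTP_ORIGIN"]
  raise InvalidAuthenticityToken, "null Origin" if origin == "null"
  origin.nil? || origin == base_url(env)
end

# Same wording as the production.log warning quoted in the thread.
def describe(env)
  return "ok" if valid_request_origin?(env)
  "HTTP Origin header (#{env['HTTP_ORIGIN']}) didn't match request.base_url (#{base_url(env)})"
end

# Constructed requests. The browser posts the login form to the proxy on
# :8443; the proxy forwards it with the backend's Host and no X-Forwarded-Host.
VIA_PROXY = {
  "HTTPS" => "on",
  "HTTP_HOST" => "foreman.example.com",
  "HTTP_ORIGIN" => "https://proxy.example.com:8443",
}
# The same form posted directly to the Foreman server.
DIRECT = VIA_PROXY.merge("HTTP_ORIGIN" => "https://foreman.example.com")
# A proxy that passes the original host:port along (assumed configuration);
# base_url then equals the browser's Origin and the check passes.
VIA_PROXY_FORWARDED = VIA_PROXY.merge("HTTP_X_FORWARDED_HOST" => "proxy.example.com:8443")

if __FILE__ == $PROGRAM_NAME
  [VIA_PROXY, DIRECT, VIA_PROXY_FORWARDED].each { |env| puts describe(env) }
end
```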
Yes, updating /etc/settings.yaml doesn’t help.
Still getting the same error.
ekohl
December 20, 2023, 2:03pm
12
Another thought: we have the trusted proxies setting. We document --foreman-trusted-proxies
in Installing a Smart Proxy Server 3.8 on CentOS/RHEL and that’s 100% needed for a reverse proxy setup (which you are running). Have you applied that?
Sorry, I was on holiday.
Updating the trusted proxies option using foreman-installer also didn’t work.
Still getting the same error.