[Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy

Added by Christophe D. over 2 years ago

Hello,

First of all, let me share some information regarding the context:
  • The OS:
    # hostnamectl | grep -i system
      Operating System: CentOS Linux 7 (Core)
    
  • Prewikka was installed with the package manager (yum):
    # rpm -qa | grep -i prewik
    prewikka-5.2.0-4.el7.x86_64
    python2-prewikka-5.2.0-4.el7.x86_64
    
  • How Prewikka is started using the systemd service script:
    # grep -i execstart /usr/lib/systemd/system/prewikka.service
    ExecStart=/usr/sbin/prewikka-httpd -a 127.0.0.1
    
  • Apache version:
    # httpd -v | grep -i version
    Server version: Apache/2.4.6 (CentOS)
    
  • Apache configuration file for Prewikka:
    # cat /etc/httpd/conf.d/prewikka.conf 
    <VirtualHost *:80>
        ServerName xxxxxxxxxxxxx
        DocumentRoot /var/www/html/
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    </VirtualHost>
    
    <VirtualHost *:443>
        ServerName xxxxxxxxxxxxx
        DocumentRoot /var/www/html
        Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure" 
        Header onsuccess edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure" 
        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
        ProxyPreserveHost Off
        ProxyRequests Off
        ProxyTimeout 600
        RequestHeader set Origin "127.0.0.1:8000" 
        RequestHeader set Host "127.0.0.1:8000" 
        RequestHeader set X-Forwarded-Proto "https" 
        RequestHeader set Referer "" 
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/certs/apache-selfsigned.key
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLCompression Off
        SSLEngine On
        SSLHonorCipherOrder On
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        Timeout 360
        UseCanonicalName on
    </VirtualHost>
    

Now, when I access Prewikka using https://xxxxxxxxxxxxx, using the TLS termination reverse proxy installed and configured locally (i.e. on the same machine as Prewikka), I get the below error message for some actions:

Error: Origin check failed
Details:
except Exception as err: raise autherr or err if view_object.view_require_session and autherr:
/usr/lib/python2.7/site-packages/prewikka/main.py, line 285:
raise autherr or err
/usr/lib/python2.7/site-packages/prewikka/main.py, line 301:
response = self._process_static(webreq) or self._process_dynamic(webreq)

The actions are, for instance:
  • Update the password of an existing user
  • Create a new user
  • Change the period of the alerts I would like to display

I tried with Apache configured without TLS and I did not get this error. Any idea?

Thank you in advance for your help.

Regards,


Replies (5)

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE over 2 years ago

Hello,

Prewikka uses cookies bound to the application's host/path to prevent Cross-Site Request Forgery (CSRF) attacks.
Apache does not rewrite the cookies in HTTP requests/responses by default, hence the error.
See the ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath options inside Apache's documentation for more information on how to rewrite the cookies' host & path.

In addition, you should not set headers manually as it may interfere with functionalities of the HTTP protocol or your Internet browser (e.g. CORS).

Best regards,
François

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. over 2 years ago

Thank you François. I will try that and keep you posted.

Regards,

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. over 2 years ago

Hello,

Tested (i.e. ProxyPassReverseCookieDomain & ProxyPassReverseCookiePath) but unsuccessful. As stated in my previous message, I do not get this error when I use the same setup but without the TLS configured on the Apache reverse proxy.

Any idea is welcome.

Regards,

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Francois POIROTTE over 2 years ago

Hello,

I finally had time to test a similar setup (with nginx).
From my investigation, when prewikka-httpd is used to run Prewikka, the application only sees the request made to prewikka-httpd and uses that to check the requests' origin. That is to say, it is not meant to be run through a reverse proxy.

I see two possible solutions:
  1. Do not run prewikka-httpd behind a reverse proxy.
    • You could either expose prewikka-httpd directly (it supports TLS certificates through the --key and --cert options), though I would recommend against it for performance reasons.
    • Instead, you could also run Prewikka through mod_wsgi. This is usually the recommended approach. See this page for more information.
  2. If you really want to use prewikka-httpd with a reverse proxy, you will need to rewrite the original Origin and Referer HTTP headers to match the origin expected by Prewikka, but only when the original value matches the expected value/prefix (this is necessary to prevent potential security issues). For nginx, this can be done with a configuration similar to the following inside a location block:
                    set $new_origin $http_origin;
                    if ($http_origin = "https://prelude.example.com") {
                            set $new_origin "http://127.0.0.1:8000";
                    }
                    proxy_set_header        Origin          $new_origin;
    
                    set $new_referer $http_referer;
                    if ($http_referer ~ "^https://prelude\.example\.com(.*)$") {
                            set $new_referer "http://127.0.0.1:8000$1";
                    }
                    proxy_set_header        Referer         $new_referer;
    
    In this example, nginx is listening for HTTPS requests on the vhost prelude.example.com, while prewikka-httpd is listening for HTTP requests on 127.0.0.1:8000. I think a similar configuration can be defined for Apache:
    # This requires mod_headers
    RequestHeader edit* Origin "^https://prelude\.example\.com" "http://127.0.0.1:8000" 
    RequestHeader edit* Referer "^https://prelude\.example\.com" "http://127.0.0.1:8000" 
    

Best regards,
François
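
An added illustration, not part of the original reply or of Prewikka's code: a Python model of the three proxy behaviours discussed in this thread (forwarding Origin/Referer untouched, overwriting them unconditionally, and rewriting them only when they match the public vhost). `backend_accepts` is a hypothetical stand-in for the backend's origin check, and the sample requests are constructed.

```python
import re

PUBLIC = "https://prelude.example.com"   # vhost served by the proxy (from the post)
BACKEND = "http://127.0.0.1:8000"        # prewikka-httpd listener (from the post)

# Public origin followed by end of string or a path/query boundary, so a host
# that merely starts with the vhost name is left alone.
_PUBLIC_RE = re.compile(r"^" + re.escape(PUBLIC) + r"(?=$|[/?#])")


def passthrough(headers):
    """Proxy forwards Origin/Referer untouched."""
    return dict(headers)


def overwrite(headers):
    """Proxy sets Origin/Referer unconditionally, whatever the browser sent."""
    return dict(headers, Origin=BACKEND, Referer=BACKEND + "/")


def conditional(headers):
    """Proxy rewrites only values that really come from the public vhost."""
    out = dict(headers)
    for name in ("Origin", "Referer"):
        if name in out:
            out[name] = _PUBLIC_RE.sub(BACKEND, out[name], count=1)
    return out


def backend_accepts(headers):
    """Hypothetical stand-in for the backend check: exact Origin match."""
    return headers.get("Origin") == BACKEND


# Constructed sample requests as they reach the proxy.
SAME_SITE = {"Origin": PUBLIC, "Referer": PUBLIC + "/settings"}
CROSS_SITE = {"Origin": "https://other.example.net",
              "Referer": "https://other.example.net/page"}
LOOKALIKE = {"Origin": PUBLIC + ".other.example.net"}


def outcomes(policy):
    """Return (same_site_ok, cross_site_ok, lookalike_ok) for a proxy policy."""
    return tuple(backend_accepts(policy(r))
                 for r in (SAME_SITE, CROSS_SITE, LOOKALIKE))


if __name__ == "__main__":
    for policy in (passthrough, overwrite, conditional):
        print(policy.__name__, outcomes(policy))
```

In this model, pass-through rejects even the legitimate request, the unconditional overwrite accepts every request so the origin check no longer distinguishes anything, and only the conditional rewrite accepts the same-site request while rejecting the other two.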

RE: [Prewikka] Error "Origin check failed" when using a TLS termination reverse proxy - Added by Christophe D. over 2 years ago

Hello and thank you François. I will keep you posted.

Regards,
