Running jasperserver behind nginx: Potential CSRF attack

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080.

internet ---(https/443)---> nginx ---(http/8080)---> tomcat/jasperserver

When accessing the jasperserver directly on its port everything is fine. When accessing the service through nginx some functionalities are broken (e.g. editing a user in the jasperserver UI) and the jasperserver log has entries like this:

CSRFGuard: potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)

After some debugging we found the cause for this:

In its standard configuration nginx is not forwarding request headers that contain underscores in their name. Jasperserver (and the OWASP framework) however default to using underscores for transmitting the csrf token (JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN respectively).

Solution is to either:

  • nginx: allow underscores in headers

    server {
       ...
       underscores_in_headers on;
    }

  • jasperserver: change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Also see here:

Answered it myself - hopefully this is of some use to others, too.
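As an added illustration (not code from the question, from nginx or from CSRFGuard), the following Python model reproduces the failure mode and both fixes: nginx with its default `underscores_in_headers off` drops any request header whose name contains an underscore, so the `JASPER_CSRF_TOKEN` header never reaches the application and the (simplified, assumed) CSRFGuard check reports a missing token. The properties content and the session token are constructed sample values.

```python
# Model of the proxied CSRF-token failure: nginx header filtering followed by a
# simplified CSRFGuard-style check. Assumed behaviour, not the real implementations.
from typing import Dict, Optional

# Constructed sample of Owasp.CsrfGuard.properties, as shown in the answers above.
DEFAULT_PROPERTIES = """\
org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY
"""
RENAMED_PROPERTIES = DEFAULT_PROPERTIES.replace("JASPER_CSRF_TOKEN", "JASPERCSRFTOKEN")

def nginx_forward_headers(headers: Dict[str, str], underscores_in_headers: bool = False) -> Dict[str, str]:
    """Headers nginx passes upstream. Default (off): drop names containing '_'."""
    if underscores_in_headers:
        return dict(headers)
    return {name: value for name, value in headers.items() if "_" not in name}

def csrfguard_token_name(properties_text: str) -> Optional[str]:
    """Read org.owasp.csrfguard.TokenName from the properties file content."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "org.owasp.csrfguard.TokenName":
            return value.strip()
    return None

def csrfguard_check(upstream_headers: Dict[str, str], token_name: str, session_token: str) -> str:
    """Simplified check: the token header must be present and equal the session token."""
    lowered = {name.lower(): value for name, value in upstream_headers.items()}  # header names are case-insensitive
    supplied = lowered.get(token_name.lower())
    if supplied is None:
        return "required token is missing from the request"
    if supplied != session_token:
        return "token does not match session token"
    return "ok"

def simulate(properties_text: str, underscores_in_headers: bool) -> str:
    """Browser sends the token under the configured name; nginx filters; CSRFGuard checks."""
    token_name = csrfguard_token_name(properties_text)
    assert token_name is not None, "TokenName not configured"
    session_token = "constructed-session-token-123"  # constructed sample value
    browser_headers = {"Host": "reports.example.com", token_name: session_token}
    upstream = nginx_forward_headers(browser_headers, underscores_in_headers)
    return csrfguard_check(upstream, token_name, session_token)

if __name__ == "__main__":
    for label, props, flag in (("default nginx, default token name", DEFAULT_PROPERTIES, False),
                               ("underscores_in_headers on", DEFAULT_PROPERTIES, True),
                               ("token renamed without underscore", RENAMED_PROPERTIES, False)):
        print(f"{label}: {simulate(props, flag)}")
```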

I had this issue with the Jasperserver 5.5 AWS AMI.

More specifically:

/var/lib/tomcat7/webapps/jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change:

org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:

org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY

My version of Jasperserver looked slightly different, the CSRFguard files are located in jasperserver/WEB-INF/csrf

I edited the jrs.csrfguard.properties file.


Comments
  • Same issue, but the resolutions here didn't work for me - I posted a new question so hopefully additional info will show up there: stackoverflow.com/questions/35691799/…
  • Do you mind sharing your nginx configuration? I am not sure where the problem is, but the jasperserver 6 AWS AMI seems to make me pull my hair off.
  • I don't use jaspersoft anymore. From what I remember, nginx's default behavior is to remove underscores from HTTP headers. Therefore, my solution was to set Jaspersoft to read HTTP headers without the underscore.