我正在使用Nginx作为Spring启动应用程序的反向代理。我还使用带有sockjs和stomp消息的Websockets。
以下是上下文配置。
<websocket:message-broker application-destination-prefix="/app">
<websocket:stomp-endpoint path="/localization" >
<websocket:sockjs/>
</websocket:stomp-endpoint>
<websocket:simple-broker prefix="/topic" />
</websocket:message-broker>
以下是客户端代码:
var socket = new SockJS(entryPointUrl);
var stompClient = Stomp.over(socket);
var _this = this;
stompClient.connect({}, function () {
stompClient.subscribe('/app/some-url', function (message) {
// do some stuff
});
});
我也是Spring Security来保护一些内容。
@Configuration
@Order(4)
public static class FrontendSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/js/**", "/css/**", "/webjars/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin().loginPage("/login").permitAll()
.and()
.logout().permitAll();
}
}
当我在Nginx反向代理后面运行此应用程序时,一切都很有效。这是相反的配置:
proxy_pass http://testsysten:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
# Max body size
client_max_body_size 10M;
连接总是因HTTP 403代码而失败。
我使用的是1.9.7版本。
您有任何想法,为什么客户端未经过身份验证?
我知道类似的问题,例如this one,但解决方案根本不起作用。
我设法通过HTTP运行应用程序。我需要在Nginx配置中传递CSRF令牌。新配置是:
proxy_pass http://testsysten:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
# Default in Spring Boot
proxy_pass_header X-XSRF-TOKEN;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
仅丢失是通过HTTPS重定向。在Spring日志中可以看到以下条目:
o.s.w.s.s.t.h.DefaultSockJsService - Processing transport request: GET http://testsystem:80/localization/226/3mbmu212/websocket
似乎Nginx Proxy需要重写到正确的端口。
答案 0 :(得分:7)
我自己解决了这个问题。基本上,如果要使用Websocket和Spring Security,Nginx需要传递一些额外的标头值。需要将以下行添加到Nginx配置中的location部分:
# Pass the csrf token (see https://de.wikipedia.org/wiki/Cross-Site-Request-Forgery)
# Default in Spring Boot and required. Without it nginx suppresses the value
proxy_pass_header X-XSRF-TOKEN;
# Set origin to the real instance, otherwise a of Spring security check will fail
# Same value as defined in proxy_pass
proxy_set_header Origin "http://testsysten:8080";
答案 1 :(得分:2)
虽然我使用的是非常经典的HTTPS配置,但已接受的解决方案对我不起作用:
server {
listen 443 ssl;
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:8888;
}
...
问题是Spring会检查原点,特别是代码导致我遇到麻烦:
// in org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders):
if ((this.scheme.equals("http") && "80".equals(this.port)) ||
(this.scheme.equals("https") && "443".equals(this.port))) {
this.port = null;
}
在该代码中,该方案为“http”,端口为8888,由于它不是标准端口,因此不会被丢弃。
然而浏览器点击https://myserver/并且省略了443端口,因为它是默认的HTTPS端口。
因此端口不匹配(空!= 8888)并且原点检查失败。
您可以在Spring WebSockets中禁用原始检查:
registry.addHandler( resgisterHandler(), "/ws" ).setAllowedOrigins( "*" );
或(可能更安全)您可以将方案和端口添加到NGINX代理配置中:
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
如果您有兴趣,可以在
中阅读这些标题org.springframework.web.util.UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders)
答案 2 :(得分:0)
我遇到过类似的问题。我无法使用NGINX的基本Spring Security身份验证。除了设置proxy_pass_header X-XSRF-TOKEN;之外,我还必须设置underscores_in_headers on;,因为默认情况下NGINX不允许带下划线的标头,并且CSRF令牌被命名为_csrf。
所以我的最终配置文件如下所示:
server {
underscores_in_headers on;
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
# Make site accessible from http://localhost/
server_name localhost;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
location /example/ {
proxy_pass_header X-XSRF-TOKEN;
proxy_pass http://localhost:8080/;
}
}
答案 3 :(得分:0)
我在NGINX代理中没有CSRF头解决了这个问题。
我的堆栈:spring-boot,spring-security(使用redis会话存储),spring-boot-websocket with default STOMP implementation,NGINX用于服务前端,代理到前端消费的其他服务。
我第一次使用default configuration show in the NGINX Blog here和此处(复制并粘贴历史记录):
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream websocket {
server 192.168.100.10:8010;
}
server {
listen 8020;
location / {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}
但是不行,仍然是403 Forbidden。
我使用下面的配置解决了这个问题(修复websocket真正重要的部分是#WebSocket Proxy ):
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 30010;
server_name localhost;
client_max_body_size 10M;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
# Backend API Proxy
location /api {
proxy_pass http://192.168.0.100:30080;
proxy_set_header Host $http_host;
proxy_set_header Access-Control-Allow-Origin 192.168.0.100;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
rewrite ^/api/?(.*) /$1 break;
proxy_redirect off;
}
# CDN Proxy
location ~ ^/cdn/(.*) {
proxy_pass http://192.168.0.110:9000;
rewrite ^/cdn/(.*) /$1 break;
}
# This is the configuration that fix the problem with WebSocket
# WebSocket Proxy
location /ws {
proxy_pass http://192.168.0.120:30090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header Access-Control-Allow-Origin 192.168.0.120;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
}
}
}