使用apache2作为proxypass时的Apache OpenMeetings 4.0.4 CSRF攻击

时间:2018-08-07 08:03:11

标签: csrf apache2.2 openmeetings

我已经将Apache OpenMeetings 4.0.4女巫Apache / 2.2.22作为代理。

在OM的conf / red5.properties中,

http.port=8080

我想做两件事:

  1. 重定向HTTP(80)-> HTTPS(443)

  2. 将HTTP(8080)重定向到HTTPS(443)

我的/ etc / apache2 / sites-avilable / default conf是:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:8080>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

我的/ etc / apache2 / sites-avilable / default-ssl conf是:

<VirtualHost *:443>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    SSLEngine On
    SSLCerificateFile /etc/apache2/certs/collaboration.crt
    SSLCerificateKeyFile /etc/apache2/certs/collaboration.key
    SSLCerificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>

当我输入http://domain.test-test.eu/时,它会将我重定向到https://domain.test-test.eu

当我输入http://192.168.XXX.YYY时,它会将我重定向到https://192.168.XXX.YYY

但是,当我输入http://192.168.XXX.YYY:8080http://domain.test-test.eu:8080时,它不会将我重定向到https://192.168.XXX.YYYhttps://domain.test-test.eu/。页面打开(没有HTTPS)。

第二个问题是,在OM的日志中,我可以看到CSRF信息,而无法通过HTTPS登录。

OM日志中的信息:

[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request

我应该如何更改Apache设置以使其正常工作?

3 个答案:

答案 0 :(得分:1)

恐怕无法设置“将HTTP(8080)重定向到HTTPS(443)”

如果您在端口8080上运行OpenMeetings,则不能将其用于Apache,反之亦然。互联网端口应由OM或Apache专用,而不能同时使用。

我将关闭FW级别的端口8080,以拒绝直接访问OM。 (并且请删除<VirtualHost *:8080>的规则,否则OM将无法以Port already in use消息开头)

现在根据CSRF:

您需要修改conf/jee-container.xml并添加以下属性

<property name="secure" value="true" />

要在<!-- Tomcat without SSL enabled -->之前<property name="connectionProperties">阻止

这应该可以解决您的问题

但是OpenMeetings不适用于此配置....

因为您还需要代理WebSockets...。

因此,您还需要mod_rewrite和mod_proxy_wstunnel

然后您需要添加以下部分:

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings

另外,您可能想对RTMP流量执行隧道传输,这将需要针对open, send, idle and close的特殊规则

以下是Apache 2.4的最终配置:

<VirtualHost *:443>
  ServerName domain.test-test.eu

  ## Vhost docroot
  DocumentRoot "/var/www/"

  ## Directories, there should at least be a declaration for /var/www/

  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/_certs_path_/domain.test-test.eu/fullchain.pem"
  SSLCertificateKeyFile   "/_certs_path_/domain.test-test.eu/privkey.pem"
  SSLCACertificatePath    "/_CA_certs_path_"

###      OpenMeetings    ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On

<Location /openmeetings>
  Require all granted      
  ProxyPass http://localhost:5080/openmeetings
  ProxyPassReverse http://localhost:5080/openmeetings
  RewriteEngine On
  RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
  Require all granted
  ProxyPass http://localhost:5080/open
  ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
  Require all granted
  ProxyPass http://localhost:5080/send
  ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
  Require all granted
  ProxyPass http://localhost:5080/idle
  ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
  Require all granted
  ProxyPass http://localhost:5080/close
  ProxyPassReverse http://localhost:5080/close
</Location>

</VirtualHost>

按预期为我工作:)

答案 1 :(得分:0)

在“默认”文件中,我有:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

因此,当smb输入http://domain.test-test.eu时,它将重定向到https://domain.test-test.eu

我的'default-ssl'文件几乎与您的文件完全一样(我使用OM的8080 / tcp)。而且我正在使用针对OM的自签名证书(目前,它们尚未针对CN = domain.test-test.eu进行签名,而是针对CN = testname.eu进行了签名-我将在OM生效后对其进行更改)。

不幸的是,此配置不起作用。我可以看到周围有两个黑点。可能是由于浏览器过时(FF的版本为52.4.1和Chromium 51.0.2704.79)还是错误的站点证书?

答案 2 :(得分:0)

Maxim给出的apache配置正在运行。谢谢马克西姆!