Apache OpenMeetings 4.0.4 CSRF attack when using apache2 as proxypass
I have Apache OpenMeetings 4.0.4 with Apache/2.2.22 as a proxy.
In OM's conf/red5.properties I have
http.port=8080
I want to do two things:
redirect HTTP (80) -> HTTPS (443)
redirect HTTP (8080) -> HTTPS (443)
My /etc/apache2/sites-available/default config file is:
<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu
    RewriteEngine On
    # Send every plain-HTTP request to the same host and path over HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
<VirtualHost *:8080>
    # Second vhost on 8080, the port OpenMeetings itself listens on (http.port=8080)
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
My /etc/apache2/sites-available/default-ssl config file is:
<VirtualHost *:443>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu
    ProxyRequests Off
    ProxyPreserveHost On
    # Everything under / is forwarded as plain HTTP to OpenMeetings on 8080
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/collaboration.crt
    SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
    SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>
When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.
When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY
But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080 it doesn't redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens (without HTTPS).
The second problem is that in OM's log I can see CSRF messages, and I can't log in via HTTPS.
The message from OM's log:
[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request
How should I change the Apache settings to make this work?
I'm afraid "Redirect HTTP (8080) to HTTPS (443)" can't be set up.
If you are running OpenMeetings on port 8080, you can't use that port for Apache, and vice versa. An internet port should be used exclusively either by OM or by Apache, not by both.
I would close port 8080 at the firewall level to deny direct access to OM. (Please remove the <VirtualHost *:8080> rule, otherwise OM will not be able to start, with a "Port already in use" message.)
Now regarding CSRF:
You need to modify conf/jee-container.xml and add the following property
<property name="secure" value="true" />
before <property name="connectionProperties"> in the <!-- Tomcat without SSL enabled --> block.
This should fix your issue.
But OpenMeetings will not work with this config....
since you also need to proxy WebSockets....
So you also need mod_rewrite and mod_proxy_wstunnel.
Then you need to add the following section:
RewriteEngine On
# Only requests that ask for a WebSocket upgrade are sent through the ws:// tunnel
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
# $1 keeps the request path so the upgrade reaches the same endpoint on the backend
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
Additionally, you might want to tunnel your RTMP traffic, which will require special rules for open, send, idle and close.
Here is the final config for Apache 2.4:
<VirtualHost *:443>
ServerName domain.test-test.eu
## Vhost docroot
DocumentRoot "/var/www/"
## Directories, there should at least be a declaration for /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
ServerSignature Off
CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined
## SSL directives
SSLEngine on
SSLCertificateFile "/_certs_path_/domain.test-test.eu/fullchain.pem"
SSLCertificateKeyFile "/_certs_path_/domain.test-test.eu/privkey.pem"
SSLCACertificatePath "/_CA_certs_path_"
### OpenMeetings ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On
<Location /openmeetings>
Require all granted
ProxyPass http://localhost:5080/openmeetings
ProxyPassReverse http://localhost:5080/openmeetings
RewriteEngine On
RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
Require all granted
ProxyPass http://localhost:5080/open
ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
Require all granted
ProxyPass http://localhost:5080/send
ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
Require all granted
ProxyPass http://localhost:5080/idle
ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
Require all granted
ProxyPass http://localhost:5080/close
ProxyPassReverse http://localhost:5080/close
</Location>
</VirtualHost>
Works for me as expected :)
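The 400 in the question's log line and the secure=true fix in the answer above come from one check, and it can be reproduced without a running OpenMeetings. The Python model below is an added example written for this page, not code from OpenMeetings, Wicket or Tomcat: it rebuilds the request URL the way a Tomcat connector does when Apache terminates TLS and forwards plain HTTP with ProxyPreserveHost On (scheme taken from the connector's secure flag, default port of that scheme when the Host header carries none), then applies the comparison CsrfPreventionRequestCycleListener makes (scheme, host and port of Origin must equal those of the request URL). Connector, backend_request_url, csrf_check and sign_in_through_proxy are names chosen for this example, and allowing a request with no Origin header is an assumption of the model.

```python
"""Model of Wicket's Origin check behind a TLS-terminating Apache reverse proxy.

Added example for this page; not code from OpenMeetings, Wicket or Tomcat.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

# Path taken from the log line in the question.
SIGN_IN_PATH = "/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage"


@dataclass(frozen=True)
class Connector:
    """The two connector settings that matter here (names are this example's own)."""
    port: int
    secure: bool = False   # the <property name="secure"> from conf/jee-container.xml


def backend_request_url(connector: Connector, host_header: str, path: str) -> str:
    """Rebuild the request URL as the servlet container sees it.

    Apache terminated TLS and forwarded plain HTTP, so the container cannot see
    that the client used https: the scheme comes from the connector's secure
    flag.  ProxyPreserveHost On passes the client's Host header through, and a
    Host header without an explicit port gets the default port of that scheme.
    """
    scheme = "https" if connector.secure else "http"
    if ":" in host_header:
        host, port_text = host_header.rsplit(":", 1)
        port = int(port_text)
    else:
        host, port = host_header, DEFAULT_PORT[scheme]
    return f"{scheme}://{host}:{port}{path}"


def origin_tuple(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with defaults filled in: the shape the check compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORT[scheme]


def csrf_check(origin_header: Optional[str], request_url: str) -> str:
    """Verdict for a state-changing request: Origin must match the request URL on
    scheme, host and port, otherwise the request is aborted with 400.  A missing
    Origin is allowed in this model (assumption; the listener's no-Origin action
    is configurable)."""
    if origin_header is None:
        return "allowed (no Origin header)"
    if origin_tuple(origin_header) == origin_tuple(request_url):
        return "allowed"
    return "aborted with error 400 Origin does not correspond to request"


def sign_in_through_proxy(connector: Connector, origin_header: str, host_header: str) -> str:
    """One login POST as it arrives at the backend; returns the check's verdict."""
    return csrf_check(origin_header, backend_request_url(connector, host_header, SIGN_IN_PATH))


if __name__ == "__main__":
    # Constructed scenario matching the question: browser on https://192.168.XXX.YYY,
    # Apache proxies to http://localhost:8080 with ProxyPreserveHost On.
    origin, host = "https://192.168.XXX.YYY", "192.168.XXX.YYY"
    for label, connector in (("secure=false", Connector(8080)),
                             ("secure=true ", Connector(8080, secure=True))):
        print(f"{label}: {backend_request_url(connector, host, SIGN_IN_PATH)}")
        print(f"              {sign_in_through_proxy(connector, origin, host)}")
    # A direct plain-HTTP hit on 8080 now fails the other way round: the connector
    # claims https while the browser's Origin says http.
    print("direct :8080, secure=true:",
          sign_in_through_proxy(Connector(8080, secure=True),
                                "http://192.168.XXX.YYY:8080", "192.168.XXX.YYY:8080"))
```

Running it shows the mismatch for a plain connector (http://192.168.XXX.YYY:80 against Origin https://192.168.XXX.YYY, the pair in the log line), a match once secure=true is set, and a new mismatch for a direct plain-HTTP request to port 8080 with secure=true, which is one more reason to firewall that port as the answer recommends. Setting secure on the connector is the same outcome Tomcat's RemoteIpValve produces when it trusts an X-Forwarded-Proto header from the proxy: either way the backend has to learn the client-facing scheme, or every POST behind the proxy, the login form included, is rejected as a CSRF attempt.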
In the 'default' file I have:
<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu
    RewriteEngine On
    # Send every plain-HTTP request to the same host and path over HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
So when someone types http://domain.test-test.eu it'll redirect them to https://domain.test-test.eu
My 'default-ssl' file is almost exactly the same as yours (I use 8080/tcp for OM). I'm using a self-signed certificate for OM (currently it isn't issued for CN=domain.test-test.eu but for CN=testname.eu - I'll change that once OM works).
Unfortunately this configuration doesn't work. I can see two black dots running around. Could it be because of outdated browsers (FF version 52.4.1 and Chromium 51.0.2704.79) or a wrong site certificate?
The apache config provided by Maxim works. Thanks Maxim!