 

Csrfguard behind a reverse proxy

I have successfully installed CsrfGuard on my webapp, but when tested on preprod behind the reverse proxy things went bad. CsrfGuard's JavaScript isValidDomain does not consider my domain a valid one: the CsrfGuard JavaScriptServlet returns the unproxied domain...

This is the JavaScript code:

if(isValidDomain(document.domain, "myRealDomain")) { … }

isValidDomain is just a string comparison method. The thing is: the CsrfGuard JavaScriptServlet returns "myRealDomain" while the JavaScript "document.domain" returns "myProxiedDomain", so the string comparison fails!

I don't know what to do at this point and I would appreciate directions! I believe that some have met this problem before; reverse proxies seem quite common.

user3433684 asked Mar 18 '14 15:03


1 Answer

You could configure your proxy to add the headers X-Forwarded-By, X-Forwarded-For and X-Forwarded-Proto.

Your server behind the proxy could use these headers to reconstruct the original request (as performed on the proxy).

This way the CsrfGuard servlet will use the correct domain to generate the script.

Configuration is of course different per proxy/application server, but here is an example for Nginx in combination with Tomcat:

Example proxy config (Nginx):

### proxy headers ###
proxy_set_header        X-Forwarded-By          $server_addr:$server_port;
proxy_set_header        X-Forwarded-For         $remote_addr;
proxy_set_header        X-Forwarded-Proto       $scheme;

Example application server config (Tomcat / RemoteIpValve):

<Valve
    className="org.apache.catalina.valves.RemoteIpValve"
    internalProxies="trusted-ip-here"
    remoteIpHeader="x-forwarded-for"
    proxiesHeader="x-forwarded-by"
    protocolHeader="x-forwarded-proto"
/>
R. Oosterholt answered Sep 23 '22 09:09
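To show what a RemoteIpValve-style reconstruction has to get right for the question's domain check, here is an added Python model; it is not code from the question, the answer, CsrfGuard, Nginx or Tomcat. It assumes the proxy lives in 10.0.0.0/8, that the public name the browser sees is myProxiedDomain and the backend name is myRealDomain, and that the proxy also forwards the original host in an X-Forwarded-Host header (the answer's Nginx snippet passes no host at all; `proxy_set_header Host $host;` is the usual way to hand the public name to the backend). The model honours X-Forwarded-* headers only when the connecting peer is a listed internal proxy, walks X-Forwarded-For from the right so a client cannot choose its own address by prepending a hop, and then runs the plain string comparison the question describes isValidDomain as doing.

```python
# Added example (not from the question, the answer, CsrfGuard, Nginx or Tomcat).
# Models an app server behind a reverse proxy rebuilding the original request
# from X-Forwarded-* headers, trusting them only when the TCP peer is an
# internal proxy, then applies the isValidDomain string comparison.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    peer_ip: str                      # TCP peer that connected to the app server
    scheme: str                       # scheme as seen by the app server
    host: str                         # Host header as received by the app server
    headers: dict = field(default_factory=dict)  # other request headers


@dataclass
class OriginalRequest:
    client_ip: str
    scheme: str
    host: str
    trusted_chain: bool               # True if X-Forwarded-* were honoured


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def reconstruct(req, internal_proxies):
    """Rebuild the request as the proxy saw it (RemoteIpValve-like behaviour).

    internal_proxies: CIDR strings of proxies allowed to set X-Forwarded-*.
    """
    nets = [ipaddress.ip_network(n) for n in internal_proxies]

    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:           # malformed hop: never trusted
            return False

    if not trusted(req.peer_ip):
        # Headers may have been forged by the client itself: ignore them.
        return OriginalRequest(req.peer_ip, req.scheme, req.host, False)

    xff = _header(req.headers, "X-Forwarded-For")
    hops = [h.strip() for h in xff.split(",")] if xff else []
    # Walk right-to-left past our own proxies; the first untrusted hop is the
    # real client. Anything further left was supplied by the client and ignored.
    while hops and trusted(hops[-1]):
        hops.pop()
    client_ip = hops[-1] if hops else req.peer_ip

    scheme = (_header(req.headers, "X-Forwarded-Proto") or req.scheme).lower()
    # Assumption: the proxy forwards the public host in X-Forwarded-Host.
    host = _header(req.headers, "X-Forwarded-Host") or req.host
    return OriginalRequest(client_ip, scheme, host, True)


def is_valid_domain(document_domain, csrfguard_domain):
    """The string comparison the question describes CsrfGuard's script doing."""
    return document_domain == csrfguard_domain


# Constructed sample requests (public name: myProxiedDomain, backend: myRealDomain).
PROXIED = Request("10.0.0.5", "http", "myRealDomain", {
    "X-Forwarded-For": "198.51.100.7, 203.0.113.9, 10.0.0.5",  # 198.51.100.7 prepended by client
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "myProxiedDomain",
})
UNPROXIED = Request("10.0.0.5", "http", "myRealDomain")   # proxy forwards nothing
DIRECT_SPOOF = Request("203.0.113.9", "http", "myRealDomain", PROXIED.headers)

if __name__ == "__main__":
    for label, req in (("proxied", PROXIED), ("unproxied", UNPROXIED), ("spoof", DIRECT_SPOOF)):
        orig = reconstruct(req, ["10.0.0.0/8"])
        print(label, orig, "isValidDomain:", is_valid_domain("myProxiedDomain", orig.host))
```

With the proxy's headers honoured, the servlet-side domain becomes myProxiedDomain and the browser's document.domain matches; without them (the question's situation) the backend name myRealDomain leaks into the script and the comparison fails; and a client connecting directly with forged headers gets none of them honoured.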