Apache proxy and CSRF protection

Posted: Mon Nov 21, 2016 4:43 pm
by rob.pumphrey
Hi,

I am trying to configure an OMERO instance (5.2.5 / ice 35) to run behind an Apache Proxy. I am unable to log in to the app via the web and see the error.

Code:
Go back to OMERO.web
Forbidden (403)
CSRF Error. You don't have permission to access this page on this server.


The setup is like this:

https://public.example.com - uses apache 2.4 & mod_proxy with
ProxyPass / https://private.example.com/
ProxyPassReverse / https://private.example.com/

https://private.example.com - uses apache 2.4 and wsgi to connect to OMERO.web

I am able to log in to https://private.example.com
When I try to log in to https://public.example.com, I see the CSRF error.

Other web apps we have on the same host operate, so I am happy that the proxying is operating correctly.

Relevant output from
./bin/omero config list
Code:
jnlp.omero.host=myhostname.example.com
omero.web.application_server=wsgi
omero.web.application_server.host=public.example.com
omero.web.prefix=/omero
omero.web.static_url=/omero/static/


Any assistance in resolving this would be gratefully received.

Regards

Rob

Re: Apache proxy and CSRF protection

Posted: Mon Nov 21, 2016 5:00 pm
by atarkowska
Hi Rob,

I think it is missing https://www.openmicroscopy.org/site/sup ... arded-host, and remember about https://www.openmicroscopy.org/site/sup ... ssl-header

Here is entire Django chapter https://docs.djangoproject.com/en/1.8/r ... ssl-header if you need more background

Ola

Re: Apache proxy and CSRF protection

Posted: Thu Nov 24, 2016 11:50 am
by rob.pumphrey
Perfect, thank you.

Setting
Code:
omero.web.use_x_forwarded_host=true

has fixed the problem.
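
Added example, not part of the thread and not Django's or OMERO.web's own code: a simplified model of why the proxied login gets a 403 and why the setting fixes it. It assumes the 403 comes from Django's strict Referer check on HTTPS requests and that mod_proxy forwards the original host in X-Forwarded-Host; the function names and the login path are illustrative.

```python
# Simplified model of Django's host resolution and HTTPS Referer check.
# Added illustration; not Django's or OMERO.web's actual code.
from urllib.parse import urlsplit


def get_host(headers, use_x_forwarded_host):
    """Pick the host the application believes it is being served from."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        return headers["X-Forwarded-Host"]
    return headers["Host"]


def referer_check(headers, use_x_forwarded_host):
    """Return (ok, reason) for a POST that arrives over HTTPS."""
    referer = headers.get("Referer")
    if not referer:
        return False, "no Referer"
    ref = urlsplit(referer)
    if ref.scheme != "https":
        return False, "insecure Referer"
    expected = get_host(headers, use_x_forwarded_host)
    if ref.netloc != expected:
        return False, "Referer host %s does not match %s" % (ref.netloc, expected)
    return True, "ok"


# Constructed sample headers, as the backend (private.example.com) sees them.
# With plain ProxyPass the Host header is rewritten to the backend name,
# while the browser's Referer still names the public host.
PROXIED_LOGIN = {
    "Host": "private.example.com",
    "X-Forwarded-Host": "public.example.com",
    "Referer": "https://public.example.com/omero/webclient/login/",
}
# Constructed sample: the same login made directly against the backend.
DIRECT_LOGIN = {
    "Host": "private.example.com",
    "Referer": "https://private.example.com/omero/webclient/login/",
}

if __name__ == "__main__":
    for name, hdrs in (("proxied", PROXIED_LOGIN), ("direct", DIRECT_LOGIN)):
        for flag in (False, True):
            print(name, "use_x_forwarded_host=%s" % flag, referer_check(hdrs, flag))
```

Because the setting makes the application trust X-Forwarded-Host, it belongs only on a backend whose requests arrive through a proxy that sets that header.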