Apache OpenMeetings 4.0.4 CSRF attack when using apache2 as proxypass

I've got Apache OpenMeetings 4.0.4 with Apache/2.2.22 as proxy.
In OM's conf/red5.properties I've got
http.port=8080
I want to do two things:
Redirect HTTP (80) -> HTTPS (443)
Redirect HTTP (8080) to HTTPS (443)
My /etc/apache2/sites-available/default conf is:
<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost *:8080>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
My /etc/apache2/sites-available/default-ssl conf is:
<VirtualHost *:443>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLEngine On
SSLCertificateFile /etc/apache2/certs/collaboration.crt
SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>
When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.
When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY
But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080 it doesn't redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens up (without HTTPS).
The second problem is that in OM's log I can see CSRF info and I can't log in through HTTPS.
Info from OM's log:
[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request
How should I change Apache settings to make it work?

I'm afraid it would be impossible to set up "Redirect HTTP (8080) to HTTPS (443)".
If you are running OpenMeetings on port 8080, you can't use that port for Apache, and vice versa. A port should be used exclusively by OM or by Apache, not both.
I would close port 8080 at the firewall level to deny direct access to OM (and please remove the rule for <VirtualHost *:8080>, otherwise OM will fail to start with a "Port already in use" message).
Now regarding CSRF:
You need to modify conf/jee-container.xml and add the following property
<property name="secure" value="true" />
to the <!-- Tomcat without SSL enabled --> block, right before <property name="connectionProperties">.
This should fix your issue.
BUT OpenMeetings will not work with this config ....
because you also need to proxy WebSockets ....
So you additionally need mod_rewrite and mod_proxy_wstunnel,
and then you need to add the following section:
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
Additionally, you might want to perform tunneling for your RTMP traffic; this will require special rules for open, send, idle and close.
Below is the final configuration for Apache 2.4:
<VirtualHost *:443>
ServerName domain.test-test.eu
## Vhost docroot
DocumentRoot "/var/www/"
## Directories, there should at least be a declaration for /var/www/
<Directory "/var/www/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
ServerSignature Off
CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined
## SSL directives
SSLEngine on
SSLCertificateFile "/_certs_path_/domain.test-test.eu/fullchain.pem"
SSLCertificateKeyFile "/_certs_path_/domain.test-test.eu/privkey.pem"
SSLCACertificatePath "/_CA_certs_path_"
### OpenMeetings ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On
<Location /openmeetings>
Require all granted
ProxyPass http://localhost:5080/openmeetings
ProxyPassReverse http://localhost:5080/openmeetings
RewriteEngine On
RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
Require all granted
ProxyPass http://localhost:5080/open
ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
Require all granted
ProxyPass http://localhost:5080/send
ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
Require all granted
ProxyPass http://localhost:5080/idle
ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
Require all granted
ProxyPass http://localhost:5080/close
ProxyPassReverse http://localhost:5080/close
</Location>
</VirtualHost>
Works for me as expected :)
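The log line in the question ("Possible CSRF attack ... Origin does not correspond to request") comes from comparing two things: the request URL that the servlet container reconstructs behind the proxy, and the browser's Origin header. Below is an added model of that comparison, written for this page; it is not OpenMeetings, Wicket or Tomcat code. It assumes the two points the answer relies on: a Tomcat connector reports scheme "https" only when it is marked secure (the secure property), and the Host header reaches the application unchanged only with ProxyPreserveHost On. The backend address localhost:8080 is the one from the question; the host 192.168.0.10 and the request paths are constructed samples.

```python
"""Model of the origin check behind 'Origin does not correspond to request'.

Added example (not Wicket/Tomcat/OpenMeetings code). It reproduces the two
inputs the check compares and shows why the secure connector flag and
ProxyPreserveHost both matter when TLS is terminated in Apache.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Path from the log line in the question.
SIGNIN_PATH = "/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage"


def reconstruct_request_url(host_header, path, connector_secure, preserve_host=True,
                            backend_host="localhost:8080"):
    """Request URL as the application behind the proxy sees it.

    Assumption modelled here: the container derives the scheme from the
    connector's secure flag (not from the client's TLS connection, which it
    never sees), and the host from the Host header it actually receives.
    """
    scheme = "https" if connector_secure else "http"
    host = host_header if preserve_host else backend_host
    return f"{scheme}://{host}{path}"


def _origin_tuple(url):
    """(scheme, host, effective port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def origin_matches(request_url, origin_header):
    """True when Origin carries the same scheme, host and port as the request."""
    return _origin_tuple(request_url) == _origin_tuple(origin_header)


def check_login_request(host_header, connector_secure, preserve_host=True):
    """Verdict a Wicket-style CSRF listener would produce for the sign-in POST.

    The browser reached Apache over HTTPS, so its Origin is https://<host>.
    """
    origin = f"https://{host_header}"
    request_url = reconstruct_request_url(host_header, SIGNIN_PATH,
                                          connector_secure, preserve_host)
    if origin_matches(request_url, origin):
        return "allowed"
    return (f"aborted with error 400 Origin does not correspond to request "
            f"(request URL: {request_url}, Origin: {origin})")


if __name__ == "__main__":
    # Connector not marked secure: the app reconstructs http://..., Origin is https://...
    print(check_login_request("192.168.0.10", connector_secure=False))
    # secure="true" from the answer: both sides agree on https and the login is allowed.
    print(check_login_request("192.168.0.10", connector_secure=True))
    # ProxyPreserveHost Off would break it again, this time on the host/port part.
    print(check_login_request("domain.test-test.eu", connector_secure=True, preserve_host=False))
```

The first call reproduces the question's log line (scheme mismatch); the second shows the effect of the secure property from the answer; the third shows that the host and port are compared too, which is why ProxyPreserveHost On in both posted configurations is not optional.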

In 'default' file I have:
<VirtualHost *:80>
ServerName domain.test-test.eu
ServerAlias domain.test-test.eu
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
So when somebody types http://domain.test-test.eu it redirects to https://domain.test-test.eu.
My 'default-ssl' file is almost exactly the same as yours (I'm using 8080/tcp for OM). And I'm using self-signed certificates for OM (for now they're not signed for CN=domain.test-test.eu but for CN=testname.eu; I'll change that after OM works).
Unfortunately this config doesn't work. I can see two black dots spinning around. Could it be because of outdated browsers (FF version 52.4.1 and Chromium 51.0.2704.79) or a wrong site certificate?

The Apache config given by Maxim is working. Thank you Maxim!

Related

Getting Error 400 Bad Request Error when trying to load non-www website

I'm using Apache2. My server's website (Linode) loads normally only if I include the www.[name].com link. If I use [name].com without the www, I actually receive a page, but it reads "400 Bad Request Error". Here are my /etc/apache2/sites-available files:
website.conf
<VirtualHost *:80>
ServerName website.com
ServerAlias www.website.com
Redirect 301 / https://www.website.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =website.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Here is my website-le-ssl.conf file (for HTTPS/SSL):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.website.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/name/website/static
<Directory /home/name/website/static>
Require all granted
</Directory>
Alias /media /home/name/website/media
<Directory /home/name/website/media>
Require all granted
</Directory>
<Directory /home/name/website/website>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIScriptAlias / /home/name/website/website/wsgi.py
WSGIDaemonProcess django_app python-path=/home/name/website/ python-home=/home/name/website/venv
WSGIProcessGroup django_app
SSLCertificateFile /etc/letsencrypt/live/name.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/name.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
In addition, I do not use a .htaccess file, I do not use any other redirect file, and I have already enabled the rewrite module with a2enmod. This site sometimes works without the www, but there are brief periods of time where it doesn't work and I'm confused as to why it acts this way. Is there a way to get Apache2 to redirect from non-www addresses to www addresses, and how do I make the redirect work ALL the time? Thank you!
Things tried:
I've tried using RewriteEngine and mod_rewrite in the .htaccess file, and I've tried completely restoring everything to default and reconfiguring it all from scratch and from tutorials.

Apache HTTPS Reverse Proxy URL Redirection

I have a Node application running on port 3001. For HTTP to HTTPS, I've configured an Apache virtual host with a reverse proxy and it is working fine. Now I need to redirect
http://nodeapp.mydomain.com to https://nodeapp.mydomain.com and http://nodeapp.mydomain.com:3001 to https://nodeapp.mydomain.com and http://100.100.100.100:3001 to https://nodeapp.mydomain.com
Can anyone please help me achieve this using the virtual host configuration instead of writing a .htaccess file?
<VirtualHost *:443>
ServerAdmin admin@mydomain.com
ServerName nodeapp.mydomain.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://100.100.100.100:3001/
ProxyPassReverse / http://100.100.100.100:3001/
ErrorLog "/var/log/httpd/mydomain.com-error_log"
CustomLog "/var/log/httpd/mydomain.com-access_log" common
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/nodeapp_mydomain_com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/nodeapp_mydomain_com.key
</VirtualHost>
To redirect http://nodeapp.mydomain.com to https://nodeapp.mydomain.com, add these lines to the virtual host configuration:
<VirtualHost *:80>
ServerName nodeapp.mydomain.com
Redirect Permanent / https://nodeapp.mydomain.com/
RewriteEngine on
RewriteCond %{SERVER_NAME} =nodeapp.mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
You can copy paste the same code to the conf file, and modify the corresponding domains/subdomains there.

Reset project directory of apache web server virtual host having let's encrypt ssl certificate installed

I have a website www.example.com that is hosted on an apache2 web server in the /var/www/example.com directory, and the virtual host config file is
<VirtualHost *:80>
ServerAdmin admin@gmail.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public
<Directory /var/www/example.com/public/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml
</IfModule>
</VirtualHost>
I have installed let's encrypt certificate for this domain.
Now I have to change configuration settings and the config file should be like this:
<VirtualHost *:80>
ServerAdmin admin@gmail.com
ServerName example.com
ServerAlias www.example.com
# here is the change
DocumentRoot /var/www/example.com/dist
# here is the change
<Directory /var/www/example.com/dist/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml
</IfModule>
</VirtualHost>
I have edited the config file and ran the command certbot --apache -d example.com -d www.example.com.
I chose both the reinstall and renew options, and the installation was successful in both cases. But when I go to example.com it shows a 404 error.
How can I solve my problem?
HTTPS uses port 443, not port 80. Port 443 is closed. You need to add a new virtual host to handle HTTPS requests:
<VirtualHost *:443>
ServerName example.com
#ServerAlias www.example.com
ServerAdmin admin@gmail.com
DocumentRoot /var/www/example.com/dist
LogLevel debug ssl:info
SSLEngine on
SSLCertificateFile /path/to/your/cert
SSLCertificateKeyFile /path/to/your/key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
If you check ports.conf under /etc/apache2, you will see this:
<IfModule ssl_module>
Listen 443
</IfModule>
Apache2 will open port 443 when the SSL module is enabled. So remember to run:
sudo a2enmod ssl
sudo systemctl restart apache2

Why am I getting Websocket Error in WebRTC Conference?

I'm trying the AntMedia EE trial.
I am using the WebRTC demo located at
https://ant.techrova.in/LiveApp/conference.html
(the built-in demo).
Join room is disabled, and when I check the console
I'm getting these errors:
WebSocket connection to 'wss://ant.techrova.in/LiveApp/websocket'
failed: Error during WebSocket handshake: Unexpected response code:
404
I don't know how to fix it.
This is my Apache proxy config.
For HTTP:
<VirtualHost *:80>
ServerName ant.techrova.in
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5080/
ProxyPassReverse / http://127.0.0.1:5080/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =ant.techrova.in
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
For HTTPS:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName ant.techrova.in
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5080/
ProxyPassReverse / http://127.0.0.1:5080/
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/ant.techrova.in/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ant.techrova.in/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Please help me resolve this issue.
Please enable the following modules:
a2enmod proxy proxy_http proxy_wstunnel
Add the following lines to your conf file:
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5080/$1 [P,L]
ProxyPass / http://localhost:5080/
ProxyPassReverse / http://localhost:5080/
After that, restart the apache2 service as below:
systemctl restart apache2

How to install erpnext using Apache?

I have installed/hosted the erpnext app using an Nginx config.
I tried to do the same with an Apache server using the same config, but it is not working.
Has anyone tried this before?
This is my currently working configuration (Apache 2.4 with Let's Encrypt SSL).
Socket.io was the main problem; finally I found a way to make it work (transport=polling requests to /socket.io must be HTTP, all other requests to /socket.io must be WebSocket).
<VirtualHost *:443>
ServerAdmin erpnext#example.com
ServerName erpnext.example.com
DocumentRoot /home/frappe/frappe-bench/sites/erpnext.example.com/
ProxyPreserveHost On
ProxyRequests Off
ProxyTimeout 120
ProxyPass "/.well-known/" "!"
ProxyPass "/AutoDiscover/" "!"
ProxyPass "/mail/" "!"
ProxyPass "/cgi-bin/" "!"
ProxyPass "/assets/" "!"
ProxyPass "/files/" "!"
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=polling [NC]
RewriteRule /(.*) http://localhost:9000/socket.io/$1 [P,L]
RequestHeader set Host "erpnext.example.com"
RequestHeader set X-Frappe-Site-Name "erpnext.example.com"
ProxyPass "/socket.io" "ws://localhost:9000/socket.io/"
ProxyPassReverse "/socket.io" "ws://localhost:9000/socket.io/"
<Location "/socket.io">
RequestHeader set X-Frappe-Site-Name "erpnext.example.com"
</Location>
Alias "/assets" "/home/frappe/frappe-bench/sites/assets"
<Directory /home/frappe/frappe-bench/sites/assets>
Options FollowSymLinks
Require all granted
</Directory>
Alias "/files" "/home/frappe/frappe-bench/sites/erpnext.example.com/public/files"
<Directory /home/frappe/frappe-bench/sites/erpnext.example.com/public/files>
Options FollowSymLinks
Require all granted
</Directory>
ProxyPass "/" "http://localhost:8000/"
ProxyPassReverse "/" "http://localhost:8000/"
<Location "/">
RequestHeader set X-Frappe-Site-Name "erpnext.example.com"
</Location>
SSLCertificateFile /etc/letsencrypt/live/erpnext.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/erpnext.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
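Three answers on this page solve the same problem, choosing between an HTTP backend and a WebSocket backend per request: Maxim's two RewriteCond lines (Connection: Upgrade plus Upgrade: websocket), the AntMedia answer's single "=websocket" condition, and the ERPNext configuration, where /socket.io requests with transport=polling stay on HTTP while the rest are upgraded and /assets and /files are served by Apache itself (ProxyPass ... "!"). The following is an added model of those routing decisions, written for this page and not taken from Apache or any of the posters. The backend ports (5080, 9000, 8000) and prefixes are those in the answers; the sample requests are constructed. It follows the posted rules literally, including what the unanchored "/(.*)" pattern and the slash-less ProxyPass prefix produce in the target URL.

```python
"""Routing decisions behind the mod_rewrite/mod_proxy rules in the answers.

Added example, not Apache code. It models which backend each posted
configuration selects for a given request, so the behaviour of the
conditions can be checked without a running server.
"""
import re


def wants_upgrade(headers, require_connection_header=True):
    """Maxim's rule (default):
         RewriteCond %{HTTP:Connection} Upgrade   [NC]   -> regex, substring match
         RewriteCond %{HTTP:Upgrade}    websocket [NC]
    AntMedia variant (require_connection_header=False):
         RewriteCond %{HTTP:Upgrade} =websocket [NC]    -> case-insensitive equality
    """
    h = {k.lower(): v for k, v in headers.items()}
    upgrade = h.get("upgrade", "")
    if not require_connection_header:
        return upgrade.lower() == "websocket"
    connection_ok = re.search("Upgrade", h.get("connection", ""), re.IGNORECASE) is not None
    upgrade_ok = re.search("websocket", upgrade, re.IGNORECASE) is not None
    return connection_ok and upgrade_ok


def route_openmeetings(path, headers):
    """Maxim's vhost: upgrade requests go to ws://localhost:5080, everything
    else is proxied to http://localhost:5080. The pattern '/(.*)' matches
    at the leading slash, so $1 is the path without it."""
    rest = path.lstrip("/")
    if wants_upgrade(headers):
        return f"ws://localhost:5080/{rest}"
    return f"http://localhost:5080/{rest}"


EXCLUDED = ("/.well-known/", "/AutoDiscover/", "/mail/", "/cgi-bin/", "/assets/", "/files/")


def route_erpnext(path, query):
    """The ERPNext vhost. The polling rewrite is conditioned on /socket.io,
    so it never collides with the ProxyPass "!" exclusions, and the catch-all
    to port 8000 applies last."""
    if path.startswith("/socket.io"):
        # RewriteCond %{QUERY_STRING} transport=polling [NC] is a regex search,
        # and the rule target is http://localhost:9000/socket.io/$1 with
        # $1 = whole path minus the leading slash (so 'socket.io' appears twice).
        if re.search("transport=polling", query, re.IGNORECASE):
            return f"http://localhost:9000/socket.io/{path.lstrip('/')}"
        # ProxyPass "/socket.io" "ws://localhost:9000/socket.io/": Apache appends
        # the remainder of the path after the matched prefix to the target.
        return "ws://localhost:9000/socket.io/" + path[len("/socket.io"):]
    if any(path.startswith(p) for p in EXCLUDED):
        return "served locally by Apache"
    return f"http://localhost:8000{path}"


if __name__ == "__main__":
    ws_headers = {"Connection": "keep-alive, Upgrade", "Upgrade": "websocket"}
    print(route_openmeetings("/openmeetings/websocket", ws_headers))
    print(route_openmeetings("/openmeetings/signin", {"Connection": "keep-alive"}))
    print(route_erpnext("/socket.io/", "EIO=3&transport=polling"))
    print(route_erpnext("/socket.io/", "EIO=3&transport=websocket"))
    print(route_erpnext("/assets/js/app.js", ""))
```

Two things the model makes visible that are worth checking against your own backend: Maxim's rule requires a Connection header containing "Upgrade" as well as Upgrade: websocket, whereas the "=websocket" variant looks only at the Upgrade header; and the ERPNext rules, taken literally, send the polling request to /socket.io/socket.io/ and the WebSocket request to /socket.io//, which works for the poster but depends on the socket.io server tolerating the repeated segment and doubled slash.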