tomcatjasperservernginx-reverse-proxyredirect-loop

Redirect loop while logged in to jaspersoft


I have installed jasperserver on tomcat 8 on Windows. I want to let user access this via NGinx as reverse proxy. I have installed nginx and created a serverfile for jaspersoft. Everything looks fine when I access the URL of jaspersoft. But as soon as I am logged in I am being redirected from "https://$URL/flow.html?_flowId=searchFlow" to "https://$URL". See configuration and access log below.

I have searched on the internet for related issues but cannot find a solution for this.

This is my nginx configuration:

listen 80;
server_name jaspersoft-*.org;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
server_name jaspersoft-*.org;
ssl on;
server_tokens off;
more_clear_headers Server;

ssl_certificate         /etc/nginx/ssl/*.crt;
ssl_certificate_key     /etc/nginx/ssl/*.key;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384::ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer";
add_header Feature-Policy "vibrate 'self'; usermedia *;";

location / {
proxy_pass https://*:9443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Request-Start $msec;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Ssl on;
proxy_hide_header X-AspNet-Version;
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
proxy_read_timeout 600s;
}
}

Solution

  • See this post to Jaspersoft Community forum: https://community.jaspersoft.com/questions/1022641/apache-proxy-tomcat

    Typically the problem can be diagnosed by messages such as this in tomcat logs:

    2020-02-08T13:39:28,211 ERROR CsrfGuard,http-nio-8080-exec-8:45 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/jasperserver/flow.html, error:required token is missing from the request)
    

    The cause is OWASP CSRFGuard library used by Jasper Server. It can't find a request header that contains a required CSRF protection token, causing a redirect back to login page, however you are already logged in so it redirects back to flow.html etc.

    Apparently, in Jaspersoft Server default configuration, CSRFGuard token contains an underscore, which in recent versions of Apache and nginx proxy is considered to be invalid and silently dropped from HTTP headers. In nginx there is a helpful option underscores_in_headers, but I was unable to find a similar option for Apache.

    The solution is to edit the file named /WEB-INF/csrf/jrs.csrfguard.properties and look for property "org.owasp.csrfguard.TokenName". Default value for me was "OWASP_CSRFTOKEN". I changed it to "OWASPCSRFTOKEN" (without underscore) and it fixed the problem for me:

    org.owasp.csrfguard.TokenName=OWASPCSRFTOKEN
    

    Don't forget to restart Jaspersoft Server afterwards.