I have installed JasperServer on Tomcat 8 on Windows. I want users to reach it through NGINX acting as a reverse proxy. I have installed nginx and created a server file for Jaspersoft. When I open the Jaspersoft URL everything looks fine. However, as soon as I log in, I am redirected from "https://$URL/flow.html?_flowId=searchFlow" to "https://$URL". See the configuration and access log below.
I have searched the internet for related questions but could not find a solution.
Here is my nginx configuration:
server {
    listen 80;
    server_name jaspersoft-*.org;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name jaspersoft-*.org;
    ssl on;   # redundant with "listen 443 ssl"; deprecated and removed in nginx 1.25.1
    server_tokens off;
    more_clear_headers Server;   # requires the headers-more module
    ssl_certificate /etc/nginx/ssl/*.crt;
    ssl_certificate_key /etc/nginx/ssl/*.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;   # TLSv1.1 is deprecated (RFC 8996); TLSv1.2 and TLSv1.3 only is the usual choice
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # the original list had a stray "::" (empty cipher entry) between the two AES256-GCM suites
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer";
    add_header Feature-Policy "vibrate 'self'; usermedia *;";
    location / {
        proxy_pass https://*:9443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Request-Start $msec;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Ssl on;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_read_timeout 600s;
    }
}
See this post on the Jaspersoft community forum: https://community.jaspersoft.com/questions/1022641/apache-proxy-tomcat
The problem can usually be diagnosed from messages like this one in the Tomcat log:
2020-02-08T13:39:28,211 ERROR CsrfGuard,http-nio-8080-exec-8:45 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri:/jasperserver/flow.html, error:required token is missing from the request)
The cause is the OWASP CSRFGuard library that JasperServer uses. It cannot find a request header carrying the required CSRF protection token, which causes a redirect back to the login page; but you are already logged in, so that redirects back to flow.html, and so on.
Apparently, in the default Jaspersoft Server configuration the CSRFGuard token name contains an underscore, which recent versions of the Apache and nginx proxies treat as invalid and silently drop from the HTTP headers. In nginx there is a useful option, underscores_in_headers, but I could not find an equivalent for Apache.
The solution is to edit the file /WEB-INF/csrf/jrs.csrfguard.properties and look for the property "org.owasp.csrfguard.TokenName". My default value was "OWASP_CSRFTOKEN". I changed it to "OWASPCSRFTOKEN" (no underscore) and that fixed it for me:
org.owasp.csrfguard.TokenName=OWASPCSRFTOKEN
Don't forget to restart Jaspersoft Server afterwards.
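The answer mentions a second remedy, enabling underscores_in_headers on the nginx side, which keeps CSRFGuard's default token name. Below is that variant as an added example; it is not part of the original question or answer. The hostname, certificate paths and the 127.0.0.1:9443 upstream are assumptions standing in for the wildcards in the question. With nginx defaults, a request header whose name contains an underscore is marked invalid (underscores_in_headers off) and then discarded before proxying (ignore_invalid_headers on), which is exactly what makes the OWASP_CSRFTOKEN header vanish. The directive is valid in the http and server contexts only, not inside location.

```nginx
# Added example (not from the original post): forward header names that contain
# an underscore so CSRFGuard's default "OWASP_CSRFTOKEN" header reaches Tomcat.
#
# nginx defaults, which the question's configuration inherits implicitly:
#   underscores_in_headers off;   -> "OWASP_CSRFTOKEN: ..." is marked invalid
#   ignore_invalid_headers on;    -> ... and silently dropped before proxy_pass
# Tomcat then logs "required token is missing from the request" and CSRFGuard
# redirects to the login flow.

server {
    listen 443 ssl http2;
    server_name jaspersoft.example.org;                  # assumption

    ssl_certificate     /etc/nginx/ssl/jaspersoft.crt;   # assumption
    ssl_certificate_key /etc/nginx/ssl/jaspersoft.key;   # assumption
    ssl_protocols TLSv1.2 TLSv1.3;

    # The fix. Allowed in http{} or server{} context; nginx rejects it inside location{}.
    underscores_in_headers on;

    location / {
        proxy_pass https://127.0.0.1:9443;               # assumption: Tomcat HTTPS connector
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_read_timeout 600s;
    }
}
```

Check the syntax and reload (nginx -t && nginx -s reload), then repeat the login; if the change took effect, the CsrfGuard "required token is missing" line quoted above stops appearing in the Tomcat log. Both remedies leave the CSRF check itself intact: the token is still required on every POST, only its header name or nginx's handling of that name changes. If you rename the token instead, any custom client or script that sends the header by name has to be updated as well.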