checkOrigin: originHost '...' does not match hosts '<Host>'

Classic Servoy
1

Hallo together,

looks like my warning in the Log
checkOrigin: originHost ‘…’ does not match hosts ‘’
comes from this new feature
NGClient SVY-13612 implement GetHttpSessionConfigurator.checkOrigin(header)

We are using an apache2 for loadballancing and forwarding the packages to a Tomcat 9 servers.

We updated the Test-System to 2019.9 and now we are getting the mentioned warning.
This leads us to a 403 when we try to connect the Tomcat 9 via the loadbalancer apache2 url.
Both do have different URLs and apache is forwoarding via mod_proxy and other modules for ws tunnel and so on.

I guess I am missing a configuration needed for that type of setup.
But I am not able to find any hint - what that new filter does.

Found a hint at
https://is.us.dell.com/docs/config/filt … ORS_Filter
in section CORS Filter

CorsFilter
org.apache.catalina.filters.CorsFilter


CorsFilter
/*

but that config suppress only the warning written to the log file at Servoy App - but 403 is still present, when request by loadbalancer URL.

Looks like it is more related to something - link
https://github.com/Servoy/sablo/commit/ … 3291c5b8e3

but I am not sure where to find a config example I am able to work with and get an understanding of the topic.

Any help realy appreciated.

Thanks a lot in advanced.

vhost - balancer file fragment:
“…” are placeholder for the real config path information
<VirtualHost *:443>
ServerName …
ServerAdmin …
ErrorLog …
TransferLog …
CustomLog … ssl_combined

SSLProxyEngine on
SSLEngine on

SSLCertificateFile …
SSLCertificateKeyFile …
SSLCertificateChainFile …
ProxyRequests off
<Proxy balancer://myclusterTest/>
BalancerMember “…” route=…
Require all granted

<Proxy balancer://myclusterWssTest/>
BalancerMember “wss://…” route=…
Require all granted

<Location /balancer-manager>
SetHandler balancer-manager

Header add Set-Cookie “ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/” env=BALANCER_ROUTE_CHANGED
ProxyPass /balancer-manager !
ProxyPass /servoy_8/servoy-admin !
ProxyPass /servoy_8/servoy-admin/ !
<LocationMatch “^/servoy_8/websocket/.*”>
ProxyPass “balancer://myclusterWssTest/” stickysession=ROUTEID

<LocationMatch “^/$”>
Require all denied

ProxyPass “/” “balancer://myclusterTest/” stickysession=ROUTEID
<Directory “/srv/www/vm-l-servoy-lb_ssl/htdocs”>
Require all granted

2

Hi,

What does your Apache vhost config look like?

For example, do you have the following line in there?

ProxyPreserveHost On

For more info on this:
https://httpd.apache.org/docs/current/m … eservehost

Hope this helps

3

Great, it works

ProxyPreserveHost On

solved it.

Thanks a lot :-)

4

A proxy should always pass the Host header, so ‘ProxyPreserveHost On’ is the best setting.

For cases where you do not have control over the proxyserver, the websocket checkOrigin security check can be disabled on the Servoy admin page.

Rob