checkOrigin: originHost '...' does not match hosts '<Host>'

Questions and Answers on installation, deployment, management, locking, tranasactions of Servoy Application Server

checkOrigin: originHost '...' does not match hosts '<Host>'

Postby v.weimer » Thu Nov 21, 2019 11:05 am

Hallo together,

looks like my warning in the Log
checkOrigin: originHost '...' does not match hosts '<Host>'
comes from this new feature
NGClient SVY-13612 implement GetHttpSessionConfigurator.checkOrigin(header)

We are using an apache2 for loadballancing and forwarding the packages to a Tomcat 9 servers.

We updated the Test-System to 2019.9 and now we are getting the mentioned warning.
This leads us to a 403 when we try to connect the Tomcat 9 via the loadbalancer apache2 url.
Both do have different URLs and apache is forwoarding via mod_proxy and other modules for ws tunnel and so on.

I guess I am missing a configuration needed for that type of setup.
But I am not able to find any hint - what that new filter does.

Found a hint at
https://is.us.dell.com/docs/config/filt ... ORS_Filter
in section CORS Filter
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
but that config suppress only the warning written to the log file at Servoy App - but 403 is still present, when request by loadbalancer URL.

Looks like it is more related to something - link
https://github.com/Servoy/sablo/commit/ ... 3291c5b8e3

but I am not sure where to find a config example I am able to work with and get an understanding of the topic.

Any help realy appreciated.

Thanks a lot in advanced.

vhost - balancer file fragment:
"..." are placeholder for the real config path information
<VirtualHost *:443>
ServerName ...
ServerAdmin ...
ErrorLog ...
TransferLog ...
CustomLog ... ssl_combined

SSLProxyEngine on
SSLEngine on

SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCertificateChainFile ...
ProxyRequests off
<Proxy balancer://myclusterTest/>
BalancerMember "..." route=...
Require all granted
</Proxy>
<Proxy balancer://myclusterWssTest/>
BalancerMember "wss://..." route=...
Require all granted
</Proxy>
<Location /balancer-manager>
SetHandler balancer-manager
</Location>
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
ProxyPass /balancer-manager !
ProxyPass /servoy_8/servoy-admin !
ProxyPass /servoy_8/servoy-admin/ !
<LocationMatch "^/servoy_8/websocket/.*">
ProxyPass "balancer://myclusterWssTest/" stickysession=ROUTEID
</LocationMatch>
<LocationMatch "^/$">
Require all denied
</LocationMatch>
ProxyPass "/" "balancer://myclusterTest/" stickysession=ROUTEID
<Directory "/srv/www/vm-l-servoy-lb_ssl/htdocs">
Require all granted
</Directory>
</VirtualHost>
Last edited by v.weimer on Thu Nov 21, 2019 4:57 pm, edited 1 time in total.
v.weimer
 
Posts: 14
Joined: Mon Sep 05, 2016 8:04 am

Re: checkOrigin: originHost '...' does not match hosts '<Hos

Postby ROCLASI » Thu Nov 21, 2019 4:35 pm

Hi,

What does your Apache vhost config look like?

For example, do you have the following line in there?
Code: Select all
ProxyPreserveHost On

For more info on this:
https://httpd.apache.org/docs/current/m ... eservehost

Hope this helps
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Twitter: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5385
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: checkOrigin: originHost '...' does not match hosts '<Hos

Postby v.weimer » Thu Nov 21, 2019 5:17 pm

Great, it works

ProxyPreserveHost On

solved it.

Thanks a lot :-)
v.weimer
 
Posts: 14
Joined: Mon Sep 05, 2016 8:04 am

Re: checkOrigin: originHost '...' does not match hosts '<Hos

Postby rgansevles » Fri Nov 22, 2019 12:04 pm

A proxy should always pass the Host header, so 'ProxyPreserveHost On' is the best setting.

For cases where you do not have control over the proxyserver, the websocket checkOrigin security check can be disabled on the Servoy admin page.

Rob
Rob Gansevles
Servoy
User avatar
rgansevles
 
Posts: 1907
Joined: Wed Nov 15, 2006 6:17 pm
Location: Amersfoort, NL


Return to Servoy Server

Who is online

Users browsing this forum: No registered users and 1 guest