Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request origin does not match request base_url #22965

Closed
tpbowden opened this issue Jan 7, 2016 · 34 comments
Closed

Request origin does not match request base_url #22965

tpbowden opened this issue Jan 7, 2016 · 34 comments
Labels
actionpack routing

Comments

@tpbowden
Copy link

tpbowden commented Jan 7, 2016

I am running the Rails 5.0.0 beta1 and after deploying to production have noticed something odd. My application is running being an Nginx reverse proxy which decrypts SSL.

Every time I try to submit a form, a ActionController::InvalidAuthenticityToken is raised. I have managed to narrow this down to line 399 in ActionController. The problem is that the request origin has https:// as the protocol and the request base_url has http:// as the protocol.

I have tried setting the X-Forwarded-Proto header and using config.force_ssl = true but neither made any difference.

I have not yet figured out a way to isolate a failing test case but am happy to look into it if anyone has any suggestions.
@tpbowden
Copy link
Author

tpbowden commented Jan 8, 2016

Fix by adding more headers in Nginx (X-Forwarded-Ssl on, X-Forwarded-Port 443 and X-Forwarded-Host hostname)

@tpbowden tpbowden closed this as completed Jan 8, 2016
@afair
Copy link
Contributor

afair commented Jan 19, 2016

I also ran into this issue. I'll describe it differently to help with future searches.

Submission of any form to Nginx proxying to a Puma unix socket running a Rails 5.0.0.beta1 app responds with:

Can't verify CSRF token authenticity

and throws:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)

even though the App's CSRF is set up correctly. The app works in development (puma or thin, without Nginx), and worked in Nginx/Puma/Rails-4.2. I don't know if this is specific to using Puma, but seems like the same problem could exist with other servers (unicorn, passenger, etc.)

I don't know if this behavior change is an error or intended.

I can confirm @tpbowden's solution worked for me as well. In my nginx configuration, I setup the app to proxy to puma listening on a unix socket. Here are the relevant parts of the configuration.

upstream myapp {
  server              unix:///path/to/puma.sock;
}
...
location / {
  proxy_pass        http://myapp;
  proxy_set_header  Host $host;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Proto $scheme;
  proxy_set_header  X-Forwarded-Ssl on; # Optional
  proxy_set_header  X-Forwarded-Port $server_port;
  proxy_set_header  X-Forwarded-Host $host;
}

@tpbowden
Copy link
Author

The issue isn't related to Puma and would happen to any web server running behind a reverse proxy which isn't passing the correct headers through. The way I managed to figure out how this issue was being caused was by following the error down the stack trace.

The root of the issue is the code in request.origin == request.base_url, which compares the Origin header's value against the base_url which is build up by a Rack::Response. There are 3 parts to this value, the scheme, the host and the port. All three of these are calculated based on a series of headers which not present by default when using a reverse proxy.

You can follow the source for Rack::Request#base_url here and it will become clear by looking in your web logs which headers are missing.

@tpbowden
Copy link
Author

I've just done a bit more research and it is definitely the intended behaviour. It can be disabled in your app config using config.action_controller.forgery_protection_origin_check = false. It is enabled by default however.

@jonnyparris
Copy link

@tpbowden Did you find a solution that doesn't disable forgery protection in the end? I think I'm facing the same problem and really struggling to make 'clean' progress.

@tpbowden
Copy link
Author

Yes the problem was not passing enough headers through my reverse proxy (nginx) for Rails/Rack to determine whether the request was originally made using https or not (since it was already decrypted by the time it hit Rails)

@jonnyparris
Copy link

ahh, so how did you find out what was missing...and how did you add the missing headers? Thanks so much for the quick reply!

@tpbowden
Copy link
Author

If you look at @afair's comment above he was referenced a correct Nginx config, you just need to add the x-forwarded headers related to ssl. I figured out which ones were missing by digging though the source code of Rack's request object to find out how it determine's the protocol of the request.

@jonnyparris
Copy link

Alas @afair's config doesn't work for me. Moreover, my logs have been annoyingly sparse since adding my Puma config (but that's another story.)
Thanks anyway, I'll think on it.

@jonnyparris
Copy link

I narrowed my issue down to nginx not playing well with 2 virtual hosts running at the same time. I'm trying to run a staging VPS and a production VPS using jwilder's nginx-proxy.
Everything works fine using the standard generated conf file when only staging OR production is running. However I run into the ActionController::InvalidAuthenticityToken errors on form submissions when both are running at once.
I haven't solved it yet, but thought I'd leave this here in case anyone else follows a similar trail of blunders.

@straight-shoota
Copy link

Thanks @tpbowden and @afair I was desperatly trying to make any sense of this oddly failing CSRF protection... then I found this issue 👍

@tripitakit
Copy link

Many thanks @tpbowden and @afair, you've made my day!

@rebase-master
Copy link

rebase-master commented Mar 29, 2017
edited
Loading

@afair You, Sir, have saved a lot of my time. Thank you.

@marisveide
Copy link

Thanks @tpbowden! You made my day!
This helped! Yeah! ;)

@manno manno mentioned this issue Aug 3, 2017
Closed
@stefatkins
Copy link

Thanks so much :
I was missing this line :
proxy_set_header X-Forwarded-Proto $scheme;

@1c7
Copy link

1c7 commented Oct 5, 2017

@afair fixed my problem! thank you!

@nunosilva800
Copy link
Contributor

My problem was similar, using heroku and cloudflare, solution was:

Make sure you have working SSL and HTTPS on Heroku (or wherever you're serving your Rails application.) Turn Cloudflare SSL to Full mode. Problem solved.

from: http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf

@nicobobb
Copy link

@Onumis Thank so much! I turn Cloudflare SSL to Full mode and fixed the problem.

ngzm added a commit to long-live-net/france that referenced this issue Feb 10, 2018
@ngzm
Fix Rails 5 CSRF error
0b58fb0 
Add http header on nginx reverse proxy setting.
See also rails/rails#22965
ngzm added a commit to ngzm/g-link that referenced this issue Feb 10, 2018
@ngzm
Fix Rails 5 CSRF error
4dc90e4 
Add http header on nginx reverse proxy setting.
See also rails/rails#22965
@ngzm ngzm mentioned this issue Feb 10, 2018
Merged
@HLFH HLFH mentioned this issue Mar 19, 2018
Closed
@tpai tpai mentioned this issue Jun 6, 2018
Open
@spMohanty spMohanty mentioned this issue Jun 7, 2018
Closed
@dchandekstark
Copy link

For those using Apache, this worked for me:

RequestHeader set X-Forwarded-Proto "https"

@elimisteve elimisteve mentioned this issue Nov 28, 2018
Open
@ufukayyildiz ufukayyildiz mentioned this issue Dec 22, 2020
Closed
@ufukayyildiz
Copy link

I also ran into this issue. I'll describe it differently to help with future searches.

Submission of any form to Nginx proxying to a Puma unix socket running a Rails 5.0.0.beta1 app responds with:

Can't verify CSRF token authenticity

and throws:

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken)

even though the App's CSRF is set up correctly. The app works in development (puma or thin, without Nginx), and worked in Nginx/Puma/Rails-4.2. I don't know if this is specific to using Puma, but seems like the same problem could exist with other servers (unicorn, passenger, etc.)

I don't know if this behavior change is an error or intended.

I can confirm @tpbowden's solution worked for me as well. In my nginx configuration, I setup the app to proxy to puma listening on a unix socket. Here are the relevant parts of the configuration.

upstream myapp {
  server              unix:///path/to/puma.sock;
}
...
location / {
  proxy_pass        http://myapp;
  proxy_set_header  Host $host;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Proto $scheme;
  proxy_set_header  X-Forwarded-Ssl on; # Optional
  proxy_set_header  X-Forwarded-Port $server_port;
  proxy_set_header  X-Forwarded-Host $host;
}

Thank you so much. Worked for me too.

@rbclark rbclark mentioned this issue Feb 12, 2021
Closed
@kemenaran kemenaran mentioned this issue Apr 15, 2021
Closed
domhnall pushed a commit to domhnall/renupharm that referenced this issue Apr 26, 2021
@domhnallmurphy-examtime
Updating nginx config to ensure authenticity token is accepted
f5febdb 
See rails/rails#22965
@fguillen
Copy link

Thanks so much :
I was missing this line :
proxy_set_header X-Forwarded-Proto $scheme;

Also works without the socket thing:

upstream rails_app {
  server app:3000;
}

...
server {
  ...
  location @rails {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://rails_app;
  }
}

@Furqanameen
Copy link

Thank you so much buddy it's worked for me.
location @rails { proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://rails_app; }

@paul-e-allen paul-e-allen mentioned this issue Jun 11, 2021
Open
evazion added a commit to danbooru/danbooru-infrastructure that referenced this issue Sep 14, 2021
@evazion
k8s: fix CSRF token authenticity error in Rails.
3e8e3c4 
Fix issue described in [1]. We were incorrectly overriding the
X-Forwarded-Proto header from the ingress, which caused CSRF token
validation in Rails to fail.

1: rails/rails#22965.
@radamson radamson mentioned this issue Sep 17, 2021
Merged
fguillen added a commit to fguillen/RailsSkeleton that referenced this issue Sep 30, 2021
@fguillen
Fixed issue 'Request origin does not match request base_url' from rai…
7f6e4cc 
…ls/rails#22965
@rahul100885 rahul100885 mentioned this issue Oct 26, 2021
Closed
@omohokcoj omohokcoj mentioned this issue Nov 17, 2021
Closed
despo added a commit to deltacy/istos.cy that referenced this issue Mar 20, 2022
@despo
Set correct headers for incoming SSL request
ef7f708 
See rails/rails#22965
@despo despo mentioned this issue Mar 20, 2022
Merged
despo added a commit to deltacy/istos.cy that referenced this issue Mar 20, 2022
@despo
Set correct headers for incoming SSL request
7125c97 
See rails/rails#22965
@doughtyorg
Copy link

My problem was similar, using heroku and cloudflare, solution was:

Make sure you have working SSL and HTTPS on Heroku (or wherever you're serving your Rails application.) Turn Cloudflare SSL to Full mode. Problem solved.

from: http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf

Thank you, I love you :)

@Kledal
Copy link

Kledal commented Aug 21, 2022

If you are using Dokku and facing this problem, check out this awesome guide https://okhlopkov.com/cloudflare-certificates-dokku/

@blackstorm blackstorm mentioned this issue Jan 10, 2023
Open
@albancrommer albancrommer mentioned this issue Mar 21, 2023
Closed
@tomharvey tomharvey mentioned this issue May 4, 2023
Closed
@kwhandy kwhandy mentioned this issue Sep 3, 2023
Open
@hiveer
Copy link

hiveer commented Oct 22, 2023

I'm using Aliyun load balance which is called SLB for my two other application servers. My application servers started at port 3000 and the application server didn't set up ssl.

When the user access my website by https, SLB redirect the request to application server with http. So now we have the issue:
the origin is https, but the request base url is http

The solution for this is to make sure when SLB redirect request to application server we should provided the proxy header: X-Forwarded-Proto

I think the header missing is the root cause for this case.

@Aspiricity Aspiricity mentioned this issue Oct 30, 2023
Closed
@pglombardo pglombardo mentioned this issue Nov 6, 2023
Closed
@tanmoysrt tanmoysrt mentioned this issue Dec 5, 2023
Merged
@krishnadiamesso
Copy link

My problem was similar, using heroku and cloudflare, solution was:

Make sure you have working SSL and HTTPS on Heroku (or wherever you're serving your Rails application.) Turn Cloudflare SSL to Full mode. Problem solved.

from: http://til.obiefernandez.com/posts/875a2a69af-cloudflare-flexible-ssl-mode-breaks-rails-5-csrf

Thank you. this solved the issue for me as well 🙏

@chadlwilson chadlwilson mentioned this issue Jan 31, 2024
Closed
@Floppy Floppy mentioned this issue May 12, 2024
Closed
@SamuelvLopes
Copy link

usando o proxy reverso do apache é adicionar

RequestHeader set X-Forwarded-Proto "https"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
actionpack routing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests