topic Re: xsoar initial admin login fails - websockets error and CSRF token match problem in Cortex XSOAR Discussions

xsoar initial admin login fails - websockets error and CSRF token match problem

bchill — Thu, 29 Sep 2022 11:07:31 GMT

I installed xsoar 6.6 according to the instructions and am using nginx as a front-end. I also configured nginx according to the instructions, but I am connecting to xsoar from nginx via http and port 8080 (as opposed to https/443 as used in the example nginx config).

I created the otc.conf.json file with the initial admin user and restarted the server, but I cannot login.

In the Chrome console, I see this when I open the xsoar page:

light-bundle-1647266668075.js?v=1647266668075:38 WebSocket connection to 'wss://xsoar.example.com/websocket' failed:
Oe @ light-bundle-1647266668075.js?v=1647266668075:38
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:315
n @ light-bundle-1647266668075.js?v=1647266668075:1
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:1
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:1

In the xsoar server.log file, I see these each time I try to login:

2022-09-29 05:51:37.4687 error CSRF values not match (source: /builds/GOPATH/src/code.pan.run/xsoar/server/web/middleware.go:447)

I have no idea what the problem is.

Does anyone have a clue?

Re: xsoar initial admin login fails - websockets error and CSRF token match problem

kiwi — Wed, 05 Oct 2022 10:10:21 GMT

Hi @bchill ,

In order to get better traction for this I'm moving this discussion to the Cortex XSOAR area.

Cheers,

-Kiwi.

Re: xsoar initial admin login fails - websockets error and CSRF token match problem

bchill — Wed, 19 Oct 2022 19:35:55 GMT

Update:

The websockets error also comes up when I set up xsoar directly on 443 (i.e. w/o nginx, etc), but logins do work as expected. The CSRF match errors do not show up in the server.log, however. That means that the websockets error is benign and not related. This is clearly about the CSRF matching.

Re: xsoar initial admin login fails - websockets error and CSRF token match problem

bchill — Tue, 17 Jan 2023 23:42:16 GMT

I figured this out.

If you want to connect to xsoar via http via nginx as a https-terminated reverse proxy, you need to add this line to the first location directive:

proxy_cookie_path / "/; secure";

In the context of a nginx server{} section:

map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen [::]:443 ssl http2; listen 443 ssl http2; server_name xsoar.example.com; ssl_certificate /etc/ssl/certs/example.com.cert.pem; ssl_certificate_key /etc/ssl/certs/example.com.key.pem; ssl_session_cache builtin:1000 shared:SSL:10m; access_log /var/log/nginx/demisto.access.log; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://localhost:8080; proxy_read_timeout 90; proxy_cookie_path / "/; secure"; } location ~ ^/(acc_\S+/)?(websocket|d1ws|d2ws) { proxy_pass http://localhost:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header Origin ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }

1. The certificate example is a wildcard cert for *.example.com.

2. The ssl config is handled in the http{} section which is not included here.

3. This assumes xsoar is listening on http port 80.

4. ipv6 and http v2 are also included above.

5. Remember to reload nginx.

The /etc/demisto.conf:

{ "Server": { "HttpPort": "8080" }, "container": { "engine": { "type": "docker" } }, "custom": { "fields": { "validate": { "grid": { "values": true } } } }, "db": { "index": { "entry": { "disable": true } } } }

1. Remember to reload demisto.