xsoar initial admin login fails - websockets error and CSRF token match problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

xsoar initial admin login fails - websockets error and CSRF token match problem

L1 Bithead

I installed xsoar 6.6 according to the instructions and am using nginx as a front-end.  I also configured nginx according to the instructions, but I am connecting to xsoar from nginx via http and port 8080 (as opposed to https/443 as used in the example nginx config).

I created the otc.conf.json file with the initial admin user and restarted the server, but I cannot login.

In the Chrome console, I see this when I open the xsoar page:

light-bundle-1647266668075.js?v=1647266668075:38 WebSocket connection to 'wss://xsoar.example.com/websocket' failed:
Oe @ light-bundle-1647266668075.js?v=1647266668075:38
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:315
n @ light-bundle-1647266668075.js?v=1647266668075:1
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:1
(anonymous) @ light-bundle-1647266668075.js?v=1647266668075:1

In the xsoar server.log file, I see these each time I try to login:

2022-09-29 05:51:37.4687 error CSRF values not match (source: /builds/GOPATH/src/code.pan.run/xsoar/server/web/middleware.go:447)

I have no idea what the problem is.

Does anyone have a clue?

Brian Hill
BCH Technical Services, LLC
1 accepted solution

Accepted Solutions

L1 Bithead

I figured this out.

If you want to connect to xsoar via http via nginx as a https-terminated reverse proxy, you need to add this line to the first location directive:

proxy_cookie_path / "/; secure";

In the context of a nginx server{} section:

 

map $http_upgrade $connection_upgrade {
	default upgrade;
	''	close;
}

server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;
	server_name xsoar.example.com;

	ssl_certificate		/etc/ssl/certs/example.com.cert.pem;
	ssl_certificate_key	/etc/ssl/certs/example.com.key.pem;

	ssl_session_cache	builtin:1000	shared:SSL:10m;

	access_log	/var/log/nginx/demisto.access.log;

	location / {
		proxy_set_header	Host $host;
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
		proxy_pass		http://localhost:8080;
		proxy_read_timeout	90;
		proxy_cookie_path	/	"/; secure";
	}

	location ~ ^/(acc_\S+/)?(websocket|d1ws|d2ws) {
		proxy_pass		http://localhost:8080;
		proxy_http_version	1.1;
		proxy_set_header	Upgrade $http_upgrade;
		proxy_set_header	Connection "upgrade";
		proxy_set_header	Host $host;
		proxy_set_header	Origin "";
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
	}
}

1. The certificate example is a wildcard cert for *.example.com.

2. The ssl config is handled in the http{} section which is not included here.

3. This assumes xsoar is listening on http port 80.

4. ipv6 and http v2 are also included above.

5. Remember to reload nginx.

 

The /etc/demisto.conf:

{
	"Server": {
		"HttpPort": "8080"
	},
	"container": {
		"engine": {
			"type": "docker"
		}
	},
	"custom": {
		"fields": {
			"validate": {
				"grid": {
					"values": true
				}
			}
		}
	},
	"db": {
		"index": {
			"entry": {
				"disable": true
			}
		}
	}
}

1. Remember to reload demisto.

Brian Hill
BCH Technical Services, LLC

View solution in original post

3 REPLIES 3

Community Team Member

Hi @bchill ,

 

In order to get better traction for this I'm moving this discussion to the Cortex XSOAR area.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L1 Bithead

Update:

The websockets error also comes up when I set up xsoar directly on 443 (i.e. w/o nginx, etc), but logins do work as expected. The CSRF match errors do not show up in the server.log, however. That means that the websockets error is benign and not related. This is clearly about the CSRF matching.

Brian Hill
BCH Technical Services, LLC

L1 Bithead

I figured this out.

If you want to connect to xsoar via http via nginx as a https-terminated reverse proxy, you need to add this line to the first location directive:

proxy_cookie_path / "/; secure";

In the context of a nginx server{} section:

 

map $http_upgrade $connection_upgrade {
	default upgrade;
	''	close;
}

server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;
	server_name xsoar.example.com;

	ssl_certificate		/etc/ssl/certs/example.com.cert.pem;
	ssl_certificate_key	/etc/ssl/certs/example.com.key.pem;

	ssl_session_cache	builtin:1000	shared:SSL:10m;

	access_log	/var/log/nginx/demisto.access.log;

	location / {
		proxy_set_header	Host $host;
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
		proxy_pass		http://localhost:8080;
		proxy_read_timeout	90;
		proxy_cookie_path	/	"/; secure";
	}

	location ~ ^/(acc_\S+/)?(websocket|d1ws|d2ws) {
		proxy_pass		http://localhost:8080;
		proxy_http_version	1.1;
		proxy_set_header	Upgrade $http_upgrade;
		proxy_set_header	Connection "upgrade";
		proxy_set_header	Host $host;
		proxy_set_header	Origin "";
		proxy_set_header	X-Real-IP $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header	X-Forwarded-Proto $scheme;
	}
}

1. The certificate example is a wildcard cert for *.example.com.

2. The ssl config is handled in the http{} section which is not included here.

3. This assumes xsoar is listening on http port 80.

4. ipv6 and http v2 are also included above.

5. Remember to reload nginx.

 

The /etc/demisto.conf:

{
	"Server": {
		"HttpPort": "8080"
	},
	"container": {
		"engine": {
			"type": "docker"
		}
	},
	"custom": {
		"fields": {
			"validate": {
				"grid": {
					"values": true
				}
			}
		}
	},
	"db": {
		"index": {
			"entry": {
				"disable": true
			}
		}
	}
}

1. Remember to reload demisto.

Brian Hill
BCH Technical Services, LLC
  • 1 accepted solution
  • 3035 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!