Hi everyone.
I am trying to use mod_csrf on a Docker instance based on Alpine Linux.
Apache seems to be working, with the following modules enabled (among others):
parp_module (shared)
csrf_module (shared)
setenvifplus_module (shared)
http.conf contains the following config lines:
LoadModule parp_module modules/mod_parp.so
LoadModule csrf_module modules/mod_csrf.so
LoadModule setenvifplus_module modules/mod_setenvifplus.so
CSRF_Enable 'on'
CSRF_EnableReferer 'on'
CSRF_Action 'deny'
CSRF_ScriptPath /js/csrf.js
Now, whenever I try to browse to the docker instance, I can see that the browser sends, in the POST call, the following field:
csrfpId:QFgcPyeFS5pLm0OF4eLpaf45cOgWczb8Nc8f8sGr6tg=
which, if I am not mistaken, means that the JavaScript is being loaded correctly.
The problem I get is that the page I am browsing to gives a 403 error, and this is what appears in the Apache logs:
[Fri Feb 19 11:50:16.612989 2016] [:error] [pid 10] [client 172.19.0.3:60822] mod_csrf(021): request denied, -, action=deny, id=-, referer: http://blah/
Now my question is, I am not too sure what is wrong, but what I can see from the Apache logs is that id has no value. Should it be like that? Is there anything else I can check?
Thanks in advance!
Fabrizio
Hi Fabrizio
mod_csrf(021): is the referer header check which fails.
"id" would be UNIQUE_ID (set by mod_unique_id if loaded) used to correlate ErrorLog with TransferLog messages.
Regards, Pascal
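Added example, not part of the thread and not mod_csrf's own code: a small parser that pulls the event code, action, id and referer out of mod_csrf ErrorLog lines and, when mod_unique_id has filled in the id, pairs each event with its TransferLog entry. It assumes the access log format ends with %{UNIQUE_ID}e; the second error line, the access line and the id value are constructed samples.

```python
import re

# Field layout taken from the ErrorLog line quoted in the thread.
CSRF_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] mod_csrf\((?P<code>\d+)\): (?P<msg>[^,]+), "
    r"(?P<detail>[^,]*), action=(?P<action>\w+), id=(?P<id>[^,\s]+)"
    r"(?:, referer: (?P<referer>\S+))?"
)

def parse_csrf_event(line):
    """Return the mod_csrf fields of one ErrorLog line, or None if it is not one."""
    m = CSRF_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # "-" means UNIQUE_ID was not set, i.e. mod_unique_id is not loaded.
    ev["has_unique_id"] = ev["id"] != "-"
    return ev

def correlate(error_lines, access_lines):
    """Pair each mod_csrf event with the access-log line carrying the same id.
    Assumption: the TransferLog LogFormat ends with %{UNIQUE_ID}e."""
    by_id = {l.rsplit(None, 1)[-1]: l for l in access_lines if l.strip()}
    events = []
    for line in error_lines:
        ev = parse_csrf_event(line)
        if ev is None:
            continue
        ev["access"] = by_id.get(ev["id"]) if ev["has_unique_id"] else None
        events.append(ev)
    return events

# Line from the thread (id is "-").
THREAD_LINE = ("[Fri Feb 19 11:50:16.612989 2016] [:error] [pid 10] "
               "[client 172.19.0.3:60822] mod_csrf(021): request denied, -, "
               "action=deny, id=-, referer: http://blah/")
# Constructed samples: the same event with a made-up UNIQUE_ID, plus its access line.
SAMPLE_ID = "CONSTRUCTED-ID-0001"
SAMPLE_ERR = THREAD_LINE.replace("id=-", "id=" + SAMPLE_ID)
SAMPLE_ACCESS = ('172.19.0.3 - - [19/Feb/2016:11:50:16 +0000] '
                 '"POST / HTTP/1.1" 403 199 ' + SAMPLE_ID)

if __name__ == "__main__":
    for ev in correlate([THREAD_LINE, SAMPLE_ERR], [SAMPLE_ACCESS]):
        print(ev["code"], ev["action"], ev["id"], ev["referer"], "->", ev["access"])
```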