|
|
Please share an anonymized version of your sogo.conf file. SOGoXSRFValidationEnabled is supported for internal authentication (LDAP and SQL). |
|
|
|
|
|
|
|
Anonymised version of sogo.conf
{
/* ***** Main SOGo configuration file **
- *
- Since the content of this file is a dictionary in OpenStep plist format, *
- the curly braces enclosing the body of the configuration are mandatory. *
- See the Installation Guide for details on the format. *
- *
- C and C++ style comments are supported. *
- *
- This example configuration contains only a subset of all available *
- configuration parameters. Please see the installation guide more details. *
- *
- ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, *
- make sure to move it away to avoid unwanted parameter overrides. *
- *
-
**/
/ Database configuration (mysql://, postgresql:// or oracle://) /
SOGoProfileURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_user_profile";
OCSFolderInfoURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_sessions_folder";
MySQL4Encoding = "utf8mb4";
/ Mail /
SOGoDraftsFolderName = Drafts;
SOGoSentFolderName = Sent;
SOGoTrashFolderName = Trash;
SOGoJunkFolderName = Spam;
SOGoIMAPServer = "imaps://imap.example.com:993";
SOGoSMTPServer = "smtp.example.com";
SOGoMailDomain = example.com;
SOGoMailingMechanism = smtp;
/ Notifications /
SOGoAppointmentSendEMailNotifications = YES;
SOGoACLsSendEMailNotifications = NO;
SOGoFoldersSendEMailNotifications = NO;
/ Public sharing of calendar and address book /
SOGoEnablePublicAccess = NO;
/ Authentication /
SOGoPasswordChangeEnabled = NO;
/ LDAP authentication /
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
IDFieldName = uid; // first field of the DN for direct binds
UIDFieldName = uid;
bindFields = (uid, mail); // array of fields to use for indirect binds
baseDN = "ou=People,dc=example,dc=com";
bindDN = "cn=sogo,dc=example,dc=com";
bindPassword = "XXXXXXXXXXX";
bindAsCurrentUser = NO;
canAuthenticate = YES;
filter = "(mail='*')";
displayName = "Example Addresses";
hostname = "ldaps://ldap1.example.com";
id = directory;
isAddressBook = YES;
}
);
/ Web Interface /
SOGoPageTitle = "Example Webmail";
SOGoVacationEnabled = NO;
SOGoForwardEnabled = NO;
SOGoSieveScriptsEnabled = NO;
//SOGoTrustProxyAuthentication = NO;
//SOGoXSRFValidationEnabled = YES;
/ General - SOGoTimeZone MUST be defined /
SOGoLanguage = English;
SOGoTimeZone = Europe/Paris;
SOGoCalendarDefaultRoles = (
PublicDAndTViewer,
ConfidentialDAndTViewer
);
//SxVMemLimit = 384;
WOPidFile = "/var/run/sogo/sogo.pid";
SOGoMemcachedHost = "/var/run/memcached/memcached.sock";
SOGoMaximumFailedLoginCount = 5;
SOGoMaximumFailedLoginInterval = 10; // seconds
SOGoFailedLoginBlockInterval = 300; // seconds
SOGoCacheCleanupInterval = 300;
/ Debug /
//SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
//ImapDebugEnabled = YES;
//LDAPDebugEnabled = YES;
//PGDebugEnabled = YES;
//MySQL4DebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
//WODontZipResponse = YES;
WOLogFile = /var/log/sogo/sogo.log;
}
|
|
|
|
{
/* ********************* Main SOGo configuration file **********************
* *
* Since the content of this file is a dictionary in OpenStep plist format, *
* the curly braces enclosing the body of the configuration are mandatory. *
* See the Installation Guide for details on the format. *
* *
* C and C++ style comments are supported. *
* *
* This example configuration contains only a subset of all available *
* configuration parameters. Please see the installation guide more details. *
* *
* ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, *
* make sure to move it away to avoid unwanted parameter overrides. *
* *
* **************************************************************************/
/* Database configuration (mysql://, postgresql:// or oracle://) */
SOGoProfileURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_user_profile";
OCSFolderInfoURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://adminsql:XXXXXX@sogodb:3306/sogo/sogo_sessions_folder";
MySQL4Encoding = "utf8mb4";
/* Mail */
SOGoDraftsFolderName = Drafts;
SOGoSentFolderName = Sent;
SOGoTrashFolderName = Trash;
SOGoJunkFolderName = Spam;
SOGoIMAPServer = "imaps://imap.example.com:993";
SOGoSMTPServer = "smtp.example.com";
SOGoMailDomain = example.com;
SOGoMailingMechanism = smtp;
/* Notifications */
SOGoAppointmentSendEMailNotifications = YES;
SOGoACLsSendEMailNotifications = NO;
SOGoFoldersSendEMailNotifications = NO;
/* Public sharing of calendar and address book */
SOGoEnablePublicAccess = NO;
/* Authentication */
SOGoPasswordChangeEnabled = NO;
/* LDAP authentication */
SOGoUserSources = (
{
type = ldap;
CNFieldName = cn;
IDFieldName = uid; // first field of the DN for direct binds
UIDFieldName = uid;
bindFields = (uid, mail); // array of fields to use for indirect binds
baseDN = "ou=People,dc=example,dc=com";
bindDN = "cn=sogo_ldap,dc=example,dc=com";
bindPassword = "XXXXXXXXXXX";
bindAsCurrentUser = NO;
canAuthenticate = YES;
filter = "(mail='*')";
displayName = "Example Addresses";
hostname = "ldaps://ldap1.example.com";
id = directory;
isAddressBook = YES;
}
);
/* Web Interface */
SOGoPageTitle = "Example Webmail";
SOGoVacationEnabled = NO;
SOGoForwardEnabled = NO;
SOGoSieveScriptsEnabled = NO;
//SOGoTrustProxyAuthentication = NO;
//SOGoXSRFValidationEnabled = YES;
/* General - SOGoTimeZone *MUST* be defined */
SOGoLanguage = English;
SOGoTimeZone = Europe/Paris;
SOGoCalendarDefaultRoles = (
PublicDAndTViewer,
ConfidentialDAndTViewer
);
WOPidFile = "/var/run/sogo/sogo.pid";
SOGoMemcachedHost = "/var/run/memcached/memcached.sock";
SOGoMaximumFailedLoginCount = 5;
SOGoMaximumFailedLoginInterval = 10; // seconds
SOGoFailedLoginBlockInterval = 300; // seconds
SOGoCacheCleanupInterval = 300;
/* Debug */
//SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
//ImapDebugEnabled = YES;
//LDAPDebugEnabled = YES;
//PGDebugEnabled = YES;
//MySQL4DebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
//WODontZipResponse = YES;
WOLogFile = /var/log/sogo/sogo.log;
}
|
|
francis
2021-06-21 15:03
administrator
~0015329
Last edited: 2021-06-21 15:04
|
It should work with this configuration. Try to empty your browser's cache, restart your Web server and memcached instance. |
|
|
|
I did it all before, including connecting from private browsing. I even rebooted the server before restoring.
Also, aside from memcached there are no caching servers associated with sogo.
Now that I have a test server handy, I will triple check though. However the 500 error is delivered from the local Apache which sends all to sogo daemon, so it looks like there is a issue bigger than cache at hand. |
|
|
|
I've re-run tests this morning, still reproducible 100% as soon as I enable XSRF and reload.
[code]
2021-06-22 09:32:31.472 sogod[3762:3762] <MySQL4Channel[0x0x560c94fd93b0] connection=0x0x560c94e201b0> query has results, entering fetch-mode.
Jun 22 09:32:31 sogod [3762]: |SOGo| request took 0.044940 seconds to execute
Jun 22 09:32:31 sogod [3762]: 192.168.100.54, 193.48.252.35 "GET /SOGo/so/test/Calendar/alarmslist?browserTime=1624347151 HTTP/1.1" 500 36/0 0.047 - - 0 - 13
Jun 22 09:32:31 sogod [3764]: |SOGo| request took 0.104119 seconds to execute
Jun 22 09:32:31 sogod [3764]: 192.168.100.54, 193.48.252.35 "GET /SOGo/so/test/Mail/0/view HTTP/1.1" 500 36/0 0.113 - - 3M - 13
Jun 22 09:32:31 sogod [3763]: |SOGo| request took 0.145917 seconds to execute
Jun 22 09:32:31 sogod [3763]: 192.168.100.54, 193.48.252.35 "POST /SOGo/so/test/Mail/0/folderINBOX/view HTTP/1.1" 500 36/126 0.150 - - 3M - 13
[/code]
With SOGoXSRFValidationEnabled set to 'NO', everything is back, no more HTTP error code 500. |
|
|
|
Is the XSRF-TOKEN cookie properly sent by the server?
Is the x-xsrf-token header properly sent by the browser? Can you sniff the HTTP traffic on port 20000 (sogod) to make sure the header reaches SOGo? |
|
|
|
|
|
|
|
|
|
|
|
Below is the packet capture from the Sogo server, as it receives the packets from the reverse proxy. |
|
|
|
|
|
|
|
How about the x-xsrf-token header sent by the client? I don't see it in your packet capture. |
|
|
|
Putting the solution here as well: if you have enabled httpOnly for your cookies on Apache, you need to disable it for XSRF to work and not break Sogo.
Typically, I had to comment out the following line in my Apache configuration :
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Reference: https://github.com/angular/angular/issues/20511#issuecomment-473740783 |
|
|
|
Then I do get the X-XSRF-TOKEN header. I hope this helps others facing the same issue. |
|
|
|
Indeed, the CSRF token cookie must not have httpOnly flag, as it is intended to be read by the JavaScript by design. |
|
