Incorrect origin error 404


#1

Site was up and working normally, then after a password reset and entering a new password, I see a 404 page:

Request made from incorrect origin. Expected ‘htp://info.blog.mydomain.com’ received ‘’.

nginx error log shows:
2018/11/20 07:10:11 [error] 31818#31818: *26 connect() failed (111: Connection refused) while connecting to upstream, client: 113.113.203.212, server: info.blog.mydomain.com, request: “GET /favicon.ico HTTP/1.1”, upstream: “htp://127.0.0.1:2368/favicon.ico”, host: “info.blog.mydomain.com”, referrer: “”

nginx access log shows:
113.113.203.212 - - [20/Nov/2018:07:10:10 +0000] “GET /ghost/ HTTP/1.1” 502 584 “” “Mozilla/4.0 (compatible; MSIE 999.1; Unknown)”

ghost log shows:

level: normal

empty
empty
ERROR DETAILS:
empty

BadRequestError: Request made from incorrect origin. Expected ‘htp://info.blog.nopsema.gov.au’ received ‘’.
at new BadRequestError (/var/www/ghost/versions/2.6.0/node_modules/ghost-ignition/lib/errors/index.js:94:23)
at cookieCsrfProtection (/var/www/ghost/versions/2.6.0/core/server/services/auth/session/middleware.js:112:21)
at Layer.handle [as handle_request] (/var/www/ghost/versions/2.6.0/node_modules/express/lib/router/layer.js:95:5)
at next (/var/www/ghost/versions/2.6.0/node_modules/express/lib/router/route.js:137:13)
at /var/www/ghost/versions/2.6.0/node_modules/express-session/index.js:489:7
at Child.SessionModel.findOne.then (/var/www/ghost/versions/2.6.0/core/server/services/auth/session/store.js:26:17)
at Child.tryCatcher (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:512:31)
at Promise._settlePromise (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:569:18)
at Promise._settlePromise0 (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:614:10)
at Promise._settlePromises (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:694:18)
at _drainQueueStep (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:138:12)
at _drainQueue (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:131:9)
at Async._drainQueues (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:147:5)
at Immediate.Async.drainQueues [as _onImmediate] (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:17:14)
at runCallback (timers.js:810:20)

Looks like nginx is not passing an origin parameter through to ghost. The nginx site conf is:

server {
listen 80;
listen [::]:80;

server_name info.blog.nopsema.gov.au;
root /var/www/ghost/system/nginx-root;

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:2368;

}

location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;

}
~

Any clues?


#2

Hey o/

Do you see the Origin or Referer header being sent by the browser for this request? Nginx logs look like the Referer header is blank :confused:


#3

Crucial detail I omitted - auth working fine on the public interweb, only fails on our corporate devices/network.

HOST is set, but I notice Chrome is saying:
Referrer Policy: no-referrer-when-downgrade

That’s a corporate policy which will be difficult to change. What’s my chances of a work-around?


#4

Tried setting ```
add_header ‘Referrer-Policy’ ‘origin’;

in nginx conf file.  No dice.

#5

This only affects the Referer header if you get redirected from https -> http, it’s also the default policy AFAIK so that shouldn’t cause an issue.

Are you being redirected from a https to http url?


#6

I’ve set up SSL and that has done the trick.

Now to redirect HTTP and we’re home in time for tea. :slight_smile:

Important: This message and any attachments is intended for the use of the addressee only and may contain confidential, sensitive personal or legally privileged information. If you are not the intended recipient you must not read, disseminate or retain the message or any part of it, and inform the sender immediately. NOPSEMA does not guarantee that this message is secure, error-free or free of viruses or other undesirable inclusions.

Please consider the environment before printing this email


#7

Nice! Glad you got it sorted :relaxed:


#8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.