Incorrect origin error 404

stonebreaker · November 20, 2018, 7:26am

Site was up and working normally, then after a password reset and entering a new password, I see a 404 page:

Request made from incorrect origin. Expected ‘htp://info.blog.mydomain.com’ received ‘’.

nginx error log shows:
2018/11/20 07:10:11 [error] 31818#31818: *26 connect() failed (111: Connection refused) while connecting to upstream, client: 113.113.203.212, server: info.blog.mydomain.com, request: “GET /favicon.ico HTTP/1.1”, upstream: “htp://127.0.0.1:2368/favicon.ico”, host: “info.blog.mydomain.com”, referrer: “”

nginx access log shows:
113.113.203.212 - - [20/Nov/2018:07:10:10 +0000] “GET /ghost/ HTTP/1.1” 502 584 “” “Mozilla/4.0 (compatible; MSIE 999.1; Unknown)”

ghost log shows:

level: normal

empty
empty
ERROR DETAILS:
empty

BadRequestError: Request made from incorrect origin. Expected ‘htp://info.blog.nopsema.gov.au’ received ‘’.
at new BadRequestError (/var/www/ghost/versions/2.6.0/node_modules/ghost-ignition/lib/errors/index.js:94:23)
at cookieCsrfProtection (/var/www/ghost/versions/2.6.0/core/server/services/auth/session/middleware.js:112:21)
at Layer.handle [as handle_request] (/var/www/ghost/versions/2.6.0/node_modules/express/lib/router/layer.js:95:5)
at next (/var/www/ghost/versions/2.6.0/node_modules/express/lib/router/route.js:137:13)
at /var/www/ghost/versions/2.6.0/node_modules/express-session/index.js:489:7
at Child.SessionModel.findOne.then (/var/www/ghost/versions/2.6.0/core/server/services/auth/session/store.js:26:17)
at Child.tryCatcher (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/util.js:16:23)
at Promise._settlePromiseFromHandler (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:512:31)
at Promise._settlePromise (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:569:18)
at Promise._settlePromise0 (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:614:10)
at Promise._settlePromises (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/promise.js:694:18)
at _drainQueueStep (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:138:12)
at _drainQueue (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:131:9)
at Async._drainQueues (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:147:5)
at Immediate.Async.drainQueues [as _onImmediate] (/var/www/ghost/versions/2.6.0/node_modules/bluebird/js/release/async.js:17:14)
at runCallback (timers.js:810:20)

Looks like nginx is not passing an origin parameter through to ghost. The nginx site conf is:

server {
listen 80;
listen [::]:80;

server_name info.blog.nopsema.gov.au;
root /var/www/ghost/system/nginx-root;

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:2368;

}

location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;

}
~

Any clues?

egg · November 20, 2018, 7:41am

Hey o/

Do you see the Origin or Referer header being sent by the browser for this request? Nginx logs look like the Referer header is blank

stonebreaker · November 20, 2018, 7:47am

Crucial detail I omitted - auth working fine on the public interweb, only fails on our corporate devices/network.

HOST is set, but I notice Chrome is saying:
Referrer Policy: no-referrer-when-downgrade

That’s a corporate policy which will be difficult to change. What’s my chances of a work-around?

stonebreaker · November 20, 2018, 8:01am

Tried setting ```
add_header ‘Referrer-Policy’ ‘origin’;

in nginx conf file.  No dice.

egg · November 20, 2018, 8:06am

This only affects the Referer header if you get redirected from https → http, it’s also the default policy AFAIK so that shouldn’t cause an issue.

Are you being redirected from a https to http url?

stonebreaker · November 20, 2018, 8:53am

I’ve set up SSL and that has done the trick.

Now to redirect HTTP and we’re home in time for tea.

Important: This message and any attachments is intended for the use of the addressee only and may contain confidential, sensitive personal or legally privileged information. If you are not the intended recipient you must not read, disseminate or retain the message or any part of it, and inform the sender immediately. NOPSEMA does not guarantee that this message is secure, error-free or free of viruses or other undesirable inclusions.

Please consider the environment before printing this email

egg · November 21, 2018, 6:02am

Nice! Glad you got it sorted

system · December 5, 2018, 6:02am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ERR_TOO_MANY_REDIRECTS but only god knows why Installation	9	912	September 21, 2022
Error 521 but working through IP Developer help	3	1056	June 24, 2019
Connection refused upstream Installation	1	1028	February 11, 2021
Successful Installation leads to nginx default page Developer help	2	807	October 27, 2019
404 after updating from 1.24.6 to 1.25.5 (prior 2.0) Installation	4	740	October 11, 2018

Incorrect origin error 404

Related Topics