Nonce check fail using reverse proxy
I set up a server on a non-standard port that is receiving requests from a reverse proxy. This setting is causing the bbp nonce check to fail.
This is the function bbp_verify_nonce_request in bbp-common-functions.php.
I’m not a PHP programmer, but it looks like this is caused by
if ( empty( $result ) || empty( $action ) || ( strpos( $requested_url, $home_url ) !== 0 ) )
Here the system tries to compare requested_url and home_url; however, these are not identical in a reverse proxy setting, because the request is going to the internal server, while home_url contains the URL of the external web server.
Does this make sense?
To verify the theory I just removed the comparison of the URLs like this:
if ( empty( $result ) || empty( $action ) )
Now it works, but I hope that I did not open a security issue.
Can I kindly ask for advice on how to better set the system to avoid the issue?
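An added example, not part of the original post and not bbPress code: it models the quoted prefix comparison, shows why it fails behind a reverse proxy, and keeps the comparison by rebuilding the requested URL from forwarded headers only when the connection comes from a known proxy. All function names, addresses and hostnames are constructed, and the assumption is that the backend builds the requested URL from scheme, Host header and request URI and that the proxy sets X-Forwarded-Host and X-Forwarded-Proto.

```php
<?php
// Added illustration; function names and sample values are constructed, not bbPress code.

// Models the prefix check quoted in the post: the requested URL must start with the home URL.
function url_check_passes(string $requested_url, string $home_url): bool {
    return strpos(strtolower($requested_url), strtolower($home_url)) === 0;
}

// Rebuild the requested URL from what the backend sees (assumption: scheme + Host header + URI).
function requested_url_naive(array $server): string {
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https://' : 'http://';
    return $scheme . $server['HTTP_HOST'] . $server['REQUEST_URI'];
}

// Hardened variant: honour X-Forwarded-* only when the TCP peer is a known proxy,
// and only when the forwarded values are syntactically valid.
function requested_url_proxy_aware(array $server, array $trusted_proxies): string {
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trusted_proxies, true)) {
        return requested_url_naive($server);   // direct client: ignore spoofable headers
    }
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    $host  = $server['HTTP_X_FORWARDED_HOST'] ?? '';
    if (!in_array($proto, ['http', 'https'], true)
        || !preg_match('/^[a-z0-9.-]+(:\d{1,5})?$/i', $host)) {
        return requested_url_naive($server);   // malformed forwarded values: fall back
    }
    return $proto . '://' . $host . $server['REQUEST_URI'];
}

$home_url = 'https://forum.example.org';       // constructed public URL
$proxy_ip = '10.0.0.5';                        // constructed reverse-proxy address

// Constructed request as the backend on port 8080 sees it after proxying.
$proxied = [
    'REMOTE_ADDR' => $proxy_ip, 'HTTP_HOST' => '10.0.0.20:8080',
    'REQUEST_URI' => '/forums/topic/x/?_wpnonce=abc',
    'HTTP_X_FORWARDED_HOST' => 'forum.example.org', 'HTTP_X_FORWARDED_PROTO' => 'https',
];
// Constructed request from an untrusted peer that sets the same headers itself.
$spoofed = ['REMOTE_ADDR' => '203.0.113.9'] + $proxied;

// Naive URL behind the proxy, proxy-aware URL, and proxy-aware URL for the untrusted peer.
var_dump(url_check_passes(requested_url_naive($proxied), $home_url));
var_dump(url_check_passes(requested_url_proxy_aware($proxied, [$proxy_ip]), $home_url));
var_dump(url_check_passes(requested_url_proxy_aware($spoofed, [$proxy_ip]), $home_url));
```

Only the second call passes the check: the naive URL carries the internal host and port, and the third request comes from an address outside the trusted proxy list, so its forwarded headers are ignored.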