Invalid CSRF token provided

Hello Icinga-Community,

after upgrading our Icinga environment from Icinga IDO to Icinga DB we have an unusual error when executing some steps within Icinga Web. The error doesn't appear after every button or task, only in some scenarios. I also updated all modules and other Icinga-related software on the system.

First example:

  1. Go to director and search for a host and go to it
  2. Click on “delete”
  3. Error appears: Invalid CSRF token provided
    The strange thing is that deleting another host worked.

Second example:

  1. Go to Icinga Director Activity Log
  2. Click Deploy pending changes
  3. Error appears: Invalid CSRF token provided

Third example:

  1. Go to Overview and search for a specific host
  2. Set downtime and fill in the needed information
  3. Error:

Invalid CSRF token provided


#0 [internal function]: Icinga\Module\Icingadb\Forms\Command\CommandForm->ipl\Web\Common{closure}()
#1 /usr/share/icinga-php/ipl/vendor/ipl/validator/src/CallbackValidator.php(43): call_user_func()
#2 /usr/share/icinga-php/ipl/vendor/ipl/validator/src/ValidatorChain.php(269): ipl\Validator\CallbackValidator->isValid()
#3 /usr/share/icinga-php/ipl/vendor/ipl/html/src/FormElement/BaseFormElement.php(273): ipl\Validator\ValidatorChain->isValid()
#4 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(322): ipl\Html\FormElement\BaseFormElement->validate()
#5 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(303): ipl\Html\Form->validate()
#6 /usr/share/icinga-php/ipl/vendor/ipl/html/src/Form.php(235): ipl\Html\Form->isValid()
#7 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Common/CommandActions.php(195): ipl\Html\Form->handleRequest()
#8 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Common/CommandActions.php(162): Icinga\Module\Icingadb\Controllers\HostController->handleWebRequest()
#9 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Common/CommandActions.php(283): Icinga\Module\Icingadb\Controllers\HostController->handleCommandForm()
#10 /usr/share/icingaweb2/modules/icingadb/library/Icingadb/Web/Controller.php(468): Icinga\Module\Icingadb\Controllers\HostController->scheduleDowntimeAction()
#11 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Icinga\Module\Icingadb\Web\Controller->dispatch()
#12 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch()
#13 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#14 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#15 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#16 {main}

Also in this case it is really weird that other hosts can be deleted as normal, or that if we search for the same host with the global search bar rather than within the Overview tab, sometimes it works. So sometimes it works with specific steps and sometimes not.

  • Icinga Web 2 version
    2.12.2
  • Used modules and their versions (System - About)

    | Module          | Version |
    |-----------------|---------|
    | businessprocess | 2.5.1   |
    | director        | 1.11.2  |
    | fileshipper     | 1.2.0   |
    | generictts      | 2.1.0   |
    | grafana         | 2.0.3   |
    | icingadb        | 1.1.3   |
    | idoreports      | 0.10.1  |
    | incubator       | 0.22.0  |
    | pdfexport       | 0.11.0  |
    | reporting       | 1.0.2   |
    | setup           | 2.12.2  |
    | toplevelview    | 0.4.0   |

  • Web browser used
    Google Chrome
  • Icinga 2 version used (icinga2 --version)
    r2.14.3-1
  • PHP version used (php --version)
    PHP 8.3.14
  • Server operating system and version
    Red Hat Enterprise Linux release 8.10

Looks like this: Invalid CSRF token provided : Import source modifiers form · Issue #2935 · Icinga/icingaweb2-module-director · GitHub

There are no database migrations for 1.11.2 so you can go back to 1.11.1.

Hi,
thank you very much for the hint and the information. Unfortunately going back with the Icinga Director didn't solve our problems. We also get the same error as described above when setting a downtime in a specific way, so I think the error must be somewhere else, deeper, and it's not just the Director module. I guess the cause of the error must be somewhere within Icinga Web, the webserver or PHP.

I did some more testing and it's really weird. For example, I did the following steps 10 times one after the other, and 5 times it didn't result in an error and 5 times it did, so it's just luck:

  1. Go to a specific host in icinga web (not director)
  2. Click on Downtime and just fill in the comment “test”

And if we are not lucky enough the following error appears:

I did some more testing and found out that if I disable the icingadb module and enable the old monitoring module again, everything within the Director works as normal.

After several hours I actually found the cause of our problems.
We made some changes to the "icingaweb2.conf" in the Apache webserver directory to get SSO running for our Icinga server. For some reason (I guess security improvements) this config was not running really well with IcingaDB and sometimes resulted in these CSRF errors.
I changed the RequireAny configuration from this:

    <RequireAny>

        # Bypass Kerberos for any REST-API request
        Require expr %{HTTP_ACCEPT} == "application/json"

        # Bypass Kerberos for the API-key based Director Self Service API
        Require expr %{REQUEST_URI} =~ m#^/icingaweb2/director/self-service/.*#

        # All other Requests need to be authorized
        Require valid-user

    </RequireAny>

to this:

    <RequireAny>

        <RequireAll>
            # Bypass Kerberos for any REST-API request
            Require expr %{HTTP_ACCEPT} == "application/json"

            # Bypass Kerberos for the API-key based Director Self Service API
            Require expr %{THE_REQUEST} =~ m#.*?\s+\/icingaweb2/director.*?#
        </RequireAll>

        # All other Requests need to be authorized
        Require valid-user

    </RequireAny>
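To make the difference between the two RequireAny blocks visible, here is a small model of how Apache evaluates them, written as an added example for this thread (it is not the poster's config or Apache's own authorization code). It reproduces the Apache rules in Python: `RequireAny` grants if any child grants, `RequireAll` only if every child grants, `==` in `Require expr` is an exact string comparison, and `m#...#` is a regex. The `Request` class, its field names and the sample requests are constructed for the example; `valid_user` stands in for "Kerberos produced an authenticated user". The point it shows is which requests reach Icinga Web without a Kerberos user under each version: the original block lets through any request whose Accept header is exactly `application/json`, regardless of path, whereas the rewritten block only does so for Director paths.

```python
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Request:
    """Minimal model of the Apache variables the two configs consult (constructed for this example)."""
    method: str
    uri: str            # %{REQUEST_URI}
    accept: str         # %{HTTP_ACCEPT}, the raw Accept header value
    valid_user: bool    # True when Kerberos/SSO yielded an authenticated user

    @property
    def the_request(self) -> str:
        # %{THE_REQUEST} is the raw request line: "METHOD URI HTTP/x.y"
        return f"{self.method} {self.uri} HTTP/1.1"


Rule = Callable[[Request], bool]


# Require expr %{HTTP_ACCEPT} == "application/json"  (exact string comparison in ap_expr)
def accept_is_json(r: Request) -> bool:
    return r.accept == "application/json"


# Require expr %{REQUEST_URI} =~ m#^/icingaweb2/director/self-service/.*#
def uri_is_self_service(r: Request) -> bool:
    return re.match(r"^/icingaweb2/director/self-service/.*", r.uri) is not None


# Require expr %{THE_REQUEST} =~ m#.*?\s+\/icingaweb2/director.*?#
def request_line_hits_director(r: Request) -> bool:
    return re.search(r".*?\s+/icingaweb2/director.*?", r.the_request) is not None


# Require valid-user
def valid_user(r: Request) -> bool:
    return r.valid_user


def require_any(*rules: Rule) -> Rule:
    """<RequireAny>: access is granted if at least one child directive grants it."""
    return lambda r: any(rule(r) for rule in rules)


def require_all(*rules: Rule) -> Rule:
    """<RequireAll>: access is granted only if every child directive grants it."""
    return lambda r: all(rule(r) for rule in rules)


# The original block from the thread: three independent ways to get in.
BEFORE = require_any(accept_is_json, uri_is_self_service, valid_user)

# The rewritten block: the JSON bypass now also needs a Director request line.
AFTER = require_any(require_all(accept_is_json, request_line_hits_director), valid_user)


def anonymous_paths(policy: Rule, requests: List[Request]) -> List[str]:
    """URIs that the policy lets through *without* an authenticated user."""
    return [r.uri for r in requests if not r.valid_user and policy(r)]


# Constructed sample traffic: a Self Service call, an Icinga DB command form
# submission sent as JSON, and a normal browser request with and without SSO.
SAMPLE = [
    Request("POST", "/icingaweb2/director/self-service/register-host", "application/json", False),
    Request("POST", "/icingaweb2/icingadb/host/schedule-downtime", "application/json", False),
    Request("GET", "/icingaweb2/director/host/delete", "text/html", False),
    Request("GET", "/icingaweb2/director/host/delete", "text/html", True),
]


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: reachable without a Kerberos user -> {anonymous_paths(policy, SAMPLE)}")
```

Running it prints that the `before` policy admits both the Self Service call and the Icinga DB downtime request anonymously, while `after` admits only the Director request; the browser requests need `valid-user` under both. When auditing a bypass like this, the questions to ask are exactly the ones the model makes explicit: which header or path unlocks the bypass, whether a client can set that value freely (the Accept header is entirely client-controlled), and whether the path condition is anchored tightly enough (`m#^/...#` anchors at the start of the URI, the `THE_REQUEST` variant only requires whitespace before `/icingaweb2/director`).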