New TYPO3 v10.4.8 installation on Azure Cloud. Setup:
Right after the installation process, when I log in to the TYPO3 backend (https://mydomain.to/typo3), I get the following error message:
Oops, an error occurred!
Invalid referrer for /main
The log file shows the following entry:
Sun, 13 Sep 2020 10:03:48 +0000 [CRITICAL] request="025e24a027590"
component="TYPO3.CMS.Core.Error.ProductionExceptionHandler": Core: Exception
handler (WEB): Uncaught TYPO3 Exception: #1588095936: Invalid referrer for /main
TYPO3\CMS\Core\Http\Security\InvalidReferrerException thrown in file
/var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/Security/
ReferrerEnforcer.php in line 104.
Requested URL: http://mydomain.to/typo3/index.php?route=%2Fmain&token=
--AnonymizedToken--&referrer-refresh=1599991429 - {"TYPO3_MODE":"BE","exception":
"TYPO3\\CMS\\Core\\Http\\Security\\InvalidReferrerException: Invalid referrer for
/main in /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/Security/ReferrerEnforcer.php:104\nStack trace:\n#0 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Http/
RouteDispatcher.php(104): TYPO3\\CMS\\Core\\Http\\Security\\ReferrerEnforcer->
handle(Array)\n
#1 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Http/RouteDispatcher.php(52): TYPO3\\CMS\\Backend\\Http\\RouteDispatcher->enforceReferrer(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#2 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Http/RequestHandler.php(94): TYPO3\\CMS\\Backend\\Http\\RouteDispatcher->dispatch(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#3 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/extbase/Classes/Middleware/SignalSlotDeprecator.php(49): TYPO3\\CMS\\Backend\\Http\\RequestHandler->handle(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#4 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/MiddlewareDispatcher.php(172): TYPO3\\CMS\\Extbase\\Middleware\\SignalSlotDeprecator->process(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest), Object(TYPO3\\CMS\\Backend\\Http\\RequestHandler))\n
#5 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Middleware/SiteResolver.php(69): class@anonymous->handle(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#6 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/MiddlewareDispatcher.php(172): TYPO3\\CMS\\Backend\\Middleware\\SiteResolver->process(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest), Object(class@anonymous))\n
#7 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Middleware/AdditionalResponseHeaders.php(41): class@anonymous->handle(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#8 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/MiddlewareDispatcher.php(172): TYPO3\\CMS\\Backend\\Middleware\\AdditionalResponseHeaders->process(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest), Object(class@anonymous))\n
#9 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Middleware/OutputCompression.php(47): class@anonymous->handle(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
#10 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/core/Classes/Http/MiddlewareDispatcher.php(172): TYPO3\\CMS\\Backend\\Middleware\\OutputCompression->process(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest), Object(class@anonymous))\n
#11 /var/www/typo3_sources/typo3_src-10.4.8/typo3/sysext/backend/Classes/Middleware/BackendUserAuthenticator.php(78): class@anonymous->handle(Object(TYPO3\\CMS\\Core\\Http\\ServerRequest))\n
[...]
The request arrives as HTTP at the server. I'd expect HTTPS. Could this be the problem?
I assume that if Cloudflare does the SSL termination you might need to configure TYPO3 with reverse proxy settings. See [SYS][reverseProxy*] in the install tool. This bug report has more details.
Another thing you can check: with TYPO3 10.4.2 a Same-Origin Request Forgery protection was introduced. Some proxy servers might remove the HTTP Referer header, which would make it necessary to deactivate this protection mechanism. This can be done by setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = false either using Install Tool's feature toggles or corresponding deployment techniques. See the Security Bulletin TYPO3-CORE-SA-2020-006 for details.
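The reverse proxy settings mentioned above, written out as an added example that is not part of the original thread or of TYPO3's own code. It assumes a proxy terminates TLS and forwards plain HTTP to TYPO3, that the file is typo3conf/AdditionalConfiguration.php, and that 192.0.2.10 (a documentation address used here as a placeholder) stands in for the proxy's real address.

```php
<?php
// typo3conf/AdditionalConfiguration.php
// Added example: lets TYPO3 recognise requests that reached the proxy over
// HTTPS, so the backend referrer check can stay enabled.

// Placeholder (assumption): the address(es) the proxy connects from, as a
// comma-separated list. Replace with the real value for your setup.
$proxyAddresses = '192.0.2.10';

// Forwarded headers are only trusted on requests whose REMOTE_ADDR
// matches this list. Keep it as narrow as possible.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyIP'] = $proxyAddresses;

// X-Forwarded-For may carry several addresses. With a single proxy hop
// (assumption), the last entry is the one the proxy itself appended;
// earlier entries are supplied by the client and can be forged.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxyHeaderMultiValue'] = 'last';

// Proxies listed here talk HTTPS to the browser and HTTP to TYPO3.
// Requests from them are treated as HTTPS by TYPO3.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['reverseProxySSL'] = $proxyAddresses;

// Weak setting, shown for comparison only: switching the check off removes
// the protection introduced with TYPO3-CORE-SA-2020-006.
// $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = false;

// Corrected setting: leave the referrer check enabled.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.backend.enforceReferrer'] = true;
```

After applying it, the "Requested URL" in new log entries should start with https:// if the proxy address matches.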