CMS POST requests going through internet - blocked by AWS WAF

Hi folks,

I created my first presentation website for a small project in AWS, specifically I’ve used this guide to deploy October CMS in AWS via Elastic Beanstalk.

All is fine, I have a small EC2 instance on which I have installed all my resources but I’ve encountered a small problem: in some cases, the requests from the CMS to the website are blocked by the WAF because the request is going through the internet towards my website (https://example.com/backend).

Some things I want to add contain HTML-embedded pictures, hence the AWS WAF thinks it’s dealing with an XSS (POST request).

Considering the CMS and the website are all hosted on the same machine, is it possible to make the CMS send the request to itself (some sort of localhost) directly, instead of making it use the internet?

Any help on this matter will be much appreciated!

Hey @johndls

I think you may need to be more specific here; in which cases are the requests going through the internet and getting blocked? Is it a server or client side request?

Hello,

If I log into the admin console and just add some text to a page on my website, post it, it works fine.

But if I want to embed a picture or use a hyperlink for parts of my text, the request is blocked: in October CMS the result is “403 Forbidden” and in the WAF I see the XSS rule is triggered.

It looks like the request is coming from my browser, from my computer, towards the CMS via the internet.

My expectations were that once I log into the CMS, the POST request between the CMS app and the actual website would stay locally, on the server I just connected.

Thanks, that is clearer now.

October CMS has an online editor, so it will publish raw HTML contents and this can be mistaken for XSS. The only solution really is to relax the rule, or disable the editor module.
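A narrower alternative to relaxing the XSS rule for the whole site, added here as an example and not something from the thread: keep AWSManagedRulesCommonRuleSet in place, set only its CrossSiteScripting_BODY rule to Count (so it labels matching requests instead of blocking them), then block on that label everywhere except under the CMS backend path. Assumptions: the block in the thread comes from the AWS managed Common rule set (the poster does not say which rule fired), the label key follows the documented core-rule-set namespace, and the backend lives under the /backend prefix; the two objects below belong in the Rules list of the web ACL.

```json
[
  {
    "Name": "CommonRuleSet-XssBodyCountOnly",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          { "Name": "CrossSiteScripting_BODY", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet" }
  },
  {
    "Name": "Block-XssBody-OutsideBackend",
    "Priority": 1,
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "UriPath": {} },
                  "PositionalConstraint": "STARTS_WITH",
                  "SearchString": "/backend",
                  "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "XssBodyOutsideBackend" }
  }
]
```

With this, HTML posted through the editor on /backend is still labelled (and visible in WAF logs and sampled requests), while the same payload aimed at any public path is still blocked; the backend itself then depends on the CMS login, so keep it restricted to the admin IP ranges or a VPN rather than open to the internet.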

Got it - so that’s why it’s behaving like that.

In that case: do you have any idea if it would be possible to access the online editor “locally”, from the EC2 instance private subnet?

For example: I RDP into an EC2 instance on the same subnet with the machine that’s hosting the CMS > open a browser > https://10.10.10.10/backend > then post my message?

This is likely because it is not getting passed through the proxy where the rule is.


Thanks for the help on this matter, really appreciate it. We’ll test and see if it works.