
Gophish does not handle traffic when configured for high availability #1820

Closed
eviert opened this issue Apr 23, 2020 · 2 comments

Comments


eviert commented Apr 23, 2020


What version of Gophish are you using?: 0.9.0

Brief description of the issue: When placing Gophish on a containerized system with 2 containers and a load balancer, Gophish is unable to maintain a session connection. Gophish will generate an invalid CSRF error or return you to the login page even though you have a valid cookie.

What are you expecting to see happen?: Gophish maintains the connection regardless of which container is serving up the information.

What are you seeing happen?: Gophish generates an invalid CSRF error and/or returns you to login even though you have a valid session.

Please provide any terminal output that may be relevant below:

N/A

Please provide as many steps as you can to reproduce the problem:

  • Step 1 - Install Gophish in a container or server
  • Step 2 - configure the admin interface for TLS
  • Step 3 - Create multiple instances of Gophish (pods or individual servers)
  • Step 4 - Create a Target group with the pods or servers
  • Step 5 - Create a load balancer that points to the target group
  • Step 6 - Begin sending traffic to Gophish via the load balancer
  • Step 7 - Gophish will generate an invalid CSRF error or redirect to login page
  • Step 8 - Reduce the number of servers to 1, issue goes away

Does this imply that Gophish is a stateful service?

@jordan-wright
Collaborator

Hey @eviert,

Thanks for the report. This behavior was expected, since each instance of Gophish would have generated its own CSRF key on initialization.

Since supporting H/A use cases is something that I want to cover with Gophish, I've added a configuration value called csrf_key that you can add to the admin_server section of the config.

You can generate a sample CSRF key using something like python -c 'import secrets; print(secrets.token_hex(32))'.

I hope this helps!
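To make the failure mode above concrete, here is an added example (not Gophish's own code, and not gorilla/csrf) that models two backends behind a load balancer: each instance signs CSRF tokens with an HMAC under its own key, so a token issued by one instance fails verification on the other unless both are started with the same key, which is the role the csrf_key setting plays. The HMAC-over-session-id construction is a constructed simplification for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// instance models one Gophish-like process holding the key it signs CSRF
// tokens with (a constructed simplification, not gorilla/csrf itself).
type instance struct{ csrfKey []byte }

// newInstance mirrors the two deployment modes: sharedKey == nil reproduces
// the default where each process draws its own random key at startup;
// a non-nil sharedKey plays the role of the csrf_key config value.
func newInstance(sharedKey []byte) *instance {
	if sharedKey != nil {
		return &instance{csrfKey: sharedKey}
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return &instance{csrfKey: k}
}

// issueToken binds a CSRF token to the caller's session id via HMAC-SHA256
// under this instance's key.
func (in *instance) issueToken(sessionID string) string {
	mac := hmac.New(sha256.New, in.csrfKey)
	mac.Write([]byte(sessionID))
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyToken recomputes the HMAC and compares in constant time.
func (in *instance) verifyToken(sessionID, token string) bool {
	return hmac.Equal([]byte(in.issueToken(sessionID)), []byte(token))
}

// crossInstanceOK reports whether a token issued by a is accepted by b, i.e.
// what happens when the load balancer sends the form GET to one backend
// and the following POST to another.
func crossInstanceOK(a, b *instance, sessionID string) bool {
	return b.verifyToken(sessionID, a.issueToken(sessionID))
}
```

The model covers only the CSRF key; it says nothing about how session cookies are validated, so it does not by itself explain a redirect to the login page.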

eviert commented Sep 23, 2020

Hi @jordan-wright,

Got to trying the csrf_key value and testing to see if the error goes away. After testing, the issue persists. I configured the csrf_token value, generating the value using python3 per the recommendation provided. The pattern is as follows:

  1. created multiple pods
  2. Added them to target group
  3. Try to sign in
  4. Server returns to the login page
  5. Sign in again, server returns to sign-in page
  6. Several attempts later, I receive an invalid CSRF token error
  7. Process repeats

Any thoughts on what might be causing the issue even after adding the csrf_key value?

Thanks!
