GeoServer behind proxy returning 403

Geographic Information Systems Asked by user255480 on October 16, 2020

I’m running GeoServer 2.17.1 behind a proxy that handles the TLS termination and sends the HTTP traffic to GeoServer.

The issue is that when I access the web admin interface through HTTPS, I can’t make any change that involves a form, as I get an HTTP 403 response. But doing the same through plain HTTP, the requests return OK.

My first thought was that it had to be an issue with the Origin now being https://mydomain.com instead of http://mydomain.com, and I also found this link in the documentation about CSRF Protection and issues with proxies.

Adding the environment variable GEOSERVER_CSRF_WHITELIST that it mentions solved this issue.

But now I wanted to add a CORS policy, so I added

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,OPTIONS</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Origin,Access-Control-Request-Method,Content-Type,X-Requested-With,Accept,Access-Control-Request-Headers</param-value>
    </init-param>
</filter>


<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

to /usr/local/tomcat/conf/web.xml. The CORS filter worked, but once it was added, the issue with the forms receiving a 403 returned.

I’ve been testing this, but it seems that these two configurations conflict with each other, as they work separately but not in tandem.

I’ve also tried another GeoServer version (2.16.4), but the issue remains.

Can anyone help me understand why this might be happening? I would like to enable HTTP -> HTTPS redirection, but this issue is preventing me from doing that.


Edit:
Adding logs:

Logs for the configuration with CORS in /usr/local/tomcat/conf/web.xml
and the env variable

Logs for the config with only the env variable

And the Tomcat access log that shows the 403 when trying to add a new workspace:

[...]
172.20.0.5 - - [06/Aug/2020:08:12:19 +0000] "GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.data.workspace.WorkspaceNewPage HTTP/1.0" 302 -
172.20.0.5 - - [06/Aug/2020:08:12:19 +0000] "GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.data.workspace.WorkspaceNewPage?6 HTTP/1.0" 200 4970
172.20.0.5 - - [06/Aug/2020:08:12:20 +0000] "POST /geoserver/web/wicket/bookmarkable/org.geoserver.web.data.workspace.WorkspaceNewPage?6-1.IFormSubmitListener-form HTTP/1.0" 403 -
172.20.0.5 - - [06/Aug/2020:08:12:22 +0000] "GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.data.workspace.WorkspaceNewPage?6 HTTP/1.0" 200 4970

To summarize, I want to enable CORS and use the web admin interface through HTTPS. For this I tried different configs:

  • Only setting the env variable GEOSERVER_CSRF_WHITELIST with my domain (the web admin works)
  • Only adding the CORS config in the Tomcat root conf /usr/local/tomcat/conf/web.xml (works and sends the Allow-Origin headers)
  • Setting the env variable and the CORS config (only CORS works; the web admin doesn’t and receives a 403)
  • CORS config in the webapp geoserver dir /usr/local/tomcat/webapps/geoserver/WEB-INF/web.xml (doesn’t work, and I can’t log in as I get a 403)
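
The following is an added example, not part of the original question and not Tomcat's or GeoServer's code: a simplified Python model of how a servlet CORS filter classifies requests, using the allowed origins and methods from the web.xml above. It assumes the filter decides "same origin" from the scheme, host and port the container itself sees, and that the TLS-terminating proxy does not pass the original scheme on; the function names and the backend host/port values are constructed for the example.

```python
from urllib.parse import urlsplit

# Values taken from the web.xml in the question.
ALLOWED_ORIGINS = {"*"}
ALLOWED_METHODS = {"GET", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_local_origin(origin, scheme, host, port):
    """Compare Origin with the scheme/host/port the container itself sees."""
    o = urlsplit(origin)
    o_port = o.port or DEFAULT_PORTS.get(o.scheme.lower())
    return (o.scheme.lower(), (o.hostname or "").lower(), o_port) == (
        scheme.lower(), host.lower(), port)


def cors_filter_status(method, origin, scheme, host, port):
    """Return 403 if the modelled filter rejects the request, else None."""
    if origin is None or is_local_origin(origin, scheme, host, port):
        return None  # not treated as CORS: passed down the chain untouched
    if "*" not in ALLOWED_ORIGINS and origin not in ALLOWED_ORIGINS:
        return 403   # origin not allowed
    if method.upper() not in ALLOWED_METHODS:
        return 403   # cross-origin request with a method outside the list
    return None


# Constructed scenarios; mydomain.com is the placeholder used in the question.
SCENARIOS = {
    "form POST via HTTPS, backend sees http":
        ("POST", "https://mydomain.com", "http", "mydomain.com", 80),
    "form POST via plain HTTP":
        ("POST", "http://mydomain.com", "http", "mydomain.com", 80),
    "GET via HTTPS, backend sees http":
        ("GET", "https://mydomain.com", "http", "mydomain.com", 80),
    "form POST via HTTPS, backend told scheme is https":
        ("POST", "https://mydomain.com", "https", "mydomain.com", 443),
}


def run_scenarios():
    return {name: cors_filter_status(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status or 'passed on'}")
```

In this model only the form POST that arrives with an https Origin while the backend sees http is rejected, which is consistent with the 403 on the POST line in the access log above.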
