In some configurations of CData Arc, such as when hosting CData Arc behind a reverse proxy or Nginx proxy, a login sequence that takes place outside of the local network is unsuccessful, resulting in a 403 Forbidden error. Direct authentication to CData Arc is possible locally.
Arc performs a CSRF (cross-site request forgery) security check that matches the Host and Referer headers in the request to ensure that the user logging into the application is valid, and the login can fail if the host header in the authenticated request is changed.
If you are hosting CData Arc on the embedded Jetty webserver provided with CData Arc, the application can include a special instruction in the arc.properties file to ensure that requests forwarded by Arc include the originating Host header:
cdata.http.proxyMode = true
If you are using a webserver other than the embedded webserver provided with Arc, you will need to make sure that the proxy maintains the Host header when forwarding requests to the application if you wish to login from outside of the proxy.
