Geoserver 2.15.3/2.16.0 wicket tabs give status 400 – Bad Request Origin does not correspond to request

Description

I upgraded our Docker based geoserver installation from Geoserver 2.15.2 to 2.16.0 or 2.15.3.
All starts fine.
When accessing the StatusPage switching to Modules gives
HTTP Status 400 – Bad Request - "Origin does not correspond to request"
The url of the modules tab is:
/geoserver/web/wicket/bookmarkable/org.geoserver.web.admin.StatusPage?4-1.IBehaviorListener.0-tabs-tabs~container-tabs-1-link&_=1569935811364

We are behind a reverse proxy and configured the proxy url in the global settings.
Acessing the geoserver instance without reverse proxy gives no error and shows the modules tab.

Same problem occurs on other tabs e.g. in the styles page.

Adding csrf whitelist was no solution
<context-param>
<param-name>GEOSERVER_CSRF_WHITELIST</param-name>
<param-value>geodaten.metropoleruhr.de</param-value>
</context-param>

Environment

Docker tomcat:9-jre11

Status

Assignee

Ian Turton

Reporter

Stefan Overkamp

Triage

None

Fix versions

None

Affects versions

2.15.3
2.16.0

Priority

High
Configure