403 Forbidden, CSRF verification failed. Referer checking failed, does not match trusted origins

Mark_O_Polo · March 19, 2019, 6:38pm

Greetings,

I could log in fine before I did the Let’s Encrypt SSL. Now I get to the log-in page which is encrypted (green padlock) but when I put in my admin name & password I end up at the 403 page.

The error message is 403 Forbidden, CSRF verification failed. Referer checking failed https://my.server.net/accounts/login/?next=/ does not match any trusted origins.

This is a new install: Debian 9. Seafile 6.3.4 CE, Nginx 1.10.3, MariaDB

I’m not new to Seafile but obviously I’m missing something,

My nginx config and seahub_settings.py are below:


server {
  listen 80;
  server_name my.server.net;

rewrite ^ https://$http_host$request_uri? permanent;

location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /opt/certbot-webroot;
}

}
server {
  listen 443;
  server_name my.server.net;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/my.server.net/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/my.server.net/privkey.pem;

  proxy_set_header X-Forwarded-For $remote_addr;

location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header Host $host:$server_port;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Host $server_name;
         proxy_read_timeout 1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log /var/log/nginx/seahub.access.log;
         error_log /var/log/nginx/seahub.error.log;
    }

  location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass http://127.0.0.1:8082;
    client_max_body_size 0;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 36000s;
    proxy_read_timeout 36000s;
    proxy_send_timeout 36000s;
  }

  location /media {
    root /opt/seafile/seafile-server-latest/seahub;
  }

  location /seafdav {
    fastcgi_pass 127.0.0.1:8080;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param HTTPS on;
    client_max_body_size 0;
    access_log /var/log/nginx/seafdav.access.log;
    error_log /var/log/nginx/seafdav.error.log;
  }
}

My seahub_settings.py


# -*- coding: utf-8 -*-
SECRET_KEY = "mysecretkey"

FILE_SERVER_ROOT = 'https://my.server.net/seafhttp'
SITE_BASE        = 'https://my.server.net'
DEBUG            = True



DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'seahub-db',
        'USER': 'seafile',
        'PASSWORD': 'myseafiledbpassword',
        'HOST': '127.0.0.1',
        'PORT': '3306'
    }
}

Any help would be appreciated.

Thanks,
Mark

bionade24 · March 20, 2019, 4:59pm

DUPLICATE
Please search through the forum for similar issues before starting a new thread.

Mark_O_Polo · March 20, 2019, 6:13pm

Already have.

Chrome Problem only, N/A, no answer provided, and my issue exists in all browsers

No custom port in my setup, N/A

Looked liked a potential solution, but “replace proxy_set_header Host $host:$server_port; with proxy_set_header Host $host; in nginx config”. did not provide a working solution, after inputting credentials end up at a white loading screen" with spinning orb. So it did make the error go away but not a usable fix. Maybe it’s a part of the solution, TBD

Have to change back to proxy_set_header Host $host:$server_port; to stop.

If I missed anything please let me know. Otherwise help, would be greatly appreciated!

Thanks,
Mark

hbau · March 20, 2019, 10:57pm

Hi All,

i upgraded my Docker install to latest (6.3.4) and since then i have the same CSRF Problem es described here in ths thread.
In my nginx conf i have proxy_set_header Host $host; automaticaly set, since i’m using the latest Docker image. But still i get the CSRF.
I searched the forum an google and try to place a
CSRF_TRUSTED_ORIGINS = ‘myserver’ in the seahub_settings.py. To no efect
The sugeted solution seafile issues 2118 to add the line
proxy_pass_header Set-Cookie; in the nginx config as well didn’t solve it…
By now I’m at a loss what else i could try.

Anny hints help from anybody here??
Thanx
HBAU

aley · February 19, 2020, 1:18pm

try with
CSRF_TRUSTED_ORIGINS = ['myserver.tld']

Daniel8192 · February 21, 2023, 10:00pm

I am late to this thread, but just experienced this problem. Running Apache as the box’s primary web server, then have Seafile running in Docker with NGINX using alternative ports 1080 and 8443.

I do have Apache do a redirect
RewriteRule ^ https://%{SERVER_NAME}:8443%{REQUEST_URI} [END,NE,R=permanent]

This particular grief was SOLVED by changing the NGINX virtual server file:

Added the alternative port to the proxy_set_header config.

server {
listen 1080;

snip/snip

server {
listen 8443 ssl;

snip/snip

location / {
    proxy_pass http://127.0.0.1:8000/;
    proxy_read_timeout 310s;

proxy_set_header Host $host:8443;

snip/snip

toka · November 23, 2023, 6:18pm

I had to use

CSRF_TRUSTED_ORIGINS = ['https://myserver.tld']

which seems to be needed by django 4.

leisefuxX · November 30, 2023, 5:04pm

stock seafile (docker) and nginx proxy manager here.

worked for me

tomservo · December 1, 2023, 6:29pm

CSRF_TRUSTED_ORIGINS worked for me too, but I would like some more details. Is this just a work-around that should be removed when this bug is fixed, or is this a new config option that should be set when deploying servers from now on?

daniel.pan · December 13, 2023, 2:23am

Please check our FAQ: Seafile FAQ & Known-Issues

In you modified the port mapping, the origin field in the HTTP header received by Django is http{s}://{ip_or_domain}:20080 and the host field in HTTP header is {ip_or_domain} without the custom port. This mismatch results in a CSRF error.

However, in the original HTTP request sent by the browser, the origin and host fields are both http{s}://{ip_or_domain}:20080 . The mismatch is caused by the wrong Nginx setting.

You can correct it by changing Nginx config to the following:

  location / {

        ...

        proxy_set_header Host $http_host;

        ....

The old one is proxy_set_header Host $host; , which does not pass the port part to Django.