Cannot get rid of 403 csrf verification failed on 11.0.6

hi all,

I have read all the forum posts and fixed regarding the csrf error on seafile CE 11 but somehow none of the fixes helped getting rid of the issue. I still get the error whenever I try to login into the web interface. Any help is much appreciated. My configs are below. I am running the docker installation behind a dockerized nginx reverse proxy

seahub_settings.py:

# -*- coding: utf-8 -*-
SECRET_KEY = "secret"

FILE_SERVER_ROOT = "https://seafile.mydomain.com/seafhttp"
LOGIN_ATTEMPT_LIMIT = 3
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = ['https://seafile.mydomain.com']
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'seahub_db',
        'USER': 'seafile',
        'PASSWORD': 'password',
        'HOST': 'seafile-db',
        'PORT': '3306'
    }
}



ENABLE_THUMBNAIL = True

SITE_NAME = 'Seafile Server'
SITE_TITLE = 'Seafile'
TIME_ZONE = 'Europe/Berlin'

EMAIL_USE_SSL= True
EMAIL_HOST = 'smtp.mail.com'
EMAIL_HOST_USER = 'mail@mydomain.com'
EMAIL_HOST_PASSWORD = 'password'
EMAIL_PORT = 465
DEFAULT_FROM_EMAIL = 'webmaster+seafile@mydomain.com'
SERVER_EMAIL = 'webmaster+seafile@mydomain.com'

# enable webdav secrets
ENABLE_WEBDAV_SECRET = True

# Preview file settings
TEXT_PREVIEW_EXT = """ac, am, bat, c, cc, cmake, cpp, cs, css, csv, diff, el, h, html, htm, java, js, json, less, make, org, php, pl, properties, py, rb, scala, script, sh, sql, txt, text, tex, vi, vim, xhtml, xml, log, groovy, rst, patch, go"""

# Enable Only Office
ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True
ONLYOFFICE_JWT_SECRET = 'myjwtsecret'
ONLYOFFICE_APIJS_URL = 'https://seafile.mydomain.com/ds-vpath/web-apps/apps/api/documents/api.js'
ONLYOFFICE_FILE_EXTENSION = ('doc', 'docx', 'ppt', 'pptx', 'xls', 'xlsx', 'odt', 'fodt', 'odp', 'fodp', 'ods', 'fods')
ONLYOFFICE_EDIT_FILE_EXTENSION = ('docx', 'pptx', 'xlsx')
SERVICE_URL = 'https://seafile.mydomain.com'

nginx site conf:

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

# for notification server
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

server {
        listen       80;
        server_name  seafile.mydomain.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # Forced redirect from HTTP to HTTPS
        server_tokens off;
}


# main server section
server {

  server_name seafile.mydomain.com www.seafile.mydomain.com;
  listen 443 ssl;
  http2 on;
  server_tokens off;
  include /etc/nginx/ssl.conf; # set ssl parameters
  include /etc/nginx/default_headers.conf;

  proxy_cookie_path / "/; Secure; SameSite=strict"; # HTTPOnly removed due to incompatibility

  location / {

    resolver 127.0.0.11 valid=10s ipv6=off;
    set $seafile http://seafile-server:80;

    proxy_pass $seafile;
    proxy_set_header   Host $http_host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;
    proxy_read_timeout 1200s;
    proxy_set_header   X-Forwarded-Proto https;
    proxy_request_buffering off;

    # used for view/edit office file via Office Online Server
    client_max_body_size 0;

    access_log      /var/log/nginx/seahub.access.log seafileformat;
    error_log       /var/log/nginx/seahub.error.log;
  }

    location /dav {

    resolver 127.0.0.11 valid=10s ipv6=off;
    proxy_pass http://seafile-server/dav;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_read_timeout 1200s;
    proxy_request_buffering off;
    client_max_body_size 0;

   # webdav move issue fix:
    proxy_set_header Destination "http:$nossl_destination";

    access_log /var/log/nginx/seadav.access.log seafileformat;
    error_log /var/log/nginx/seadav.error.log;
    }

    location /notification/ping {
        proxy_pass http://seafile-server:8083/ping;
        access_log      /var/log/nginx/seafile-notif.access.log;
        error_log       /var/log/nginx/seafile-notif.error.log;
    }

    location /notification {
        proxy_pass http://seafile-server:8083/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        access_log      /var/log/nginx/seafile-notif.access.log;
        error_log       /var/log/nginx/seafile-notif.error.log;
    }

  location /ds-vpath/ {
    resolver 127.0.0.11 valid=10s ipv6=off;
    set $onlyoffice http://seafile-documentserver:80;
    rewrite ^/ds-vpath/(.*) /$1 break;

    proxy_pass $onlyoffice;
    add_header X-Frame-Options SAMEORIGIN;
    client_max_body_size 500M; # Limit Document size to 100MB
    proxy_read_timeout 3600s;
    proxy_connect_timeout 3600s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;ยด
    proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
    proxy_set_header X-Forwarded-Proto $the_scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

# Required for only office document server
map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

map $http_x_forwarded_host $the_host {
        default $http_x_forwarded_host;
        "" $host;
    }

map $http_upgrade $proxy_connection {
        default upgrade;
        "" close;
    }

# webdav move fix
map $http_destination $nossl_destination {

  "~^https:(.+)$" $1;
  "~^http:(.+)$" $1;

/etc/nginx/default_headers.conf:

  # Default Headers
  add_header Allow "GET, POST, HEAD" always;
  add_header X-Frame-Options "DENY" always;
  add_header X-Content-Type-Options nosniff always;
  add_header X-XSS-Protection "0" always;
  add_header X-Robots-Tag none always;
  add_header Referrer-Policy "no-referrer" always;
  add_header Permissions-Policy "geolocation=();midi=();notifications=(self);push=(self);sync-xhr=();microphone=();camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
  add_header X-Download-Options noopen;

/etc/nginx/ssl.conf:

  # SSL Settings
  ssl_certificate /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.fullchain;
  ssl_certificate_key /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.key;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # modern configuration
  ssl_protocols TLSv1.2 TLSv1.3;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000 ; includeSubDomains" always;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/nginx/ssl/mydomain.com_ecc/mydomain.com.ca;

  # Load DH / curve parameters - any benefit with TLSv1.3?
  ssl_dhparam /etc/nginx/ssl/mydomain.com_ecc/dhparams4096.pem;
  ssl_ecdh_curve X448:secp384r1;

  # SSL cipher suites

   ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
   ssl_prefer_server_ciphers off;

@daniel.pan any idea how to solve this?

Maybe you can turn on DEBUG mode of Dango and check why Dango think your host is not in CSRF_TRUSTED_ORIGINS.