CSRF 403 error when trying to log in

Yes. proxy_set is nginx.

this is my nginx conf

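    # Plain-HTTP listener: its only job is to send clients to the HTTPS site.
    server {
        listen 80;
        server_name  cloud.XXX.me www.cloud.XXX.me;
        server_tokens off;

        # Force redirect from http to https.
        # $host is used instead of $http_host: $http_host is the raw,
        # client-supplied Host header (including any ":80" port suffix), so it
        # could produce a broken or attacker-chosen redirect target.
        # If this block is also the default server for port 80, requests with
        # an unknown Host still land here; add a catch-all server that rejects
        # them if that matters for this deployment.
        return 301 https://$host$request_uri;
    }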
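# HTTPS front end for Seahub (127.0.0.1:8000) and the Seafile file server
# (127.0.0.1:8082). TLS terminates here; the backends are reached over
# loopback in plain HTTP.
server {
    # "ssl" on the listen line replaces the separate "ssl on;" directive,
    # which nginx deprecated in 1.15.0 and removed in 1.25.1.
    listen 443 ssl http2;
    server_name cloud.XXX.me www.cloud.XXX.me;

    ssl_certificate /etc/letsencrypt/live/cloud.XXX.me/fullchain.pem; # HTTPS CERTBOT
    ssl_certificate_key /etc/letsencrypt/live/cloud.XXX.me/privkey.pem; # HTTPS CERTBOT

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_ecdh_curve secp384r1;

    # TLS 1.0 and 1.1 are deprecated and were removed from this list.
    # nginx takes the protocol list from the default server of a listen
    # socket, so keep any http-level or default-server ssl_protocols in sync.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Only the ECDHE AEAD (GCM) suites from the original list are kept. The
    # CBC/SHA-1, SEED and CAMELLIA entries and the broad "HIGH" keyword were
    # dropped, as were the DHE entries (no ssl_dhparam is configured here).
    # TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # Response hardening headers. They are inherited by the locations below
    # only while those locations declare no add_header of their own.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    # X-XSS-Protection is ignored by current browsers; kept as in the original.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # "always" is an nginx parameter (send the header on error responses
    # too), not an HSTS directive, so it belongs outside the quoted value.
    add_header Strict-Transport-Security "max-age=15552000" always;
    server_tokens off;

    # The original server-level "proxy_set_header X-Forwarded-For $remote_addr;"
    # was removed: proxy_set_header is inherited only by locations that set no
    # proxy_set_header themselves, and both proxying locations below do.

    location / {
        proxy_pass         http://127.0.0.1:8000;
        # Host and X-Forwarded-Proto let the Django backend see the public
        # host name and scheme, which its CSRF/Referer checks depend on.
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever the client sent, so
        # only the last entry is trustworthy; X-Real-IP is set from the socket.
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout  1200s;

        # used for view/edit office file via Office Online Server
        # (0 disables nginx's request body size check for this location)
        client_max_body_size 0;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
    }

    # File server: strip the /seafhttp prefix and stream uploads straight
    # through (no request buffering, no body size limit, long timeouts).
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
        proxy_request_buffering off;
    }

    # Static assets are served directly from the Seahub tree.
    location /media {
        root /home/cloud/seafile-server-latest/seahub;
    }

}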

seahub_settings.py

# -*- coding: utf-8 -*-
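# Django's signing key (used for cryptographic signing, e.g. password-reset
# tokens). Keep the real value out of forum posts and version control, and
# rotate it if it was ever disclosed.
SECRET_KEY = "XXXXXXXXXXXXXXXXXXXXXXXXX"

# Seahub's MySQL connection; the database is reached over loopback only.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'XXXXXX-db',
        'USER': 'XXXXXXXXX',
        # Redacted placeholder. The opening quote was lost when the value was
        # masked, which made the whole file a SyntaxError; it is restored here.
        'PASSWORD': 'XXXXXXXXXXXXXXXXXXXXXXXXX',
        'HOST': '127.0.0.1',
        'PORT': '3306'
    }
}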

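# Outgoing mail over implicit-TLS SMTP (port 465) via the django_smtp_ssl
# backend.
# NOTE(review): EMAIL_USE_TLS normally selects STARTTLS in Django's stock SMTP
# backend; confirm how the SSL backend treats it when both are configured.
EMAIL_USE_TLS = True
EMAIL_BACKEND = 'django_smtp_ssl.SSLEmailBackend'
#EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'ssl0.ovh.net'
EMAIL_HOST_USER = 'XXXXXX@XXXXXX.XX'
# Redacted placeholder. The closing quote was lost when the value was masked
# (an unterminated string is a SyntaxError); it is restored here.
EMAIL_HOST_PASSWORD = '@XXXXXXXXXXXXXX'
EMAIL_PORT = 465
# Sender addresses reuse the SMTP account.
DEFAULT_FROM_EMAIL = EMAIL_HOST_USER
SERVER_EMAIL = EMAIL_HOST_USER
REPLACE_FROM_EMAIL = True
ADD_REPLY_TO_HEADER = True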

# Leave DEBUG disabled in production: Django's debug pages expose settings
# and stack traces to whoever triggers an error.
#DEBUG = True

# For security consideration, please set to match the host/domain of your site, e.g., ALLOWED_HOSTS = ['.example.com'].
# Please refer https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts for details.
# A leading dot matches the domain and all of its subdomains. Requests whose
# Host header does not match are rejected by Django.
ALLOWED_HOSTS = ['.XXXXXXXXXXX.XXX']

ENABLE_WIKI = True

#ENABLE_DEMO_USER = True
#CLOUD_DEMO_USER = 'XXXX@XXXXX.XX'

#BRANDING_CSS = 'custom/custom.css'
#LOGO_PATH = 'custom/mylogo.png'
#LOGO_WIDTH = 250
#LOGO_HEIGHT = 41
#DESKTOP_CUSTOM_BRAND = 'XXXXXXXXXXXXXX'
#DESKTOP_CUSTOM_LOGO = 'custom/desktop-custom-logo.png'
#FAVICON_PATH = 'custom/favicon.png'

# video thumbnails
ENABLE_VIDEO_THUMBNAIL = False
THUMBNAIL_VIDEO_FRAME_TIME = 10  # use the frame at 10 seconds as the thumbnail
THUMBNAIL_ROOT = '/home/cloud/seahub-data/thumbnail/img/'
ENABLE_RESUMABLE_FILEUPLOAD = True
TIME_ZONE = 'Europe/Paris'
ENABLE_TERMS_AND_CONDITIONS = False
# NOTE(review): the name suggests system admins can browse users' libraries;
# confirm this is intended for this deployment.
ENABLE_SYS_ADMIN_VIEW_REPO = True
SHOW_TRAFFIC = True
LANGUAGE_CODE = 'fr'
SITE_NAME = 'XXXXXXXXXXXXXXXX'
SITE_TITLE = 'XXXXXXXXXXXXXXXXXXXXX'
# NOTE(review): share-link auditing and upload-link virus checking are both
# switched off here; confirm that matches the site's policy for public links.
ENABLE_SHARE_LINK_AUDIT = False
ENABLE_UPLOAD_LINK_VIRUS_CHECK = False
USE_PDFJS = True
FILE_PREVIEW_MAX_SIZE = 40 * 1024 * 1024
ENABLE_THUMBNAIL = True
# Same value as the THUMBNAIL_ROOT assignment earlier in this file; the
# repeat is redundant but harmless.
THUMBNAIL_ROOT = '/home/cloud/seahub-data/thumbnail/img/'
THUMBNAIL_SIZE_FOR_ORIGINAL = 1024
THUMBNAIL_IMAGE_SIZE_LIMIT = 30 # MB
ENABLE_GUEST_INVITATION = True
NOTIFY_ADMIN_AFTER_REGISTRATION = True
ENABLE_USER_CLEAN_TRASH = True
ENABLE_SHARE_TO_ALL_GROUPS = True

# Whether to send email when a system admin adding a new member. Default is `True`.
SEND_EMAIL_ON_ADDING_SYSTEM_MEMBER = True
# Whether to send email when a system staff resetting user's password.
SEND_EMAIL_ON_RESETTING_USER_PASSWD = True

# Interval for browser requests unread notifications
# Since PRO 6.1.4 or CE 6.1.2
UNREAD_NOTIFICATIONS_REQUEST_INTERVAL = 3 * 60 # seconds

# Add the ability of tagging a snapshot of a library (Use ENABLE_REPO_SNAPSHOT_LABEL = True to turn the feature on)
ENABLE_REPO_SNAPSHOT_LABEL = True

# Cloud mode toggle (hides the `Organization` tab when enabled); disabled here.
CLOUD_MODE = False
# Global address book toggle; True leaves it enabled (set False to disable).
ENABLE_GLOBAL_ADDRESSBOOK = True
MAX_NUMBER_OF_FILES_FOR_FILEUPLOAD = 2000

# If you don't want to run seahub website on your site's root path, set this option to your preferred path.
# e.g. setting it to '/seahub/' would run seahub on http://example.com/seahub/.
SITE_ROOT = '/'

# Config Memcached ( Http or Socket )
# The memcached instance is addressed over loopback. memcached has no
# authentication by default, so make sure the daemon itself is bound to
# 127.0.0.1 and not reachable from other hosts.
CACHES = {
    'default': {
        'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
        'LOCATION': '127.0.0.1:11211',
    },
    'locmem': {
        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
    },
}
# The compressor uses the in-process 'locmem' cache defined above.
COMPRESS_CACHE_BACKEND = 'locmem'


# Per-role capability switches. 'default' grants every listed capability;
# 'guest' is denied everything listed except can_view_org.
# NOTE(review): confirm guests are meant to keep can_view_org while the
# global address book is denied to them.
ENABLED_ROLE_PERMISSIONS = {
    'default': {
        'can_add_repo': True,
        'can_add_group': True,
        'can_view_org': True,
        'can_use_global_address_book': True,
        'can_generate_share_link': True,
        'can_generate_upload_link': True,
        'can_invite_guest': True,
        'can_connect_with_android_clients': True,
        'can_connect_with_ios_clients': True,
        'can_connect_with_desktop_clients': True,
    },
    'guest': {
        'can_add_repo': False,
        'can_add_group': False,
        'can_view_org': True,
        'can_use_global_address_book': False,
        'can_generate_share_link': False,
        'can_generate_upload_link': False,
        'can_invite_guest': False,
        'can_connect_with_android_clients': False,
        'can_connect_with_ios_clients': False,
        'can_connect_with_desktop_clients': False,
    }
}

# From 6.1.0 CE version on, Seafile support viewing/editing **doc**, **ppt**, **xls** files via LibreOffice
# Add this setting to view/edit **doc**, **ppt**, **xls** files
OFFICE_SERVER_TYPE = 'CollaboraOffice'

# Enable LibreOffice Online
ENABLE_OFFICE_WEB_APP = True

# Url of LibreOffice Online's discovery page
# The discovery page tells Seafile how to interact with LibreOffice Online when view file online
# You should change `https://collabora-online.seafile.com/hosting/discovery` to your actual LibreOffice Online server address
# Keep this on https: the office server receives WOPI access tokens for the
# files it opens, so the channel to it should be encrypted and authenticated.
OFFICE_WEB_APP_BASE_URL = 'https://XXXX.XXXXX.XX/hosting/discovery'

# Expiration of WOPI access token
# WOPI access token is a string used by Seafile to determine the file's
# identity and permissions when use LibreOffice Online view it online
# And for security reason, this token should expire after a set time period
WOPI_ACCESS_TOKEN_EXPIRATION = 30 * 60   # seconds

# List of file formats that you want to view through LibreOffice Online
# You can change this value according to your preferences
# And of course you should make sure your LibreOffice Online supports to preview
# the files with the specified extensions
OFFICE_WEB_APP_FILE_EXTENSION = ('odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx')

# Enable edit files through LibreOffice Online
ENABLE_OFFICE_WEB_APP_EDIT = True

# types of files should be editable through LibreOffice Online
# NOTE(review): the list includes macro-enabled formats (docm, xlsm, pptm);
# confirm the office server's macro handling before allowing edits on them.
OFFICE_WEB_APP_EDIT_FILE_EXTENSION = ('odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx')

ccnet.conf

[General]
USER_NAME = Seafile-Server
ID = X3XXc27f10f635XXXXXXXXXXXXXXXbab92b62eae447
NAME = Seafile-Server
# NOTE(review): this is plain http on port 8000, while the nginx config on
# this page serves the site over https on 443 and proxies to 127.0.0.1:8000.
# A SERVICE_URL that does not match the public https address is worth ruling
# out when debugging the CSRF 403, and links built from it would point at the
# backend port. Check FILE_SERVER_ROOT in seahub_settings.py as well; it is
# not set in the settings shown on this page.
SERVICE_URL = http://XXXXX.XXXXX.mXXX:8000

[Client]
PORT = 13419

[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = XXXXXXXX
# Stored in clear text: restrict this file to the account that runs Seafile.
PASSWD = @XXXXXXXXXXX......
DB = ccnet-db
CONNECTION_CHARSET = utf8

If you do not use Collabora Online, use this configuration file instead:

seahub_settings.py

# -*- coding: utf-8 -*-
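# Django's signing key (used for cryptographic signing, e.g. password-reset
# tokens). Keep the real value out of forum posts and version control, and
# rotate it if it was ever disclosed.
SECRET_KEY = "XXXXXXXXXXXXXXXXXXXXXXXXX"

# Seahub's MySQL connection; the database is reached over loopback only.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'XXXXXX-db',
        'USER': 'XXXXXXXXX',
        # Redacted placeholder. The opening quote was lost when the value was
        # masked, which made the whole file a SyntaxError; it is restored here.
        'PASSWORD': 'XXXXXXXXXXXXXXXXXXXXXXXXX',
        'HOST': '127.0.0.1',
        'PORT': '3306'
    }
}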

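# Outgoing mail over implicit-TLS SMTP (port 465) via the django_smtp_ssl
# backend.
# NOTE(review): EMAIL_USE_TLS normally selects STARTTLS in Django's stock SMTP
# backend; confirm how the SSL backend treats it when both are configured.
EMAIL_USE_TLS = True
EMAIL_BACKEND = 'django_smtp_ssl.SSLEmailBackend'
#EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'ssl0.ovh.net'
EMAIL_HOST_USER = 'XXXXXX@XXXXXX.XX'
# Redacted placeholder. The closing quote was lost when the value was masked
# (an unterminated string is a SyntaxError); it is restored here.
EMAIL_HOST_PASSWORD = '@XXXXXXXXXXXXXX'
EMAIL_PORT = 465
# Sender addresses reuse the SMTP account.
DEFAULT_FROM_EMAIL = EMAIL_HOST_USER
SERVER_EMAIL = EMAIL_HOST_USER
REPLACE_FROM_EMAIL = True
ADD_REPLY_TO_HEADER = True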

# Leave DEBUG disabled in production: Django's debug pages expose settings
# and stack traces to whoever triggers an error.
#DEBUG = True

# For security consideration, please set to match the host/domain of your site, e.g., ALLOWED_HOSTS = ['.example.com'].
# Please refer https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts for details.
# A leading dot matches the domain and all of its subdomains. Requests whose
# Host header does not match are rejected by Django.
ALLOWED_HOSTS = ['.XXXXXXXXXXX.XXX']

ENABLE_WIKI = True

#ENABLE_DEMO_USER = True
#CLOUD_DEMO_USER = 'XXXX@XXXXX.XX'

#BRANDING_CSS = 'custom/custom.css'
#LOGO_PATH = 'custom/mylogo.png'
#LOGO_WIDTH = 250
#LOGO_HEIGHT = 41
#DESKTOP_CUSTOM_BRAND = 'XXXXXXXXXXXXXX'
#DESKTOP_CUSTOM_LOGO = 'custom/desktop-custom-logo.png'
#FAVICON_PATH = 'custom/favicon.png'

# video thumbnails
ENABLE_VIDEO_THUMBNAIL = False
THUMBNAIL_VIDEO_FRAME_TIME = 10  # use the frame at 10 seconds as the thumbnail
THUMBNAIL_ROOT = '/home/cloud/seahub-data/thumbnail/img/'
ENABLE_RESUMABLE_FILEUPLOAD = True
TIME_ZONE = 'Europe/Paris'
ENABLE_TERMS_AND_CONDITIONS = False
# NOTE(review): the name suggests system admins can browse users' libraries;
# confirm this is intended for this deployment.
ENABLE_SYS_ADMIN_VIEW_REPO = True
SHOW_TRAFFIC = True
LANGUAGE_CODE = 'fr'
SITE_NAME = 'XXXXXXXXXXXXXXXX'
SITE_TITLE = 'XXXXXXXXXXXXXXXXXXXXX'
# NOTE(review): share-link auditing and upload-link virus checking are both
# switched off here; confirm that matches the site's policy for public links.
ENABLE_SHARE_LINK_AUDIT = False
ENABLE_UPLOAD_LINK_VIRUS_CHECK = False
USE_PDFJS = True
FILE_PREVIEW_MAX_SIZE = 40 * 1024 * 1024
ENABLE_THUMBNAIL = True
# Same value as the THUMBNAIL_ROOT assignment earlier in this file; the
# repeat is redundant but harmless.
THUMBNAIL_ROOT = '/home/cloud/seahub-data/thumbnail/img/'
THUMBNAIL_SIZE_FOR_ORIGINAL = 1024
THUMBNAIL_IMAGE_SIZE_LIMIT = 30 # MB
ENABLE_GUEST_INVITATION = True
NOTIFY_ADMIN_AFTER_REGISTRATION = True
ENABLE_USER_CLEAN_TRASH = True
ENABLE_SHARE_TO_ALL_GROUPS = True

# Whether to send email when a system admin adding a new member. Default is `True`.
SEND_EMAIL_ON_ADDING_SYSTEM_MEMBER = True
# Whether to send email when a system staff resetting user's password.
SEND_EMAIL_ON_RESETTING_USER_PASSWD = True

# Interval for browser requests unread notifications
# Since PRO 6.1.4 or CE 6.1.2
UNREAD_NOTIFICATIONS_REQUEST_INTERVAL = 3 * 60 # seconds

# Add the ability of tagging a snapshot of a library (Use ENABLE_REPO_SNAPSHOT_LABEL = True to turn the feature on)
ENABLE_REPO_SNAPSHOT_LABEL = True

# Cloud mode toggle (hides the `Organization` tab when enabled); disabled here.
CLOUD_MODE = False
# Global address book toggle; True leaves it enabled (set False to disable).
ENABLE_GLOBAL_ADDRESSBOOK = True
MAX_NUMBER_OF_FILES_FOR_FILEUPLOAD = 2000

# If you don't want to run seahub website on your site's root path, set this option to your preferred path.
# e.g. setting it to '/seahub/' would run seahub on http://example.com/seahub/.
SITE_ROOT = '/'

# Config Memcached ( Http or Socket )
# The memcached instance is addressed over loopback. memcached has no
# authentication by default, so make sure the daemon itself is bound to
# 127.0.0.1 and not reachable from other hosts.
CACHES = {
    'default': {
        'BACKEND': 'django_pylibmc.memcached.PyLibMCCache',
        'LOCATION': '127.0.0.1:11211',
    },
    'locmem': {
        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
    },
}
# The compressor uses the in-process 'locmem' cache defined above.
COMPRESS_CACHE_BACKEND = 'locmem'


# Per-role capability switches. 'default' grants every listed capability;
# 'guest' is denied everything listed except can_view_org.
# NOTE(review): confirm guests are meant to keep can_view_org while the
# global address book is denied to them.
ENABLED_ROLE_PERMISSIONS = {
    'default': {
        'can_add_repo': True,
        'can_add_group': True,
        'can_view_org': True,
        'can_use_global_address_book': True,
        'can_generate_share_link': True,
        'can_generate_upload_link': True,
        'can_invite_guest': True,
        'can_connect_with_android_clients': True,
        'can_connect_with_ios_clients': True,
        'can_connect_with_desktop_clients': True,
    },
    'guest': {
        'can_add_repo': False,
        'can_add_group': False,
        'can_view_org': True,
        'can_use_global_address_book': False,
        'can_generate_share_link': False,
        'can_generate_upload_link': False,
        'can_invite_guest': False,
        'can_connect_with_android_clients': False,
        'can_connect_with_ios_clients': False,
        'can_connect_with_desktop_clients': False,
    }
}

nginx.conf

# Global nginx settings: worker processes run as www-data, one worker per
# CPU core ("auto").
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll; # epoll event handler (kernel 2.6+)
}

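# Settings shared by every virtual host included from sites-enabled.
http {
    include /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log /var/log/nginx/access.log combined;
    error_log /var/log/nginx/error.log error;

    sendfile on;
    keepalive_timeout 15;
    keepalive_disable msie6;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay off;
    # Do not advertise the nginx version in headers or error pages.
    server_tokens off;

    # TLS 1.0 and 1.1 are deprecated and were removed from this list. This
    # http-level value is the default for every server block that does not set
    # its own, so keep per-server ssl_protocols lines in agreement with it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # NOTE(review): compression is applied to proxied responses of any kind
    # ("gzip_proxied any"), including those served over HTTPS. Where a page
    # reflects request data next to a secret, compression side channels
    # (BREACH) are a consideration; confirm the application masks its CSRF
    # tokens per response.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;

    include /etc/nginx/sites-enabled/*.conf;
}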