"CSRF verification failed" error after upgrading from CE 9.0.10 top 11.0.4

Hello,

sorry for reposting this but somehow my first report was deleted (and closed, board says by me but surely not).

After updating Seafile CE from 9.0.10 to 11.0.4, the Seahub login interface is shown as expected but any login attempt ends up in the following CSRF error:

Forbidden (403)

CSRF verification failed. Request aborted.

More information is available with DEBUG=True.

I already followed the instructions under 403 Forbidden, CSRF verification failed. Referer checking failed, does not match trusted origins - #10 by daniel.pan and changed proxy_set_header Host $host; to proxy_set_header Host $http_host; in my Nginx config but still get the same CSRF error.

When I set DEBUG=True in seahub_settings.py I get:

Reason given for failure:
Origin checking failed - https://example.ddns.net does not match any trusted origins.

Unfortunately I was never able to set up ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS in a working way in my seahub_settings.py.

  • If I set ALLOWED_HOSTS = ['.example.ddns.net'] or ALLOWED_HOSTS = ['.ddns.net'], both cause a Bad Request (400) error, so I’ve never activated this setting.
  • If I set CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/seafile/'] I still get “CSRF verification failed. Request aborted.”.
  • If I set CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/'] I get “502 Bad Gateway nginx/1.18.0”.

So currently CSRF_COOKIE_SECURE = True and CSRF_COOKIE_SAMESITE = 'Strict' are the only active CSRF related settings in my seahub_settings.py.

My Seafile server is running on a dedicated virtual machine behind another virtual machine as reverse proxy. I’m using DynamicDNS with a domain like example.ddns.net so my Seafile server is accessed via https://example.ddns.net/seafile/.

Any ideas how I could fix the failed CSRF verification?

If needed, I can show my Nginx config and further logs, of course.

If I set CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/'] I get “502 Bad Gateway nginx/1.18.0”.

According to the upgrade docs, this should be the correct one… Have you tried to leave out the last trailing “/” after the domain, by chance? Just an idea… my own installation is still pending the update from 10.0.1, so I will perhaps have more experience in a few days.


According to the upgrade docs, this should be the correct one… Have you tried to leave out the last trailing “/” after the domain, by chance? Just an idea…

Thank you so much! :man_bowing: CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net'] instead of CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/'] is the solution. But I already made a rollback to version 9, have to try out the upgrade again and will report back when it’s done.
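To make the trailing-slash problem from this thread (and the earlier ALLOWED_HOSTS attempts) checkable offline, here is an added example that is not part of the thread and not Seafile's or Django's own code. It re-implements the two matching rules Seahub inherits from Django: ALLOWED_HOSTS entries with a leading dot match the domain and its subdomains, and a browser's Origin header (which is only scheme://host[:port], never a path) must match a CSRF_TRUSTED_ORIGINS entry exactly or via a "https://*.domain" wildcard. The hostname example.ddns.net is the thread's placeholder; the function names are this example's own.

```python
"""
Offline checker for Django-style ALLOWED_HOSTS / CSRF_TRUSTED_ORIGINS values.
Added example, not code from the thread, Seafile or Django. It mirrors the
matching rules of django.http.request.validate_host() and the origin check in
django.middleware.csrf.CsrfViewMiddleware, so a candidate seahub_settings.py
value can be tested before restarting the server.
"""
from urllib.parse import urlsplit


def _same_domain(host: str, pattern: str) -> bool:
    """Django's is_same_domain(): a leading '.' matches the domain itself
    and every subdomain; anything else must match exactly."""
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts: list[str]) -> bool:
    """ALLOWED_HOSTS matching. `host` is the Host header with any port removed."""
    host = host.lower().rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or _same_domain(host, pattern):
            return True
    return False


def origin_allowed(origin: str, trusted_origins: list[str]) -> bool:
    """CSRF origin check: exact string match first, then scheme-specific
    subdomain wildcards such as 'https://*.ddns.net'."""
    exact = {entry for entry in trusted_origins if "*" not in entry}
    if origin in exact:
        return True
    request = urlsplit(origin)
    for entry in trusted_origins:
        if "*" not in entry:
            continue
        trusted = urlsplit(entry)
        if trusted.scheme != request.scheme:
            continue
        # '*.ddns.net' -> '.ddns.net', compared with the subdomain rule above
        if _same_domain(request.netloc, trusted.netloc.lstrip("*")):
            return True
    return False


def lint_trusted_origin(entry: str) -> list[str]:
    """Return reasons why an entry can never equal a browser Origin header."""
    problems = []
    parts = urlsplit(entry)
    if not parts.scheme or not parts.netloc:
        problems.append("no scheme: Django 4+ requires 'https://host' form")
    if parts.path:
        # 'https://example.ddns.net/' has path '/', so the exact match fails
        problems.append(f"path {parts.path!r} present; Origin carries only scheme://host")
    return problems


def main() -> None:
    origin = "https://example.ddns.net"  # what the browser sends
    for candidate in ["https://example.ddns.net/seafile/",
                      "https://example.ddns.net/",
                      "https://example.ddns.net"]:
        ok = origin_allowed(origin, [candidate])
        print(f"{candidate!r:45} allowed={ok} {lint_trusted_origin(candidate)}")
    for host_pattern in [".example.ddns.net", ".ddns.net"]:
        print(f"ALLOWED_HOSTS={host_pattern!r:22} matches example.ddns.net: "
              f"{validate_host('example.ddns.net', [host_pattern])}")


if __name__ == "__main__":
    main()
```

Running it shows that only the entry without a path accepts the Origin the thread's DEBUG output reports, and that both dotted ALLOWED_HOSTS forms do match example.ddns.net, so a 400 with those values points at the Host header the reverse proxy actually forwards rather than at the pattern itself.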