Hello,
sorry for reposting this but somehow my first report was deleted (and closed, board says by me but surely not).
After updating Seafile CE from 9.0.10 to 11.0.4, the Seahub login interface is shown as expected but any login attempt ends up in the following CSRF error:
Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.
I already followed the instructions under "403 Forbidden, CSRF verification failed. Referer checking failed, does not match trusted origins - #10 by daniel.pan" and changed proxy_set_header Host $host; to proxy_set_header Host $http_host; in my Nginx config but still get the same CSRF error.
When I set DEBUG=True in seahub_settings.py I get:
Reason given for failure:
Origin checking failed - https://example.ddns.net does not match any trusted origins.
Unfortunately I was never able to set up ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS in a working way in my seahub_settings.py.
- If I set ALLOWED_HOSTS = ['.example.ddns.net'] or ALLOWED_HOSTS = ['.ddns.net'], both cause a Bad Request (400) error so I’ve never activated this setting.
- If I set CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/seafile/'] I still get “CSRF verification failed. Request aborted.”.
- If I set CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/'] I get “502 Bad Gateway nginx/1.18.0”.
So currently CSRF_COOKIE_SECURE = True and CSRF_COOKIE_SAMESITE = 'Strict' are the only active CSRF related settings in my seahub_settings.py.
My Seafile server is running on a dedicated virtual machine behind another virtual machine as reverse proxy. I’m using DynamicDNS with a domain like example.ddns.net so my Seafile server is accessed via https://example.ddns.net/seafile/.
Any ideas how I could fix the failed CSRF verification?
If needed, I can show my Nginx config and further logs, of course.
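
The Origin comparison behind the "Origin checking failed ... does not match any trusted origins" message, modelled on the check in Django's CSRF middleware and run against the CSRF_TRUSTED_ORIGINS values tried in the post. This is an added example, not part of the original post and not Django's or Seafile's own code; the function names, the Host value and the assumption that the backend sees plain HTTP from the TLS-terminating proxy are illustrative.

```python
from urllib.parse import urlsplit

def is_same_domain(host, pattern):
    # A leading-dot pattern matches the domain itself and any subdomain.
    pattern = pattern.lower()
    return bool(pattern) and (
        (pattern[0] == "." and (host.endswith(pattern) or host == pattern[1:]))
        or pattern == host
    )

def origin_verified(origin, host_header, backend_sees_https, trusted_origins):
    # 1. Same-origin shortcut: scheme as the backend sees it, plus the Host header.
    scheme = "https" if backend_sees_https else "http"
    if origin == f"{scheme}://{host_header}":
        return True
    # 2. Exact string match against non-wildcard entries. An Origin header is
    #    scheme://host[:port] only, so an entry with a path or a trailing
    #    slash can never be equal to it.
    if origin in {o for o in trusted_origins if "*" not in o}:
        return True
    # 3. Wildcard entries (https://*.example.net) match on scheme + domain suffix.
    parsed = urlsplit(origin)
    return any(
        urlsplit(o).scheme == parsed.scheme
        and is_same_domain(parsed.netloc, urlsplit(o).netloc.lstrip("*"))
        for o in trusted_origins if "*" in o
    )

# Constructed request: the Origin value from the debug output in the post.
ORIGIN = "https://example.ddns.net"
HOST = "example.ddns.net"  # assumed value forwarded by the proxy

def check(trusted, backend_sees_https=False):
    return origin_verified(ORIGIN, HOST, backend_sees_https, trusted)

if __name__ == "__main__":
    candidates = [
        [],                                     # no trusted origins configured
        ["https://example.ddns.net/seafile/"],  # value from the post (has a path)
        ["https://example.ddns.net/"],          # value from the post (trailing slash)
        ["https://example.ddns.net"],           # scheme + host only
        # Matches, but on a shared dynamic-DNS domain it would also trust
        # every other customer's hostname, so it is too broad to use.
        ["https://*.ddns.net"],
    ]
    for trusted in candidates:
        print(trusted, "->", check(trusted))
    print("empty list, backend told the request is HTTPS ->", check([], True))
```
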