Hello,
sorry for reposting this but somehow my first report was deleted (and closed, board says by me but surely not).
After updating Seafile CE from 9.0.10 to 11.0.4, the Seahub login interface is shown as expected but any login attempt ends up in the following CSRF error:
Forbidden (403)
CSRF verification failed. Request aborted.
More information is available with DEBUG=True.
I already followed the instructions under 403 Forbidden, CSRF verification failed. Referer checking failed, does not match trusted origins - #10 by daniel.pan and changed proxy_set_header Host $host; to proxy_set_header Host $http_host; in my Nginx config but still get the same CSRF error.
When I set DEBUG=True in seahub_settings.py I get:
Reason given for failure:
Origin checking failed - https://example.ddns.net does not match any trusted origins.
Unfortunately I was never able to set up ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS in a working way in my seahub_settings.py.
- If I set `ALLOWED_HOSTS = ['.example.ddns.net']` or `ALLOWED_HOSTS = ['.ddns.net']`, both cause a `Bad Request (400)` error, so I’ve never activated this setting.
- If I set `CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/seafile/']` I still get “CSRF verification failed. Request aborted.”.
- If I set `CSRF_TRUSTED_ORIGINS = ['https://example.ddns.net/']` I get “502 Bad Gateway nginx/1.18.0”.
So currently CSRF_COOKIE_SECURE = True and CSRF_COOKIE_SAMESITE = 'Strict' are the only active CSRF related settings in my seahub_settings.py.
My Seafile server is running on a dedicated virtual machine behind another virtual machine as reverse proxy. I’m using DynamicDNS with a domain like example.ddns.net so my Seafile server is accessed via https://example.ddns.net/seafile/.
Any ideas how I could fix the failed CSRF verification?
If needed, I can show my Nginx config and further logs, of course.
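The post above tries several `ALLOWED_HOSTS` and `CSRF_TRUSTED_ORIGINS` values without finding one that passes. As an added example (not code from the original post, from Seafile or from Django), the following stand-alone Python re-implements the two matching rules Django applies on a cross-origin POST: the `ALLOWED_HOSTS` host check (`validate_host` / `is_same_domain`, the source of the 400) and the `CsrfViewMiddleware` origin check (the source of the "does not match any trusted origins" message). It also lints the settings for values that are valid Python but can never match, such as an origin entry carrying a path. The hostnames and the settings values in the demo are the ones quoted in the post; the helper names and the simplified request model (`host_header`, `secure`) are assumptions made for this example.

```python
"""Added example (not from the original post, Seafile or Django): a small
re-implementation of Django's ALLOWED_HOSTS and CSRF trusted-origin matching,
so settings values can be tested offline before editing seahub_settings.py."""
from urllib.parse import urlsplit


def is_same_domain(host, pattern):
    """Django's rule: a pattern starting with '.' matches the domain itself and
    every subdomain; any other pattern must match the host exactly."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def host_allowed(host_header, allowed_hosts):
    """ALLOWED_HOSTS check (the '400 Bad Request' path). The port is ignored;
    a bracketed IPv6 literal without a port is left untouched."""
    host = host_header
    if ":" in host and not host.endswith("]"):
        host = host.rsplit(":", 1)[0]
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def origin_allowed(request_origin, host_header, secure, allowed_hosts, trusted_origins):
    """CSRF origin check for a request that carries an Origin header.

    1. The request's own origin, scheme://Host, is trusted when the Host header
       passes ALLOWED_HOSTS; this is why the reverse proxy must forward the
       real Host header (proxy_set_header Host $http_host).
    2. Otherwise the Origin must equal a CSRF_TRUSTED_ORIGINS entry exactly, or
       match a 'scheme://*.domain' wildcard entry on scheme and domain.
    A browser's Origin header is always scheme://host[:port] with no path, so an
    entry with a path or trailing slash can never match.
    """
    if host_allowed(host_header, allowed_hosts):
        own_origin = f"{'https' if secure else 'http'}://{host_header}"
        if request_origin == own_origin:
            return True
    exact = {o for o in trusted_origins if "*" not in o}
    if request_origin in exact:
        return True
    wildcard_by_scheme = {}
    for o in trusted_origins:
        if "*" in o:
            p = urlsplit(o)
            # 'https://*.example.ddns.net' -> scheme 'https', domain '.example.ddns.net'
            wildcard_by_scheme.setdefault(p.scheme, []).append(p.netloc.lstrip("*"))
    try:
        p = urlsplit(request_origin)
    except ValueError:
        return False
    return any(is_same_domain(p.netloc, d) for d in wildcard_by_scheme.get(p.scheme, ()))


def lint_settings(allowed_hosts, trusted_origins):
    """Flag values that are syntactically valid but structurally can never match."""
    problems = []
    for h in allowed_hosts:
        if "://" in h or "/" in h:
            problems.append(f"ALLOWED_HOSTS entry {h!r}: use a bare hostname, no scheme or path")
    for o in trusted_origins:
        p = urlsplit(o)
        if p.scheme not in ("http", "https") or not p.netloc:
            problems.append(f"CSRF_TRUSTED_ORIGINS entry {o!r}: must start with http:// or https://")
        elif p.path or p.query or p.fragment:
            problems.append(
                f"CSRF_TRUSTED_ORIGINS entry {o!r}: drop the path {p.path!r}; "
                "an Origin header never carries one"
            )
    return problems


if __name__ == "__main__":
    # Values quoted in the post; the Origin/Host pair models the browser's login POST.
    origin, host = "https://example.ddns.net", "example.ddns.net"
    for allowed, trusted in [
        ([".example.ddns.net"], []),                          # own-origin path via ALLOWED_HOSTS
        ([], ["https://example.ddns.net/seafile/"]),          # path in entry: never matches
        ([], ["https://example.ddns.net/"]),                  # trailing slash: never matches
        ([], ["https://example.ddns.net"]),                   # exact origin: matches
    ]:
        print(allowed, trusted, "->", origin_allowed(origin, host, True, allowed, trusted),
              lint_settings(allowed, trusted))
```

Running the demo shows that the two entries with a path or trailing slash fail on structure alone, independent of the proxy, while the own-origin route succeeds only when the Host header the proxy forwards actually passes `ALLOWED_HOSTS`; a wrong `Host` upstream therefore surfaces as either a 400 or a CSRF failure depending on which setting is active.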