CSRF Failed: Origin checking failed
CSRF Failed: Origin checking failed - https://comics.my.domain does not match any trusted origins.
I used Nginx to add the codex server as a subdomain:
https://comics.my.domain
I believe I just need to add this Django setting:
CSRF_TRUSTED_ORIGINS = ["https://comics.my.domain"]
Is there a config file I can use to add this?
While you could find the settings.py file and add that setting to /usr/lib/python3.*/site-packages/codex/settings/settings.py, you can probably accomplish the same thing by forwarding the correct headers in your nginx config.
Check out this example: https://github.com/ajslater/codex#reverse-proxy
I serve codex from codex.my.home.server.net & codex.sl8r.net with just nginx reverse proxies.
For a more comprehensive example, here's /etc/nginx/http.d/codex_sl8r_net.conf from sl8r.net.
This is mounted into an nginx docker container and the codex container is running in the same compose file. Docker has given it the network name 'codex' which I declare as the upstream server at the start. If you're not using docker you would replace codex:9180 with your.codex.server.tld:9810.
The X-Forwarded sections are probably most relevant for your CSRF issue.
upstream codex_service {
    server codex:9810;
}

server {
    listen 80;
    server_name codex.sl8r.net;
    charset utf-8;

    # For letsencrypt
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /srv/www/letsencrypt/;
    }

    location ~* {
        return 301 https://codex.sl8r.net$request_uri;
    }
}

# HTTPS servers for codex.sl8r.net
server {
    listen 443 ssl http2;
    server_name codex.sl8r.net;
    charset utf-8;

    ssl_certificate /etc/letsencrypt/live/sl8r.net-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sl8r.net-0001/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/codex.sl8r.net-dhparam4096.pem;
    include ssl/ssl.rules;
    include ssl/ssl-ocsp.rules;
    ssl_trusted_certificate /etc/letsencrypt/live/sl8r.net-0001/chain.pem;

    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    brotli_types application/atom+xml application/javascript
        application/json application/rss+xml application/vnd.ms-fontobject
        application/x-font-opentype application/x-font-truetype
        application/x-font-ttf application/x-javascript
        application/xhtml+xml application/xml font/eot font/opentype
        font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
        image/x-icon image/x-win-bitmap text/css text/javascript
        text/plain text/xml;

    add_header X-Frame-Options SAMEORIGIN;
    add_header Alternate-Protocol 443:h2;

    access_log /dev/stdout;
    error_log /dev/stdout;

    # proxies
    # Docs for using variables to force name re-resolution when upstream containers are re-created.
    # https://tenzer.dk/nginx-with-dynamic-upstreams/
    # proxy_buffering off;
    # proxy_buffers 8 64k;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    # proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;

    # WS
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/json application/xml image/svg+xml;

    set $codex_upstream http://codex_service;

    location / {
        proxy_pass $codex_upstream;
    }
}
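
Added example (not code from Django, Codex, or either poster): a simplified model of the comparison Django makes for the Origin header, showing why the error appears behind a TLS-terminating proxy and how each fix discussed in this thread changes the result. The function and scenario names are hypothetical, and whether Codex enables the forwarded-header settings is an assumption, not something this thread states.

```python
def origin_verified(headers, *, wsgi_scheme="http", trusted_origins=(),
                    use_x_forwarded_host=False, secure_proxy_ssl_header=None):
    """Simplified model of Django's CSRF Origin check (illustration only).

    headers: request headers as the backend receives them from the proxy.
    The keyword arguments mirror the Django settings CSRF_TRUSTED_ORIGINS,
    USE_X_FORWARDED_HOST and SECURE_PROXY_SSL_HEADER (header name, value).
    """
    # Scheme: the proxy's header counts only when explicitly trusted.
    scheme = wsgi_scheme
    if secure_proxy_ssl_header:
        name, secure_value = secure_proxy_ssl_header
        if name in headers:
            first = headers[name].split(",", 1)[0].strip()
            scheme = "https" if first == secure_value else "http"
    # Host: X-Forwarded-Host is consulted only when opted in.
    host = headers.get("X-Forwarded-Host") if use_x_forwarded_host else None
    host = host or headers["Host"]
    if headers["Origin"] == f"{scheme}://{host}":
        return True
    # Fallback: exact entry in the trusted list (wildcard entries omitted).
    return headers["Origin"] in trusted_origins


# Constructed sample: a POST as the backend sees it behind a proxy that
# terminates TLS and talks plain HTTP to the application.
SAMPLE = {
    "Origin": "https://comics.my.domain",
    "Host": "comics.my.domain",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "comics.my.domain",
}
PROTO = ("X-Forwarded-Proto", "https")


def scenarios():
    no_host = dict(SAMPLE, Host="codex:9810")  # proxy did not forward Host
    return {
        "defaults": origin_verified(SAMPLE),
        "proto_trusted": origin_verified(SAMPLE, secure_proxy_ssl_header=PROTO),
        "origin_listed": origin_verified(
            SAMPLE, trusted_origins=["https://comics.my.domain"]),
        "host_lost": origin_verified(no_host, secure_proxy_ssl_header=PROTO),
        "host_recovered": origin_verified(
            no_host, secure_proxy_ssl_header=PROTO, use_x_forwarded_host=True),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:15} {'pass' if ok else 'CSRF Failed'}")
```

Trusting X-Forwarded-Proto is only safe when the proxy sets it on every request, as the config above does with proxy_set_header, so that a client-supplied value never reaches the application.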