codex icon indicating copy to clipboard operation
codex copied to clipboard

Published 20 hours ago verified publisher icon ajslater

CSRF Failed: Origin checking failed - https://codex.mysite.com does not match any trusted origins.

Open PhAzE-Variance opened this issue 10 months ago • 1 comments

I have Codex running behind a reverse proxy as a subdomain. For this example it is https://codex.mysite.com. I can log in, however when I try to run admin tasks, I get the following error in the Last Task Queued:

CSRF Failed: Origin checking failed - https://codex.mysite.com does not match any trusted origins.

Here is my nginx config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name codex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        proxy_set_header   X-Scheme $scheme;

        set $upstream_app 192.168.2.99;
        set $upstream_port 6066;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Codex reads http basic authentication.
        # If the nginx credentials are different than codex credentials use this line to
        #   not forward the authorization.
        #proxy_set_header Authorization "";
    }
}

Contents in proxy.conf:

# Proxy Connection Settings
proxy_http_version 1.1;
proxy_redirect http:// $scheme://;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

A quick Google says I need CSRF_TRUSTED_ORIGINS set somewhere, but passing it through the Docker instance doesn't make any difference.

PhAzE-Variance avatar Apr 07 '24 02:04 PhAzE-Variance

I'm not sure.

Your port number is weird, but i assume that's actually fine and you know what you're doing. I wondered if using a wildcard server name might work strangely with nginx and i found this

https://serverfault.com/questions/475772/set-access-control-allow-origin-in-nginx-using-wildcard-domain

Which gives an example of how you might add:

add_header Access-Control-Allow-Origin codex.*

or something.

But i think what i would do is first try using a blank a slate nginx config that nearly exactly matches the one on the codex README and if that works, try adding your own preferred headers back into it a controlled block at a time to see if that's where the issue might be.

ajslater avatar Apr 11 '24 02:04 ajslater