docker-healthchecks

[BUG] CSRF_TRUSTED_ORIGINS environment variable has no effect

Open tensor5g opened this issue 7 months ago • 1 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

Setting CSRF_TRUSTED_ORIGINS as an environment variable appears to do nothing. I have verified that it is correctly set with this command:

docker exec -it healthchecks cat /run/s6/container_environment/CSRF_TRUSTED_ORIGINS

After editing local_settings.py with the exact same value as I did in my docker compose, it instantly works.

Expected Behavior

The environment variable should work the same as setting it in local_settings.py; otherwise it should be documented.

Steps To Reproduce

After starting the server and going to log in or create a user, a 403 CSRF error is given.

Environment

- OS: Ubuntu 22.04
- How docker service was installed: https://get.docker.com

CPU architecture

x86-64

Docker creation

docker compose:

services:
  healthchecks:
    image: lscr.io/linuxserver/healthchecks:latest
    container_name: healthchecks
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - SITE_ROOT=https://healthchecks.example.com
      - ALLOWED_HOSTS=192.168.1.200,healthchecks.example.com
      - CSRF_TRUSTED_ORIGINS=["https://healthchecks.example.com"]
      - DEBUG=True #optional
    volumes:
      - /mnt/nas/healthchecks:/config
    ports:
      - 8088:8000
    restart: unless-stopped

nginx:

server {
    listen       443 ssl;
    server_name  healthchecks.example.com;

    location / {
        proxy_pass         http://192.168.1.200:8088;
        proxy_pass_header  X-CSRFToken;

        proxy_set_header   Host               $proxy_host;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header   Referer            $http_referer;
        proxy_set_header   X-Forwarded-Host   $http_host;
        proxy_set_header   X-Forwarded-Proto  $scheme;
        proxy_set_header   X-Forwarded-Ssl    https;
    }

    ssl_certificate     /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;
    
    access_log  /var/log/nginx/hc.log;
}

server {
    listen 80;

    server_name healthchecks.example.com;

    return 301 https://$host;
}

The error is seen from the client as:

Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure:

    Origin checking failed - https://healthchecks.example.com does not match any trusted origins.

tensor5g, Mar 26 '25 23:03
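A diagnostic for the report above, added here as an example; it is not code from the issue, the image or Healthchecks. It models Django's Origin check in simplified form and tests the reported value under two parsing conventions. The two styles are assumptions, since the issue does not say how the image turns the variable into the setting.

```python
import json

# Values taken from the issue: the compose entry, the rejected Origin from the
# 403 page, and the Host nginx sends ($proxy_host for the proxy_pass target).
RAW = '["https://healthchecks.example.com"]'
ORIGIN = "https://healthchecks.example.com"
PROXY_HOST = "192.168.1.200:8088"


def parse_origins(raw, style):
    """Turn the raw environment string into a list of origins.

    "json" and "comma" are two common conventions (hypothetical here: the
    issue does not say which one the image applies to the variable).
    """
    if style == "json":
        return json.loads(raw)
    return [part.strip() for part in raw.split(",") if part.strip()]


def origin_trusted(origin, host_header, is_secure, trusted):
    """Simplified model of Django's Origin check for unsafe requests.

    Accept when Origin equals scheme://Host as the app sees the request,
    or when it appears verbatim in CSRF_TRUSTED_ORIGINS. Wildcard
    ("https://*.example.com") entries are not modelled.
    """
    same_origin = f"{'https' if is_secure else 'http'}://{host_header}"
    return origin == same_origin or origin in trusted


def malformed(trusted):
    """This example's own sanity check: entries must begin with a scheme."""
    return [o for o in trusted if not o.startswith(("http://", "https://"))]


def diagnose(raw, origin, host_header, is_secure=False):
    """Map each parsing style to whether the request would pass the check."""
    return {
        style: origin_trusted(origin, host_header, is_secure,
                              parse_origins(raw, style))
        for style in ("json", "comma")
    }


if __name__ == "__main__":
    for style, ok in diagnose(RAW, ORIGIN, PROXY_HOST).items():
        entries = parse_origins(RAW, style)
        print(f"{style:5} -> {entries} pass={ok} malformed={malformed(entries)}")
```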