[BUG] CSRF_TRUSTED_ORIGINS environment variable has no effect
Is there an existing issue for this?
- [x] I have searched the existing issues
Current Behavior
Setting CSRF_TRUSTED_ORIGINS as an environment variable appears to do nothing. I have verified that it is correctly set with this command:

```
docker exec -it healthchecks cat /run/s6/container_environment/CSRF_TRUSTED_ORIGINS
```

After editing local_settings.py with the exact same value as I did in my docker compose, it instantly works.
Expected Behavior
The environment variable should work the same as setting it in local_settings.py; otherwise it should be documented.
Steps To Reproduce
After starting the server and going to log in or create a user, a 403 CSRF error is given.
Environment
- OS: Ubuntu 22.04
- How docker service was installed: https://get.docker.com
CPU architecture
x86-64
Docker creation
docker compose:

```yaml
services:
  healthchecks:
    image: lscr.io/linuxserver/healthchecks:latest
    container_name: healthchecks
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Chicago
      - SITE_ROOT=https://healthchecks.example.com
      - ALLOWED_HOSTS=192.168.1.200,healthchecks.example.com
      - CSRF_TRUSTED_ORIGINS=["https://healthchecks.example.com"]
      - DEBUG=True #optional
    volumes:
      - /mnt/nas/healthchecks:/config
    ports:
      - 8088:8000
    restart: unless-stopped
```
nginx:

```nginx
server {
    listen 443 ssl;
    server_name healthchecks.example.com;
    location / {
        proxy_pass http://192.168.1.200:8088;
        proxy_pass_header X-CSRFToken;
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl https;
    }
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;
    access_log /var/log/nginx/hc.log;
}
server {
    listen 80;
    server_name healthchecks.example.com;
    return 301 https://$host;
}
```
The error is seen from the client as:

```
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
Origin checking failed - https://healthchecks.example.com does not match any trusted origins.
```
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
I've just done a quick test with my existing setup and I can't replicate this. Setting

```
- CSRF_TRUSTED_ORIGINS=["https://healthchecks.example.com"]
```

continues to work as before (if CSRF_TRUSTED_ORIGINS is not set we default to the SITE_ROOT).
Not sure what to say, it doesn't work for me, even after updating to latest docker image. I use the exact same line in the .py config as I do in the docker compose, and it works in one place but doesn't in the other.
I've found my solution so we don't need to troubleshoot this further. I think it might be beneficial to make a note of this somewhere in case other people are in the same boat as me. Or maybe the existence of this issue thread is good enough.
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
For me it was my reverse proxy settings. Needed to add

```
http-request set-header Host %[req.hdr(host)]
http-request set-header X-Forwarded-Proto https
http-request set-header X-Forwarded-For %[src]
```
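The reverse-proxy fix above works because of how Django's CSRF middleware evaluates the Origin header: the request passes if the Origin equals the scheme://host Django itself sees (same-origin), or if it is listed in CSRF_TRUSTED_ORIGINS (exact entries or `https://*.example.com` wildcards). Behind a proxy, "the host Django sees" is whatever Host header the proxy forwards, and nginx's `$proxy_host` is the upstream address from `proxy_pass`, i.e. `192.168.1.200:8088`, not the public name the browser sent. The following is an added, simplified model of that check written for this thread; it is not Django's code and not part of the healthchecks image. The `Request` class, `check_origin`, and the assumption that the app treats `X-Forwarded-Proto: https` as "secure" are all constructed for illustration.

```python
"""Simplified model of Django's CSRF origin check (added example, not Django's code).

Django accepts a request carrying an Origin header when either
  (a) the Origin equals the request's own scheme://host, or
  (b) the Origin matches CSRF_TRUSTED_ORIGINS (exact or "scheme://*.domain").
Everything else is rejected with the same message the issue reports.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Wording taken from the 403 page quoted in the issue.
REASON_BAD_ORIGIN = "Origin checking failed - %s does not match any trusted origins."


@dataclass
class Request:
    """Constructed stand-in for a Django request: only the headers we need."""
    headers: Dict[str, str]
    # Assumption: the app treats a forwarded header as proof of HTTPS
    # (Django's SECURE_PROXY_SSL_HEADER). None means scheme is always http.
    secure_proxy_header: Optional[Tuple[str, str]] = None

    def scheme(self) -> str:
        if self.secure_proxy_header:
            name, value = self.secure_proxy_header
            if self.headers.get(name) == value:
                return "https"
        return "http"

    def host(self) -> str:
        return self.headers["Host"]


def split_trusted(trusted: List[str]):
    """Separate exact origins from 'scheme://*.domain' wildcard entries."""
    exact, wildcards = set(), []
    for origin in trusted:
        parts = urlsplit(origin)
        if parts.netloc.startswith("*."):
            wildcards.append((parts.scheme, parts.netloc[1:]))  # ".example.com"
        else:
            exact.add(origin)
    return exact, wildcards


def check_origin(request: Request, trusted: List[str]) -> Optional[str]:
    """Return None if the request passes the origin check, else the rejection reason."""
    origin = request.headers.get("Origin")
    if origin is None:
        return None  # Django then falls back to Referer checking; not modelled here
    good_origin = f"{request.scheme()}://{request.host()}"
    if origin == good_origin:          # same-origin: needs a correct Host + scheme
        return None
    exact, wildcards = split_trusted(trusted)
    if origin in exact:                # exact CSRF_TRUSTED_ORIGINS entry
        return None
    parts = urlsplit(origin)
    for scheme, suffix in wildcards:   # wildcard entry, scheme must match too
        if parts.scheme == scheme and parts.netloc.endswith(suffix):
            return None
    return REASON_BAD_ORIGIN % origin


def op_proxy_request() -> Request:
    """Constructed: what the issue's nginx config forwards (Host = $proxy_host)."""
    return Request(
        {"Host": "192.168.1.200:8088",
         "Origin": "https://healthchecks.example.com",
         "X-Forwarded-Proto": "https"},
        secure_proxy_header=("X-Forwarded-Proto", "https"),
    )


def fixed_proxy_request() -> Request:
    """Constructed: proxy forwards the browser's Host and X-Forwarded-Proto https."""
    return Request(
        {"Host": "healthchecks.example.com",
         "Origin": "https://healthchecks.example.com",
         "X-Forwarded-Proto": "https"},
        secure_proxy_header=("X-Forwarded-Proto", "https"),
    )


if __name__ == "__main__":
    print("upstream Host, no trusted origins:", check_origin(op_proxy_request(), []))
    print("forwarded Host, no trusted origins:", check_origin(fixed_proxy_request(), []))
    print("upstream Host, trusted set:",
          check_origin(op_proxy_request(), ["https://healthchecks.example.com"]))
```

With the proxy forwarding the upstream address as Host, the same-origin branch can never match the browser's `https://healthchecks.example.com`, so the request only passes if CSRF_TRUSTED_ORIGINS actually contains that origin. Forwarding the real Host and `X-Forwarded-Proto: https` makes the same-origin branch succeed even with an empty trusted list, which is why fixing the proxy headers resolved the symptom independently of the environment variable.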
This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.
This issue is locked due to inactivity