CSRF Authentication failed

Infos:

  • Used Zammad version: 3.6.X
  • Used Zammad installation source: Package
  • Operating system: Ubuntu 20.06
  • Browser + version: MS Edge Chromium 86.0.622.69

Expected behavior:

  • Normally I should be able to log in with the username and password, which are correct.

Actual behavior:

  • There is an error: CSRF Token verification failed

Steps to reproduce the behavior:

  • Just try to login

I’ve set up the system yesterday, and it worked like it should. But after a restart tomorrow morning, the login wasn’t possible anymore.

You have to change Nginx configuration:
proxy_set_header X-Forwarded-Proto $scheme;
replace with
proxy_set_header X-Forwarded-Proto https;
for “/” and “/ws” path.

This topic is not new, you can search the forum.

Here is the solution you may be interested in:

docker run \
	-d \
	--net digitaloak \
	--ip 172.32.0.111 \
	--name zammad-docker-compose_zammad-nginx_1 \
	-ti \
	-p 80 \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-docker-compose_zammad-railsserver_1 \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-railsserver \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-railsserver_1 \
	--link zammad-docker-compose_zammad-websocket_1:zammad-docker-compose_zammad-websocket_1 \
	--link zammad-docker-compose_zammad-websocket_1:zammad-websocket \
	--link zammad-docker-compose_zammad-websocket_1:zammad-websocket_1 \
	--mount source=zammad-docker-compose_zammad-data,target=/opt/zammad \
	-v /home/tm/docker/zammad/nginx/zammad.conf:/etc/nginx/sites-available/default \
	zammad/zammad-docker-compose:zammad-3.5.0-20 zammad-nginx

I know, and that’s also a response I found, but it didn’t work.

In my opinion, this just resets my nginx config. Or not? Because this won’t solve my problem at all. I’ve already tried replacing my nginx config…

Try editing again after the “initial” reset, then restart and it should work.

This would have worked if I had installed Zammad with Docker. But Zammad is just replying:
“Unable to find image ‘zammad/zammad-docker-compose:zammad-3.5.0-20’ locally”

Hello,

I solved the problem by changing the docker-entrypoint.sh script directly in the nginx docker container.
Follow these steps:

Step 1 - enter the container:

docker exec -it zammad-docker-compose_zammad-nginx_1 /bin/bash

Step 2 - install vi editor:

apt-get update && apt-get install vim

Step 3 - edit the config file:

vi /docker-entrypoint.sh

In the # configure nginx section, change the option directly to https and save the file (like this):

sed -e "s#proxy_set_header X-Forwarded-Proto .*;#proxy_set_header X-Forwarded-Proto https;#g" \

Step 4 - Leave and restart container

docker container restart zammad-docker-compose_zammad-nginx_1

These steps worked for me


Thanks @pqcomputers! Worked for me after trying all other options found in documentation and other threads… There seems to be something missing somewhere, because we shouldn’t have to do such a modification.
Here is the list of what I’ve tried without success from the official documentation, and that I have unset to finally only keep your solution:

  • .env variable NGINX_SERVER_SCHEME (and others…): didn’t work
  • same variable in docker-compose.override.yml: didn’t work
  • modification of my Apache frontend http server: didn’t work

With Zammad 4.x the docker image has changed.
For installing vi or nano you need to be root.

So Step 1 is now:
docker exec -u 0 -it zammad-docker-compose_zammad-nginx_1 /bin/bash

Greetings Peter
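
A check for the nginx change discussed in the posts above, as an added example that is not part of any forum post or of Zammad: it lists the X-Forwarded-Proto value each proxied location forwards, so a location that still sends $scheme stands out. The function name audit_forwarded_proto and the sample config are constructed for illustration, and it assumes the header is set inside each location block rather than inherited.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report the X-Forwarded-Proto value each
# proxied nginx location forwards. Assumes the header is set inside the
# location block itself, not inherited from the server level.

# audit_forwarded_proto FILE -> prints "<location> <value>" per proxied
# location ("unset" if absent); exit status 0 only if all forward "https".
audit_forwarded_proto() {
  awk '
    { sub(/#.*/, "") }                          # strip comments
    /^[ \t]*location[ \t]/ && /[{]/ {           # a location block opens
      loc = $0
      sub(/^[ \t]*location[ \t]+/, "", loc); sub(/[ \t]*[{].*/, "", loc)
      inloc = 1; depth = 0; proxied = 0; proto = "unset"
    }
    inloc {
      if ($0 ~ /proxy_pass[ \t]/) proxied = 1
      if ($0 ~ /proxy_set_header[ \t]+X-Forwarded-Proto[ \t]/) {
        proto = $0
        sub(/.*X-Forwarded-Proto[ \t]+/, "", proto); sub(/[ \t]*;.*/, "", proto)
      }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0) {                         # the block has closed
        if (proxied) { print loc, proto; if (proto != "https") bad = 1 }
        inloc = 0
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample config: "/" was changed, "/ws" still forwards $scheme.
sample_conf() {
  cat <<'EOF'
server {
    listen 80;
    location /ws {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://zammad-websocket;
    }
    location / {
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://zammad-railsserver;
    }
}
EOF
}

conf=$(mktemp); sample_conf > "$conf"
audit_forwarded_proto "$conf" || echo "a proxied location does not forward https"
rm -f "$conf"
```

Point it at the file nginx actually loads (the docker run command above mounts it at /etc/nginx/sites-available/default) and re-run it after a container restart, since the thread reports the config being reset.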

We also struggled with this today and finally got it working again.
We have Zammad 4.0 behind a Hetzner Cloud Loadbalancer which does HTTPS / SSL and basically forwards port 443 to Zammad’s port 8080 (docker-compose). Note: our loadbalancer is basically only a proxy. We don’t load-balance at the moment… but it is just very easy to set up.

What we did:

  1. Tell Zammad to use http (because we handle HTTPS outside in our loadbalancer proxy)

We could do this in the UI because we still had a user logged in fortunately.

  2. Restart Zammad
    docker-compose down
    docker-compose up -d

Basically this answer on GitHub led me to the solution, which shows the same thing using the rails console:

docker exec -it zammad-docker-compose_zammad-railsserver_1 bash
rails c
Setting.get('http_type')
=> "https"
Setting.set('http_type','http')
quit
exit
docker-compose down
docker-compose up -d

Why did we have this problem at all?

I think what happened to us was this:
Initially this http_type setting is “http”. During our setup we changed it to https without noticing that this had this dramatic effect - because our admin user was still logged in.
But the problem appeared today, a few days later, when we had to restart the server. Because then suddenly the “https” was used and other users were kinda locked out (except the admin session which was still logged in).

Bottom line is: if you are running behind an external Loadbalancer which handles SSL/HTTPS for you, then you should leave the http_type=http.