CSRF Authentification failed

PM_Ixium · November 20, 2020, 10:53am

Infos:

Used Zammad version: 3.6.X
Used Zammad installation source: Package
Operating system: Ubuntu 20.06
Browser + version: MS Edge Chromium 86.0.622.69

Expected behavior:

Normally i should be able to login with the username and passwords, which are correct.

Actual behavior:

There is an error: CSFR Token verification failed

Steps to reproduce the behavior:

Just try to login

I’ve set up the System Yesterday, and it worked like it should. but after a restart tomorrow morning, the login wasn’t possible anymore.

tmdoit · November 20, 2020, 2:57pm

You have to change Nginx configuration:
proxy_set_header X-Forwarded-Proto $scheme;
replace with
proxy_set_header X-Forwarded-Proto https;
for “/” and “/ws” path.

This topic is not new, you can search the forum.

tmdoit · November 20, 2020, 3:10pm

Here is the solution you may be interested:

docker compose file modification: https://github.com/zammad/zammad-docker-compose/issues/120#issuecomment-566969621
if you like me did the whole instance configuration and couldn’t or don’t want to replace it with the new one, you can just remove nginx container and start the new one with own configuration. Before removing, inspect nginx container and match below docker run configuration.

docker run \
	-d \
	--net digitaloak \
	--ip 172.32.0.111 \
	--name zammad-docker-compose_zammad-nginx_1 \
	-ti \
	-p 80 \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-docker-compose_zammad-railsserver_1 \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-railsserver \
	--link zammad-docker-compose_zammad-railsserver_1:zammad-railsserver_1 \
	--link zammad-docker-compose_zammad-websocket_1:zammad-docker-compose_zammad-websocket_1 \
	--link zammad-docker-compose_zammad-websocket_1:zammad-websocket \
	--link zammad-docker-compose_zammad-websocket_1:zammad-websocket_1 \
  --mount source=zammad-docker-compose_zammad-data,target=/opt/zammad \
	-v /home/tm/docker/zammad/nginx/zammad.conf:/etc/nginx/sites-available/default \
	zammad/zammad-docker-compose:zammad-3.5.0-20 zammad-nginx

PM_Ixium · November 23, 2020, 7:13am

I know, and thats also a reponse i found, but it didn’t worked.

PM_Ixium · November 23, 2020, 8:34am

In my opinion, this just resets my nginx config. or not? because this won’t solve my problem at all. I’ve already tried replacing my nginx config…

tmdoit · November 24, 2020, 3:37pm

Try edit again after “initial” reset, then restart and it should work.

PM_Ixium · November 26, 2020, 7:28am

This would have worked if i had installed zammad with docker. But zammad is just replying :
“Unable to find image ‘zammad/zammad-docker-compose:zammad-3.5.0-20’ locally”

pqcomputers · December 6, 2020, 9:02pm

Hallo,

i solved the problem by changing the docker-entrypoint.sh script directly in the nginx docker container.
Follow these steps:

Step 1 - enter the container:

docker exec -it zammad-docker-compose_zammad-nginx_1 /bin/bash

Step 2 - install vi editor:

apt-get update && apt-get install vim

Step 3 - edit the config file:

vi /docker-entrypoint.sh

change in the # configure nginx section the option directly to https and save the file (like this):

sed -e "s#proxy_set_header X-Forwarded-Proto .*;#proxy_set_header X-Forwarded-Proto https;#g" \

Step 4 - Leave and restart container

docker container restart zammad-docker-compose_zammad-nginx_1

These steps worked for me

osarrat · March 30, 2021, 4:49pm

Thanks @pqcomputers ! Worked for me after trying all other options found in documentation and other threads… there seems to be something missing somewhere, because we shouldn’t have to do such a modification.
Here is the list of what I’ve tried without success from the official documentation, and that I have unset to finally only keep your solution :

.env variable NGINX_SERVER_SCHEME (and others…) : didn’t work
same variable in docker-compose.override.yml : didn’t work
modification of my Apache frontend http server : didn’t work

pqcomputers · April 27, 2021, 9:03pm

With zammad 4.x the docker image has changed.
For installing vi or nano you need to be root.

So Step 1 is now:
docker exec -u 0 -it zammad-docker-compose_zammad-nginx_1 /bin/bash

Greetings Peter

synesty · May 3, 2021, 6:42pm

We also struggled with this today and finally got it working again.
We have Zammad 4.0 behind a Hetzner Cloud Loadbalancer which does HTTPS / SSL and basically forwards Port 443 to Zammads Port 8080 (docker-compose). Note: our loadbalancer is basically only a proxy. We don’t load-balance at the moment… but it is just very easy to setup.

What we did:

Tell Zammad to use http (because we handle HTTPS outside in our loadbalancer proxy)

image1440×660 51.4 KB

We could do this in the UI because we still had a user logged in fortunately.

restart Zammad
docker-compose down
docker-compose up -d

Basically this answer on github led me to the solution which shows the same thing using the rails console:

github.com/zammad/zammad-docker-compose

New CSRF validation issue on upgrade to 3.4.0-4

opened 12:07PM - 16 Jul 20 UTC

closed 02:08PM - 14 Mar 21 UTC

pjv

enhancement question wontfix

### Infos: * Docker version: 19.03.12 * Docker-compose version: 1.25.4 * Operating system (Docker host): Ubuntu 18.04 ### Expected behavior: Able to log in ### Actual behavior: Not able to log in with CSRF token validation error ### Steps to reproduce the behavior: Try to log in after upgrading from Zammad 3.3X to 3.4.0-4. I had a working docker install of Zammad v 3.3.x running behind an nginx proxy on the host which handles SSL (this host itself is behind cloudflare proxy which provides the SSL certs). I solved prior CSRF token validation issues by using the `zammad.conf` provided [here](https://github.com/zammad/zammad-docker-compose/issues/120#issuecomment-567013772). I upgraded this morning by pulling the latest version of this repo, docker-compose pulling the latest images, and then docker-compose up. Now I have the CSRF token validation error again on trying to log in. I have tried all the prior fixes that I could find from issues here at github and from the zammad forum but nothing works. I have a bunch of customer service agents that are going to arrive at their desks in an hour or two who are not going to be able to log in to Zammad. Any help appreciated. I'm guessing that this issue is somehow related to #166 (by @monotek) but I don't know enough about what those commits are doing to figure out what to try.

docker exec -it zammad-docker-compose_zammad-railsserver_1 bash
rails c
Setting.get('http_type')
=> "https"
Setting.set('http_type','http')
quit
exit
docker-compose down
docker-compose up -d

Why we had this problem at all?

I think what happend to us was this:
Initially this http_type setting is “http”. During our setup we changed it to https without noticing that this had this dramatic effect - because our admin user was still logged in.
But the problem appeared today a few days later, where we had to restart the server. Because then suddenly the “https” was used and other users were kinda locked out (except the admin session which was still logged in).

Bottom line is: if you are running behind an external Loadbalancer which handles SSL/ HTTPS for you, then you should leave the http_type=http.

system · August 31, 2021, 6:43pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.