CSRF Error on Login

Infos:

  • Used Zammad version:
    6.2.0-1703848222.b78c3a07.jammy
  • Used Zammad installation type: (source, package, docker-compose, …)
    Package
  • Operating system:
    Ubuntu Server 22.04.3
  • Browser + version:
    Firefox, Chrome

Expected behavior:

  • Able to log in

Actual behavior:

  • Logging in produces error:
    CSRF token verification failed

Steps to reproduce the behavior:

  • Hello. I have our instance set up and working properly with Let's Encrypt.
    HTTP redirects to HTTPS properly.
    However, if I enable https under System/HTTP type, I get the error "CSRF token verification failed" when trying to log into another session. If I leave it as http, everything is working as expected.

What is the function of this setting and is it safe to leave it set to http?

Under both settings the browser is accessing the page using https.

Thanks

Hi @zammad_user_2024. Please have a look at the documentation.

Thank you.
After adding

RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on

to the host config, it is working properly.


I have an additional related issue.

We are using HA Proxy and forwarding both port 80 and 443 to Apache on our Zammad server.

The session list in Zammad is showing the IP of the HA Proxy server instead of the client IP addresses.

I’m guessing because Apache is also proxying to Zammad that the real IP is getting lost.

Hopefully I am describing this clearly enough.
Any suggestions?

Okay, I found the solution.

In HAProxy backend for the server that is affected you set:

send-proxy

In the “Per server pass thru” box under Advanced Settings.

Then in your Apache site config you have to include:

RemoteIPProxyProtocol On

You also need to enable the mod_remoteip module.

Hopefully this is helpful to anyone else finding themselves with this type of configuration.

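The two fixes in this thread (the forwarded-protocol headers from the earlier reply and the PROXY-protocol / mod_remoteip setup from the one above) both live in the Apache site config, so here they are together in one vhost. This is an added example, not configuration from the thread or from the Zammad project; it assumes Zammad's Puma is listening on 127.0.0.1:3000, that HAProxy is the only thing reaching this vhost and has "send-proxy" on its server line, and that the ssl, proxy, proxy_http, headers and remoteip modules are enabled (a2enmod ssl proxy proxy_http headers remoteip). The hostname and certificate paths are placeholders, and the rest of the Zammad proxy setup (websocket path, etc.) is left out. It uses the hyphenated X-Forwarded-Proto header name, which the application sees as the same HTTP_X_FORWARDED_PROTO value as the underscore spelling used above.

```apache
# Added example (not from the thread): Apache 2.4 vhost in front of Zammad.
# Placeholder hostname and certificate paths; replace with your own.
<VirtualHost *:443>
    ServerName zammad.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/zammad.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zammad.example.com/privkey.pem

    # 1. Tell Zammad the original request was HTTPS. "set" overwrites any value
    #    the client sent, so a browser cannot spoof these headers. With
    #    System > HTTP type = https, this is what makes the login work instead
    #    of failing with "CSRF token verification failed".
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl "on"

    # 2. Recover the real client IP from the PROXY protocol header that HAProxy
    #    sends when "send-proxy" is set on the backend server line, so the
    #    Zammad session list shows the client address rather than HAProxy's.
    #    Every connection to this vhost must then carry a PROXY header;
    #    connections without one are rejected.
    RemoteIPProxyProtocol On

    # Reverse proxy to Zammad's application server (assumed port 3000).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

Two things to check after applying this: run `apachectl configtest` (a trailing comment on a directive line is a syntax error in Apache, which is why every comment above is on its own line), and confirm that nothing except HAProxy can reach port 443 on this host, because once RemoteIPProxyProtocol is on, whoever can open a connection and send a PROXY header decides what client IP Apache and Zammad log.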
