CSRF Token Error after updating webserver settings (SSL)

  • Used Zammad version: 5.03 (latest from package installer)
  • Used Zammad installation type: package
  • Operating system: Ubuntu 20.04
  • Browser + version: Chrome Version 96.0.4664.110 (64-ibit) & Firefox 95.0.2 (64-bit)

Expected behavior:

Being able to login

Actual behavior:

CSRF error

Steps to reproduce the behavior:

I installed Zammad from fresh on a fresh VM yesterday, everything was functioning as usual (great product also, thank you so much :slight_smile:) until I followed the instructions here.. I guess it was a fresh install but not completely fresh as I’d already made a load of configurations on the front end before installing the ssl etc.

I successfully installed SSL cert from Letsencrypt and then I went onto the Adjusting the webserver configuration. Following these steps to the point, everything seem to continue working until I tried to login today and I’m hitting this error.

I added the two RequestHeader set X_FORWARDED_PROTO ‘https’ & RequestHeader set X-Forwarded-Ssl on just above the first “Proxy Pass” as suggested but this hasn’t solved anything.

Restarted apache2, rebooted etc but no change.

Aside from restoring the snapshot, is there anything I should try?


Config here:

# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad

# security - prevent information disclosure about server version
ServerTokens Prod

<VirtualHost *:80>
    ServerName support.youname.co.uk
    Redirect permanent / https://support.youname.co.uk

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3

    SSLCertificateFile /etc/letsencrypt/live/support.youname.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/support.youname.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/support.youname.co.uk/chain.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/support.youname.co.uk/dhparam.pem

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName localhost

    ## don't loose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

      Require local
    RequestHeader set X_FORWARDED_PROTO 'https'
    RequestHeader set X-Forwarded-Ssl on
    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /apple-touch-icon.png !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://
    ProxyPass /

    # change this line in an SSO setup
    RequestHeader unset X-Forwarded-User

    # Use settings below if proxying does not work and you receive HTTP-Errror 404
    # if you use the settings below, make sure to comment out the above two options
    # This may not apply to all systems, applies to openSuse
    #ProxyPass /ws ws:// "retry=1 acque=3000 timeout=600 keepalive=On"
    #ProxyPass / "retry=1 acque=3000 timeout=600 keepalive=On"

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
              Require all granted

From my notes I also had to change…


CSRF Authentification failed on login errors

You have to change Nginx configuration:
proxy_set_header X-Forwarded-Proto $scheme;

replace with
proxy_set_header X-Forwarded-Proto https;

for “/” and “/ws” path.


Thanks but I’m using Apache :slight_smile:

Managed to solve this with the tip from this post


1 Like

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.