the idea is that I put caddy in front of nginx. but caddy is on another host so I cannot use the port 3000 from caddy directly (it only listens on localhost). maybe you cna tell me how to change that, then I can go that route.
This usually affects systems with more than one proxy server only. For this to function you may have to tell your web server directly which connection type was used.
Warning
Do not use below options if you’re unsure, they may technically be a security issue!
The following options expect HTTPs connections which should be your goal.
nginx:
Within your virtual host configuration, locate both directives proxy_set_header X-Forwarded-Proto and replace $scheme by https.
I tried this config now, I dont see what I can adjust more.
@Sal
how did you set it up?
for me it also works when I use http in the backend but that is not compatible with SAML-SSO! so I need to define https in Zammad so it understands that users are actually connecting via ssl. as soon as I do that, login fails.
The CSRF functionality is a security functionality for HTTPs connections.
It is not the applications fault that people do not follow documentation (which is there in that order for over 2,5 years by now which says: install, configure web server, continue with first steps).
Any one installing Zammad from a third party documentation that does not include this step has “bad luck”. Sorry, but not our problem people seek other sources.
It’s not suggested to use Zammad via HTTP for (I guess) obvious reasons… right?
The documentation even explicitly mentions these CSRF token errors with a possible workaround if detection goes wrong (which is a web server issue btw): https://docs.zammad.org/en/latest/getting-started/configure-webserver.html
Correct. Do you think this was done to bug people? The contrib file we provide is technically functioning on many installations. There are exclusions and I may re-visit it at some point to verify that this is still the way to do, but the way I’m being “asked” here is not how you motivate me to do things.
Little fun fact, $scheme works -without- any issues on over 1800 installations that I am aware of. Maybe that helps you to understand the scope.
That is not correct at all. Caching of the login page which is there several days until you login may be a situation this occurs too (that’s solvable by a simple reload and working as desired as of now). 99% of these problems are configuration issues.
Don’t get me wrong, I didn’t mean that you have no right. Internet is full of why this error occurs and it can be fixed by L8. And it happens again and again with many other applications.
But Zammad is not just any application. It is a helpdesk tool, you have a layman L8 who just wants to report his problem through this channel, and if maybe he wants to report this error at login, he can’t get through. Because he has never heard of CSRF Token Missmatch.
This is not a problem of the application, but the login mask of the WebGUI that consists of JS could go through these errors, e.g. perform a tab/page reload for users.
We already have the correct configurations from the original documentation. But still comes to these CSRF errors, after loggingoff if tab is not updated, or if users often leave their tab open for a long time, or build helpdesk home page as auto tab start etc.