CSRF Token Verification Failed Issue – Reverse Proxy HTTPS Setup

Infos:

  • Used Zammad version: 6.5.0-53
  • Used Zammad installation type: Docker image (Package zammad · GitHub)
  • Operating system: Ubuntu 24.04 LTS
  • Browser + version: Google Chrome 124 (desktop & mobile), Safari (iOS), Firefox (tested incognito)

Expected behavior:

  • Successfully log in to self-hosted Zammad

Actual behavior:

  • CSRF Token Verification Failed on submitting

Steps to reproduce the behavior:

Hey Zammad team :waving_hand:

I’m running into a persistent CSRF token verification failed issue when trying to log in to Zammad, even after setting up a secure HTTPS reverse proxy with proper headers and trusted proxy settings.


:wrench: Setup:

  • Zammad version: Docker Compose (latest stable)
  • Host OS: Ubuntu 24.04
  • Reverse proxy: External NGINX instance (192.168.1.202)
  • Zammad app server: Docker container (192.168.1.220)
  • Domain: support.handle-it.lt
  • HTTPS: Let’s Encrypt SSL (confirmed working)
  • Accessed through: https://support.handle-it.lt

:brick: NGINX config:

```nginx
server {
    listen 443 ssl;
    server_name support.handle-it.lt;

    ssl_certificate /etc/letsencrypt/live/support.handle-it.lt/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/support.handle-it.lt/privkey.pem;

    location / {
        proxy_pass http://192.168.1.220:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Cookie $http_cookie;
        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=None";
    }
}

server {
    listen 80;
    server_name support.handle-it.lt;
    return 301 https://$host$request_uri;
}
```

:white_check_mark: What I’ve done so far:

  • Ran:

    ```bash
    docker-compose exec zammad-railsserver rails r "Setting.set('trusted_proxies', ['192.168.1.202'])"
    ```

  • Restarted all containers (docker-compose restart)
  • Verified headers and cookies in browser devtools
  • Cleared browser cache and cookies, used Incognito mode
  • Tried both desktop and mobile login
  • Cookies like zammad_session and _csrf_token are often missing or inconsistent

:cross_mark: Current issue:

  • Login page loads correctly
  • On submit: CSRF token verification failed
  • WebSocket connects but login is rejected
  • No relevant logs beyond the CSRF message
  • Tried injecting a test cookie via NGINX (which is visible), so SSL + headers seem okay

:sos_button: What else can I check or do?

Let me know if I should test anything else, dump logs, or provide container environment info. Really appreciate your help on this – going nuts :sweat_smile:


:speech_balloon: Thank you in advance! :folded_hands:

You may want to check out my topic here (Installing via Plesk and Fixing Error "CSRF token verification failed") for what I did to get it to work.

The main thing I’m seeing missing from your configuration here that helped me is:

```nginx
proxy_set_header X-Forwarded-Ssl on;
```
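An added, self-contained check (not code from the thread or from Zammad) that pulls the `proxy_set_header` directives out of the `location /` block posted above and runs them through a simplified model of how a Rack/Rails app behind a proxy decides whether the request was HTTPS. The trusted-proxy gate and the header precedence in `resolve_scheme` are assumptions of this model, not Zammad's exact logic; `X-Forwarded-Ssl` is included in the expected header list only because the reply above reports it fixed the problem.

```python
"""Constructed example: which forwarded headers an nginx location block sends, and how a
Rack/Rails-style backend would derive the request scheme from them (simplified model)."""
import re

# Constructed sample: the proxy_set_header lines from the config in the original post.
# nginx variables are left unexpanded; we only care about which headers are set.
NGINX_LOCATION = """
location / {
    proxy_pass http://192.168.1.220:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Cookie $http_cookie;
}
"""

HEADER_RE = re.compile(r'^\s*proxy_set_header\s+(\S+)\s+(.+?);\s*$', re.M)


def proxy_headers(location_block):
    """Return {header-name (lower-case): value} for every proxy_set_header directive."""
    return {name.lower(): value.strip('"') for name, value in HEADER_RE.findall(location_block)}


def resolve_scheme(headers, remote_addr, trusted_proxies):
    """Simplified model (assumption): forwarded headers are honoured only when the peer is a
    trusted proxy; 'X-Forwarded-Ssl: on' wins, then the first X-Forwarded-Proto value."""
    if remote_addr not in trusted_proxies:
        return "http"  # the backend itself only speaks plain HTTP on :8080
    if headers.get("x-forwarded-ssl", "").strip().lower() == "on":
        return "https"
    proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto if proto in ("http", "https") else "http"


def missing_forwarding_headers(headers):
    """Headers a proxied Rails app is commonly given; X-Forwarded-Ssl per the reply above."""
    wanted = ("host", "x-forwarded-proto", "x-forwarded-for", "x-forwarded-ssl")
    return [h for h in wanted if h not in headers]


if __name__ == "__main__":
    hdrs = proxy_headers(NGINX_LOCATION)
    print(resolve_scheme(hdrs, "192.168.1.202", {"192.168.1.202"}))  # https: trusted proxy
    print(resolve_scheme(hdrs, "192.168.1.250", {"192.168.1.202"}))  # http: untrusted peer
    print(missing_forwarding_headers(hdrs))  # ['x-forwarded-ssl']
```

Paste your own `location` block into `NGINX_LOCATION` and the peer address nginx connects from into the `trusted_proxies` set to see whether the scheme resolves to `https` for your setup.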