CSRF token verification failed. on Zammad 4.1

  • Used Zammad version: 4.1
  • Used Zammad installation type: DEB
  • Operating system: Ubuntu 20.04
  • Browser + version: Safari and Firefox on MacOS

Can't log in. Error "CSRF token verification failed!"

It's quite a new Zammad installation. It has been working fine for some days, but suddenly we can't log in any more. It starts with a new client registration.

I had a look here, and on versions 3.2, 3.3 and 3.6 there are also some issues. Then there should be help with the lines
```
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
```
in the Zammad Apache conf. But when I do this, Apache does not start anymore.

Here is the log when I try to log in:

```
/opt/zammad/app/controllers/application_controller/prevents_csrf.rb:35:in `verify_csrf_token'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:426:in `block in make_lambda'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:179:in `block (2 levels) in halting_and_conditional'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:180:in `block in halting_and_conditional'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `block in invoke_before'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `each'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:513:in `invoke_before'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:107:in `block in run_callbacks'
/opt/zammad/app/controllers/application_controller/handles_transitions.rb:14:in `handle_transaction'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:118:in `block in run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:136:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/callbacks.rb:41:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/rescue.rb:22:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `block in instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications/instrumenter.rb:23:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/notifications.rb:168:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal/params_wrapper.rb:256:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activerecord-5.2.4.6/lib/active_record/railties/controller_runtime.rb:24:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/abstract_controller/base.rb:134:in `process'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionview-5.2.4.6/lib/action_view/rendering.rb:32:in `process'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:191:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_controller/metal.rb:252:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:52:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:34:in `serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:52:in `block in serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `each'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/journey/router.rb:35:in `serve'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/routing/route_set.rb:840:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:420:in `call_app!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-saml-1.10.1/lib/omniauth/strategies/saml.rb:89:in `other_phase'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:192:in `call!'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb:169:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/omniauth-1.9.1/lib/omniauth/builder.rb:45:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/conditional_get.rb:40:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/cookies.rb:670:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/callbacks.rb:98:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/debug_exceptions.rb:61:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:38:in `call_app'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `block in tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:28:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/tagged_logging.rb:71:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/rack/logger.rb:26:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/request_id.rb:27:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/activesupport-5.2.4.6/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/executor.rb:14:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/actionpack-5.2.4.6/lib/action_dispatch/middleware/static.rb:127:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/railties-5.2.4.6/lib/rails/engine.rb:524:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/configuration.rb:228:in `call'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:718:in `handle_request'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:472:in `process_client'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/server.rb:328:in `block in run'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/puma-4.3.8/lib/puma/thread_pool.rb:134:in `block in spawn_thread'
/opt/zammad/vendor/bundle/ruby/2.6.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
I, [2021-08-06T21:16:53.931500 #959000-47388310455080]  INFO -- : Completed 401 Unauthorized in 4ms (Views: 0.2ms | ActiveRecord: 2.2ms)
I, [2021-08-06T21:17:13.419263 #959004-47292058950680]  INFO -- : execute Channel.fetch (try_count 0)...
```

Too much "block…", but it doesn't tell me anything.
Any hints?
Al

Yeah… I know, the following content is for the docker-compose installation, but it might help you in investigating and solving your problem. I am passing the call to Zammad from a remote nginx; there I collect certificates, and this is my machine with listening ports 80/443. Can you provide apache2's error details?

zammad docker

token error
see CSRF Authentification failed - #11 by synesty
in short:
```
docker exec -it zammad-docker-compose_zammad-railsserver_1 bash
rails c
Setting.get('http_type')
=> "https"
Setting.set('http_type','http')
quit
exit
docker-compose down
docker-compose up -d
```

1 Like

Hi kione,
I have tried, but it doesn't help, because I don't know how to "translate" it to Apache. Here is the (very short) Apache error log:
```
[Sun Aug 08 00:00:22.952220 2021] [mpm_event:notice] [pid 824:tid 140073963588672] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sun Aug 08 00:00:22.952241 2021] [core:notice] [pid 824:tid 140073963588672] AH00094: Command line: '/usr/sbin/apache2'
[Sun Aug 08 09:36:37.894946 2021] [mpm_event:notice] [pid 824:tid 140073963588672] AH00491: caught SIGTERM, shutting down
[Sun Aug 08 09:37:07.116215 2021] [mpm_event:notice] [pid 864:tid 140713177467968] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sun Aug 08 09:37:07.117187 2021] [core:notice] [pid 864:tid 140713177467968] AH00094: Command line: '/usr/sbin/apache2'
[Sun Aug 08 09:44:03.472448 2021] [proxy_http:error] [pid 866:tid 140713035548416] (20014)Internal error (specific information not available): [client 45.146.164.110:51432] AH01102: error reading status line from remote server 127.0.0.1:3000
[Sun Aug 08 09:44:03.472497 2021] [proxy:error] [pid 866:tid 140713035548416] [client 45.146.164.110:51432] AH00898: Error reading from remote server returned by /
[Sun Aug 08 09:48:52.612985 2021] [proxy:error] [pid 866:tid 140713010370304] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:48:52.613046 2021] [proxy_http:error] [pid 866:tid 140713010370304] [client 46.142.40.65:65245] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 09:48:58.203671 2021] [proxy:error] [pid 866:tid 140712909723392] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:48:58.203708 2021] [proxy_http:error] [pid 866:tid 140712909723392] [client 46.142.40.65:65257] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 09:49:10.667497 2021] [proxy:error] [pid 866:tid 140712876152576] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:49:10.667543 2021] [proxy_http:error] [pid 866:tid 140712876152576] [client 46.142.40.65:65258] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 09:49:11.975963 2021] [proxy:error] [pid 865:tid 140713145042688] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:49:11.976009 2021] [proxy_http:error] [pid 865:tid 140713145042688] [client 46.142.40.65:65259] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 09:49:13.022526 2021] [proxy:error] [pid 865:tid 140712901265152] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:49:13.022560 2021] [proxy_http:error] [pid 865:tid 140712901265152] [client 46.142.40.65:65260] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 09:51:43.889856 2021] [proxy:error] [pid 866:tid 140713010370304] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:3000 (127.0.0.1) failed
[Sun Aug 08 09:51:43.889901 2021] [proxy_http:error] [pid 866:tid 140713010370304] [client 46.142.40.65:65359] AH01114: HTTP: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 10:06:46.072719 2021] [mpm_event:notice] [pid 864:tid 140713177467968] AH00491: caught SIGTERM, shutting down
[Sun Aug 08 10:07:00.048624 2021] [mpm_event:notice] [pid 774:tid 139830714375232] AH00489: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f configured -- resuming normal operations
[Sun Aug 08 10:07:00.049221 2021] [core:notice] [pid 774:tid 139830714375232] AH00094: Command line: '/usr/sbin/apache2'
[Sun Aug 08 10:07:03.218301 2021] [proxy:error] [pid 777:tid 139830656771840] (111)Connection refused: AH00957: WS: attempt to connect to 127.0.0.1:6042 (127.0.0.1) failed
[Sun Aug 08 10:07:03.218372 2021] [proxy_wstunnel:error] [pid 777:tid 139830656771840] [client 46.142.40.65:49770] AH02452: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 10:07:07.847817 2021] [proxy:error] [pid 777:tid 139830579164928] (111)Connection refused: AH00957: WS: attempt to connect to 127.0.0.1:6042 (127.0.0.1) failed
[Sun Aug 08 10:07:07.847865 2021] [proxy_wstunnel:error] [pid 777:tid 139830579164928] [client 46.142.40.65:49793] AH02452: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 10:07:12.438157 2021] [proxy:error] [pid 776:tid 139830503630592] (111)Connection refused: AH00957: WS: attempt to connect to 127.0.0.1:6042 (127.0.0.1) failed
[Sun Aug 08 10:07:12.438216 2021] [proxy_wstunnel:error] [pid 776:tid 139830503630592] [client 46.142.40.65:49794] AH02452: failed to make connection to backend: 127.0.0.1
[Sun Aug 08 10:07:17.052753 2021] [proxy:error] [pid 777:tid 139830570772224] (111)Connection refused: AH00957: WS: attempt to connect to 127.0.0.1:6042 (127.0.0.1) failed
[Sun Aug 08 10:07:17.052792 2021] [proxy_wstunnel:error] [pid 777:tid 139830570772224] [client 46.142.40.65:49796] AH02452: failed to make connection to backend: 127.0.0.1
```

I cannot see any problems…
Thanks, Al

At this point I see we all need the apache2 vhost.conf. Could you please post it? As well as the Browser Inspector Error output, please.

I don't find a vhost.conf. Do you mean the zammad.conf in /etc/apache2/sites-available/?

Here it is:

```
<VirtualHost *:80>
# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName http://ticket.008.de

## don't lose time with IP address lookups
HostnameLookups Off

## needed for named virtual hosts
UseCanonicalName On

## configures the footer on server-generated documents
ServerSignature Off

ProxyRequests Off
ProxyPreserveHost On

<Proxy 127.0.0.1:3000>
    Require local
</Proxy>

ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /apple-touch-icon.png !
ProxyPass /robots.txt !
ProxyPass /ws ws://127.0.0.1:6042/
ProxyPass / http://127.0.0.1:3000/

# change this line in an SSO setup

RequestHeader unset X-Forwarded-User

DocumentRoot "/opt/zammad/public"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/opt/zammad/public">
    Options FollowSymLinks
    Require all granted
</Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =ticket.008.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```

Zammad might have created two different configuration files. Try to look for "zammad.conf" and "zammad-le-ssl.conf" under the path "/etc/apache2/sites-available". While "zammad.conf" covers the configuration for HTTP, "zammad-le-ssl.conf" can be modified for HTTPS. Try to add
```
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
```
right above the first ProxyPass entry in the "zammad-le-ssl.conf" file for HTTPS.
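The two workarounds in this thread (setting `http_type` to `http`, or adding `X-Forwarded-Proto`/`X-Forwarded-Ssl` in the HTTPS vhost) attack the same root cause: the app behind the proxy only sees the plain `http://127.0.0.1:3000` hop and has no way to know the browser used TLS. The following is an added example, not code from the thread, from Zammad or from Rack. It re-implements the scheme detection of `Rack::Request#scheme` (Rack 2.2) on a plain hash so it runs without the `rack` gem, and shows what the app believes about the connection with and without the forwarded headers; the hostname and the sample environments are constructed. Two points a practitioner will want: `RequestHeader` needs `mod_headers` (`a2enmod headers`), and a missing module is a common reason `apachectl configtest` fails with "Invalid command 'RequestHeader'" after adding those lines; and Rails silently skips writing a cookie flagged `secure` when `request.ssl?` is false, so a session created over a hop the app thinks is plain HTTP never reaches the browser, which is exactly what a subsequent CSRF check then reports.

```ruby
# Added example (not from the thread, Zammad or Rack): stand-alone re-implementation
# of Rack::Request#scheme (Rack 2.2) plus a small diagnosis helper.
#
# A proxy header such as "X-Forwarded-Proto: https" appears in the Rack env as
# HTTP_X_FORWARDED_PROTO (upper-cased, hyphens turned into underscores).

def request_scheme(env)
  if env['HTTPS'] == 'on'
    'https'                                   # TLS terminated by the app server itself
  elsif env['HTTP_X_FORWARDED_SSL'] == 'on'
    'https'                                   # "RequestHeader set X-Forwarded-Ssl on"
  elsif (forwarded = env['HTTP_X_FORWARDED_SCHEME'] || env['HTTP_X_FORWARDED_PROTO'])
    # X-Forwarded-Proto may list several hops ("https, http"); the first one wins
    forwarded.split(',').first.strip
  else
    env['rack.url_scheme']                    # the app server's own socket (plain http here)
  end
end

# Rails writes a cookie flagged "secure" only when request.ssl? is true
# (ActionDispatch::Cookies: write_cookie? = request.ssl? || !cookie[:secure]).
# An app configured for https behind a proxy that hides the scheme therefore
# never hands its session cookie to the browser.
def session_cookie_written?(env, cookie_secure:)
  request_scheme(env) == 'https' || !cookie_secure
end

# Summarise a proxied request: the scheme the app sees, whether it agrees with the
# configured http_type, and whether a secure session cookie would be sent at all.
def diagnose(env, http_type:)
  scheme = request_scheme(env)
  {
    scheme_seen: scheme,
    matches_http_type: scheme == http_type,
    cookie_written: session_cookie_written?(env, cookie_secure: http_type == 'https')
  }
end

# Constructed sample envs for a request the browser sent over TLS, proxied to a
# Puma that listens on plain http://127.0.0.1:3000 as in the thread.
BASE_ENV  = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'ticket.example' }.freeze
PLAIN_ENV = BASE_ENV                                                   # proxy sets no header
PROTO_ENV = BASE_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https').freeze # X-Forwarded-Proto https
SSL_ENV   = BASE_ENV.merge('HTTP_X_FORWARDED_SSL' => 'on').freeze      # X-Forwarded-Ssl on
CHAIN_ENV = BASE_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https, http').freeze # two proxies

if __FILE__ == $PROGRAM_NAME
  { plain: PLAIN_ENV, proto: PROTO_ENV, ssl: SSL_ENV, chain: CHAIN_ENV }.each do |name, env|
    puts "#{name}: #{diagnose(env, http_type: 'https')}"
  end
end
```

Running it shows the `plain` case with `scheme_seen: "http"`, `matches_http_type: false` and `cookie_written: false`, while the `proto` and `ssl` cases (one header each is enough) agree with an `http_type` of `https`. Setting `http_type` back to `http` also makes `cookie_written` true for the plain case, which is why the docker workaround above works, at the price of the session cookie losing its `secure` flag.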

Two things:

  1. I don't see this being a CSRF issue. The traceback you shared is incomplete. Please ensure to share complete tracebacks; help is otherwise impossible.

  2. For the sake of overview for you and everyone else, please edit your existing posts so that all log entries and configurations live in proper code tags.

    Use `` for single lines and ``` ``` for multiple lines. This helps others being able to read your post better. I've given up trying.

2 Likes
