Fresh install 3.2.x: CSRF token verification failed

After updates this weekend I now have the same CSRF problem (Apache reverse proxy on an Ubuntu server). Monday morning… something really broke it…

RequestHeader set X_FORWARDED_PROTO 'https' 
RequestHeader set X-Forwarded-Ssl on

helped so far…

The problem is, e.g., a load balancer or an SSL accelerator in front of nginx. As a result, the X-Forwarded-Proto header is incorrectly overwritten (with http) by $scheme.

The following config can fix the problem:

map $http_x_forwarded_proto $real_scheme {
    default $http_x_forwarded_proto;
    '' $scheme;
}

proxy_set_header X-Forwarded-Proto $real_scheme;


Thanks, this solution worked for me as well.

I have changed

proxy_set_header X-Forwarded-Proto $scheme;

to

proxy_set_header X-Forwarded-Proto https;

I have changed this under location / and /ws, in the port 80 section strangely enough. I am using https, but these two lines are in the non-SSL section and need to be changed there.

I am running Debian 9 and did a clean install of Zammad 3.1.0 which I later upgraded to 3.2.0. I don’t have any reverse proxies, load balancers or anything. It’s just a ‘default installation’.


Just for info: When using haproxy in front of zammad, adding these lines for the backend config solved the problem so far:

http-request set-header X-Forwarded-Ssl on
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
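The nginx `map` fix earlier in the thread and the haproxy lines just above make the same decision: which value of X-Forwarded-Proto the backend ends up seeing. The Python model below is an added example (not Zammad's, nginx's or haproxy's code) that replays the three nginx variants discussed here ($scheme, hardcoded https, and the map) and the three haproxy rules across the deployment shapes people describe, then runs a simplified Rails-style origin check: the browser's Origin must equal the base URL the app derives from Host and X-Forwarded-Proto. Zammad is a Rails application, but this check is a simplification for illustration, not Zammad's code. The host name and scenarios are constructed. The model also shows the caveat the map carries: with `default $http_x_forwarded_proto`, nginx forwards whatever a client sent, so it is only safe when nginx is reachable solely through the trusted load balancer.

```python
"""Added example: how X-Forwarded-Proto reaches the backend under the proxy
configurations from this thread, and why a wrong value trips an origin-based
CSRF check. Not Zammad, nginx or haproxy code; host and scenarios are made up."""

HOST = "kontakt.example"  # constructed host name

# Deployment shapes discussed in the thread:
#   (does nginx's own listener see TLS?, headers arriving at nginx, browser Origin)
SCENARIOS = {
    "nginx_terminates_tls": (True, {}, "https://" + HOST),
    "lb_terminates_tls":    (False, {"X-Forwarded-Proto": "https"}, "https://" + HOST),
    "plain_http_client":    (False, {}, "http://" + HOST),
}


def nginx_xfp(variant, listener_tls, incoming):
    """Value nginx forwards as X-Forwarded-Proto for one of the three variants:
    'scheme'    -> proxy_set_header X-Forwarded-Proto $scheme;
    'hardcoded' -> proxy_set_header X-Forwarded-Proto https;
    'map'       -> map $http_x_forwarded_proto $real_scheme { default $http_x_forwarded_proto; '' $scheme; }
    """
    scheme = "https" if listener_tls else "http"
    if variant == "scheme":
        return scheme
    if variant == "hardcoded":
        return "https"
    if variant == "map":
        # absent/empty incoming header -> $scheme, otherwise pass-through (client-influenced!)
        return incoming.get("X-Forwarded-Proto") or scheme
    raise ValueError(variant)


def haproxy_backend_headers(frontend_tls, dst_port, incoming):
    """The three haproxy lines from the thread. set-header replaces a header,
    add-header appends one, so an incoming X-Forwarded-Proto survives next to
    the added value (modelled here as a comma-joined list)."""
    out = dict(incoming)
    out["X-Forwarded-Ssl"] = "on"                 # set unconditionally, as posted
    out["X-Forwarded-Port"] = str(dst_port)        # %[dst_port]
    if frontend_tls:                               # if { ssl_fc }
        existing = out.get("X-Forwarded-Proto")
        out["X-Forwarded-Proto"] = "https" if existing is None else existing + ", https"
    return out


def csrf_origin_ok(origin, host, xfp):
    """Simplified Rails-style origin check: Origin must equal the base URL the
    app computes from Host and X-Forwarded-Proto."""
    return origin == f"{xfp}://{host}"


def evaluate(variant, scenario):
    listener_tls, incoming, origin = SCENARIOS[scenario]
    return csrf_origin_ok(origin, HOST, nginx_xfp(variant, listener_tls, incoming))


def matrix():
    """variant -> scenario -> does the CSRF origin check pass?"""
    return {v: {s: evaluate(v, s) for s in SCENARIOS} for v in ("scheme", "hardcoded", "map")}


if __name__ == "__main__":
    for variant, row in matrix().items():
        print(f"{variant:10}", {s: ("ok" if ok else "CSRF FAIL") for s, ok in row.items()})
    # caveat: with the map, a client that reaches nginx directly controls the value
    print("map, direct client sending X-Forwarded-Proto: http ->",
          nginx_xfp("map", True, {"X-Forwarded-Proto": "http"}))
```

Run as a script, the matrix shows $scheme failing only behind a TLS-terminating proxy, the hardcoded value failing only for plain-HTTP clients, and the map passing everywhere at the price of trusting the incoming header; the haproxy helper shows that `add-header` leaves a client-supplied value in place, which `set-header` would not.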

Thx, this solved my problem.

Any news on this? An upgrade to 3.2.0 is not possible this way for us. I’m not using nginx as reverse-proxy so the workaround in this thread is not helpful.

Any chance to revert this behavior in a subsequent version?

We provided a solution for apache and nginx.
If you’re using neither of these webservers you’re swimming out of our scope and suggestions.

Sorry, we cannot help further.

negative.

Damn. Thanks for the reply.

Would this be something that can be “bought” via Zammads consulting services?

Depending on what you’re running as a proxy I honestly can’t tell you right away, we’d need to check this.
Reason behind this is that we can’t provide you support services we are not capable of providing.

So in short: We’d hate to sell a service to you that we have no knowledge in. It wouldn’t bring you further.

Edit: But please feel free to contact us, we'll gladly check if we can help in a meaningful way :muscle:

I understand. Thank you for the reply though. I guess we need to switch to nginx then.

All the best.


I also have a fresh install on ubuntu with nginx.
Tried both: changing to “https” instead of “$scheme” and this fix with “map […] $real_scheme”.

I still have the CSRF token failure.
Does anybody have an idea?

Thanks!
Simon

No.
Please provide your configuration files.

My forecasting is really bad today.

Okay, I tried different options of zammad.conf

First with “https” instead of “$scheme”:

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto https;

    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto https;

    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript applicat$
    gzip_proxied any;
}

}

Second with “$real_scheme”: look here
So this is somewhere:

map $http_x_forwarded_proto $real_scheme {
    default $http_x_forwarded_proto;
    '' $scheme;
}

And after that the location blocks:

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto $real_scheme;

    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto $real_scheme;

    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript applicat$
    gzip_proxied any;
}

}

Third with letsencrypt as instructed here (German)

This is the nginx config for Zammad:

upstream zammad {
    server localhost:3000;
}

upstream zammad-websocket {
    server localhost:6042;
}

# Added - Automatically redirect HTTP to HTTPS Nginx

server {
    listen 80;
    server_name kontakt.“domain”.de;
    return 301 https://$host$request_uri;
}

# Added - HTTPS configuration for Zammad

server {
    listen 443 http2 ssl;

    ssl_certificate /etc/letsencrypt/live/kontakt.“domain”.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kontakt.“domain”.de/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # replace 'localhost' with your fqdn/domain name if you want to use zammad from remote
    server_name kontakt.“domain”.de;

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_pass http://zammad;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

Thanks for any help!
Simon

I just set up a new server (Ubuntu on an AWS EC2 instance) and used the last zammad.conf from above (with letsencrypt).
Result is the same: I could do the initial Setup and login twice.
But at the third login I get the CSRF error.
Strange…

If you tried it with exactly these directives it can’t work, as the scheme is completely missing…!
You’re missing proxy_set_header X-Forwarded-Proto https; in both directives.

As described here (point 2.1.2): Zammad 3.2 is available
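The answer above is the check a practitioner wants to automate rather than rediscover per location: every location that proxies to Zammad must carry a usable X-Forwarded-Proto. The script below is an added example (not Zammad's or nginx's tooling) with a minimal nginx config tokenizer and parser that walks server and location blocks and reports, for every block containing proxy_pass, whether X-Forwarded-Proto is absent, set to $scheme, hardcoded to https, or passed through from the client. It reproduces the nginx rule that proxy_set_header directives are inherited from the enclosing level only when the current block defines none of its own, which is why a /ws block that sets Upgrade and Connection does not inherit a server-level X-Forwarded-Proto. The embedded config is constructed, modelled on the one posted earlier in the thread, with placeholder host name and paths.

```python
"""Added example: audit an nginx config for proxied locations lacking a usable
X-Forwarded-Proto. Not Zammad's or nginx's code; the sample config is constructed."""


def tokenize(text):
    """Minimal nginx-config tokenizer: drops # comments, yields words, quoted
    strings, ';', '{' and '}'. Enough for the configs in this thread."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                      # comment to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                    # quoted string, may contain spaces or ';'
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens):
    """Build a tree of (args, children); children is None for a simple directive."""
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            args = []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                items.append((args, None))
                pos += 1
            else:
                children, pos = block(pos + 1)
                items.append((args, children))
                pos += 1                    # consume the closing brace
        return items, pos
    return block(0)[0]


def classify(xfp):
    if xfp is None:
        return "missing: backend cannot tell https from http"
    if xfp == "$scheme":
        return "uses $scheme: becomes http if TLS is terminated in front of nginx"
    if xfp.startswith("$"):
        return "passes the incoming header through: only safe if clients cannot reach nginx directly"
    return "ok" + (" (hardcoded; only correct for an https-only server block)" if xfp == "https" else "")


def audit(items, inherited=None, findings=None):
    """nginx inherits proxy_set_header from the enclosing level only when the
    current block defines none; reproduce that, report every block with proxy_pass."""
    findings = [] if findings is None else findings
    for args, children in items:
        if children is None:
            continue
        simple = [a for a, c in children if c is None]
        own = [a for a in simple if a[0] == "proxy_set_header"]
        xfp = [a[2] for a in own if len(a) >= 3 and a[1].lower() == "x-forwarded-proto"]
        effective = (xfp[-1] if xfp else None) if own else inherited
        if any(a[0] == "proxy_pass" for a in simple):
            findings.append((" ".join(args), effective, classify(effective)))
        audit(children, effective, findings)
    return findings


def audit_text(text):
    return audit(parse(tokenize(text)))


# Constructed sample modelled on the config posted in this thread (placeholders,
# not the original file): /ws has no X-Forwarded-Proto at all, / uses $scheme.
SAMPLE = r"""
upstream zammad { server localhost:3000; }
server {
    listen 443 ssl;
    server_name kontakt.example;
    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { expires max; }
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://zammad-websocket;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://zammad;
    }
}
"""

if __name__ == "__main__":
    for where, value, verdict in audit_text(SAMPLE):
        print(f"{where:14} X-Forwarded-Proto={value!s:10} {verdict}")
```

Point it at a real zammad.conf by reading the file into `audit_text`; the asset location is silently skipped because it has no proxy_pass, and a server-level `proxy_set_header X-Forwarded-Proto https;` only counts for locations that define no proxy_set_header of their own.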

Thank you!
For now it is working, let’s see how long it will take for the next CSRF failure :-/

What I tried before:
Using Apache2 instead of nginx.
Worked perfectly, until I did a snapshot so that I could try some stuff without losing all my work.
After running the snapshot (that was working before) on a new instance, I got the CSRF error again.


The “on a new instance” part is probably your issue.
But honestly, black box so that’s absolute fishing in the dark.

Hello, I just got the error.
I use Zammad under Docker, but with Traefik for a subdomain and Let's Encrypt.

Which headers do you have to add to fix the error?

I have already tried “X-Forwarded-Proto: https” but the error remains.

If I still need some, I don’t want to touch the container myself, so I’m looking for the right Traefik settings

You’ve already posted your own thread:

Please don’t push your issues with several posts in several places hoping someone will help you faster that way.

Please don’t get me wrong, but this draws people busy on the same topic more than needed.

I thus will lock this thread to ensure that’s not happening. :slight_smile: