Fresh install 3.2.x: CSRF token verification failed

I also have a fresh install on ubuntu with nginx.
Tried both: changing to “https” instead of “$scheme” and this fix with “map […] $real_scheme”.

I still have the CSRF token failure.
Does anybody have an idea?

Thanks!
Simon

No.
Please provide your configuration files.

My forecasting is really bad today.

Okay, I tried different options of zammad.conf

First with “https” instead of “$scheme”:

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto https;

    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto https;

    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript applicat$
    gzip_proxied any;
}

}

Second with “$real_scheme”: look here
So this is somewhere:

map $http_x_forwarded_proto $real_scheme {
    default $http_x_forwarded_proto;
    '' $scheme;
}

And after that locations /

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto $real_scheme;

    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_set_header X-Forwarded-Proto $real_scheme;

    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript applicat$
    gzip_proxied any;
}

}

Third with letsencrypt as instructed here (German)

This is the nginx config for Zammad:

upstream zammad {
    server localhost:3000;
}

upstream zammad-websocket {
    server localhost:6042;
}

# Added - Automatically redirect HTTP to HTTPS Nginx
server {
    listen 80;
    server_name kontakt.<domain>.de;
    return 301 https://$host$request_uri;
}

# Added - HTTPS configuration for Zammad
server {
    listen 443 http2 ssl;

    ssl_certificate /etc/letsencrypt/live/kontakt.<domain>.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kontakt.<domain>.de/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # replace 'localhost' with your fqdn/domain name if you want to use zammad from remote
    server_name kontakt.<domain>.de;

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_pass http://zammad;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}

Thanks for any help!
Simon
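A caveat on the second attempt's `map`: `default $http_x_forwarded_proto` copies the incoming request header straight through, so any client that talks to nginx directly can choose the scheme Zammad sees (for example by sending `X-Forwarded-Proto: http` over the HTTPS listener). Rails derives `request.ssl?`, and with it the scheme of `request.base_url`, from that header, so the application's notion of its own scheme becomes client-controlled. When nginx is itself the TLS-terminating edge, as in the configs above, a literal `https` is the right value; a map is only appropriate when nginx sits behind another proxy you control. The following is an added example, not from this post or from Zammad's documentation, of a map that honours the header only from a trusted upstream hop. The `10.0.0.0/8` range stands for a hypothetical load balancer and must be replaced with the real upstream addresses.

```nginx
# Added example, not from the thread: honour X-Forwarded-Proto only when the
# connecting peer is a proxy we control; otherwise report this hop's own scheme.
# Both directives belong at http {} level, next to the upstream {} blocks.

# geo matches on $remote_addr, i.e. the peer that opened the TCP connection.
# 10.0.0.0/8 is a hypothetical range for an upstream load balancer (assumption).
geo $trusted_proxy {
    default    0;
    10.0.0.0/8 1;
}

# Combine the trust flag and the incoming header into one lookup key. Only the
# two exact values a trusted hop may send are accepted; an untrusted peer, an
# empty header or a garbage value all fall back to $scheme, which is "https" on
# the 443 listener and "http" on the 80 listener.
map "$trusted_proxy:$http_x_forwarded_proto" $real_scheme {
    default    $scheme;
    "1:https"  https;
    "1:http"   http;
}

# For contrast, the map from the second attempt above, which passes the header
# through for every client, trusted or not:
#
#   map $http_x_forwarded_proto $real_scheme {
#       default $http_x_forwarded_proto;
#       ''      $scheme;
#   }
```

`$real_scheme` is then used in the two `proxy_set_header X-Forwarded-Proto $real_scheme;` lines exactly as in the second attempt. Check the result with `nginx -t` before reloading.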

I just set up a new server (Ubuntu on an AWS EC2 instance) and used the last zammad.conf from above (with letsencrypt).
Result is the same: I could do the initial setup and log in twice.
But at the third login I get the CSRF error.
Strange…

If you tried it with exactly these directives it can’t work, as the scheme is completely missing…!
You’re missing proxy_set_header X-Forwarded-Proto https; in both directives.

As described here (point 2.1.2): Zammad 3.2 is available
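For reference, the third config from above with the directive this reply points out added to both location blocks. This is an added example, not the original post's text and not Zammad's own documentation; `kontakt.<domain>.de` stands for the redacted hostname. The TLS protocol list is my adjustment and is not part of the fix for the CSRF error.

```nginx
# Added example: the posted HTTPS config plus X-Forwarded-Proto in both locations.
upstream zammad {
    server localhost:3000;
}

upstream zammad-websocket {
    server localhost:6042;
}

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name kontakt.<domain>.de;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name kontakt.<domain>.de;

    ssl_certificate     /etc/letsencrypt/live/kontakt.<domain>.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kontakt.<domain>.de/privkey.pem;
    # Adjustment (mine, not the thread's fix): TLS 1.0/1.1 from the posted
    # config are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13 built
    # against OpenSSL >= 1.1.1; drop it from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /opt/zammad/public;
    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;
    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The line missing from the posted config. nginx terminates TLS itself
        # here, so a literal is correct; copying $http_x_forwarded_proto would
        # echo whatever the browser (or an attacker) sent.
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # same fix for the Rails app
        proxy_read_timeout 180;
        proxy_pass http://zammad;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}
```

Run `nginx -t` before reloading. Since the poster saw the failure only on the third login, clear the browser's cookies for the site after the reload and log in more than twice to confirm the fix.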

Thank you!
For now it is working, let’s see how long it will take for the next CSRF failure :-/

What I tried before:
Using Apache2 instead of nginx.
Worked perfectly, until I did a snapshot so that I could try some stuff without losing all my work.
After running the snapshot (that was working before) on a new instance, I got the CSRF error again.


The “on a new instance” part is probably your issue.
But honestly, black box so that’s absolute fishing in the dark.

Hello, I just got the error.
I use Zammad under Docker but with Traefik for the subdomain and LetsEncrypt.

Which headers do you have to add to fix the error?

I have already tried “X-Forwarded-Proto: https” but the error remains.

If I still need some, I don’t want to touch the container myself, so I’m looking for the right Traefik settings.

You’ve already posted your own thread:

Please don’t push your issues with several posts in several places with hoping someone will help you faster that way.

Please don’t get me wrong, but this keeps people busy on the same topic more than necessary.

I will thus lock this thread to ensure that doesn’t happen. :)