CSRF on [hostname]/accounts/password/reset/ #604

Open
ferdinandyb opened this issue Jan 31, 2023 · 6 comments
@ferdinandyb

I'm trying to set this up (version 0.4). I think I've been following the manuals, and got to the point where I could open the web interface, and as suggested, wanted to ask for a password-reset in email. Unfortunately, that leads to a 403 error, complaining about CSRF.

[image: screenshot of the 403 CSRF error page]

I have SERVE_FROM_DOMAIN=[myhost] and nginx set up as

    location / {
        proxy_pass http://127.0.0.1:8000;
        include uwsgi_params;
        uwsgi_read_timeout 300;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

Any ideas what could be going wrong here?

@kolumdium

kolumdium commented May 5, 2023

Sadly I just arrived at the same error.
Did you have any luck debugging this?

@ferdinandyb

@kolumdium no, I haven't investigated further yet.

@veixus

veixus commented Jul 19, 2023

While trying to get the docker containers running, I stumbled across this error too. I have found that this error is due to the Django CSRF check. I was able to fix it with this new nginx config line:

proxy_set_header X-Forwarded-Proto https;

Seems that if the internal traffic goes over HTTP and suddenly you have HTTPS traffic, then the site thinks there are some errors and breaks.

Please, someone test this out - just the default setup:

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name MY_SERVER_NAME;

    location /static/ {
        alias /opt/mailman/web/static/;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}
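As an added illustration (not code from this thread or from the project), here is a simplified Python model of Django's CSRF origin check, showing why the proxied request is rejected and why the X-Forwarded-Proto header fixes it. It assumes the Django settings trust that header via SECURE_PROXY_SSL_HEADER, which the fix in the comment above implies; the host name and request headers are constructed.

```python
from urllib.parse import urlsplit  # stdlib only; Django itself is not imported

# Simplified model of Django's CsrfViewMiddleware origin check (not Django's
# own code): the browser's Origin header must equal "<scheme>://<host>" as
# Django sees the request, or appear in CSRF_TRUSTED_ORIGINS.

# Constructed settings for the scenario in this thread.
HOST = "lists.example.org"  # stands in for SERVE_FROM_DOMAIN / [myhost]
TRUSTED_ORIGINS = []        # CSRF_TRUSTED_ORIGINS, empty by default
# Django setting that lets the app trust the proxy's scheme header.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta, proxy_ssl_header=None):
    """Scheme Django derives for the request.

    Behind a TLS-terminating proxy the socket is plain HTTP, so the request
    only counts as secure if SECURE_PROXY_SSL_HEADER names a header the proxy
    sets (X-Forwarded-Proto here) and its value matches.
    """
    if meta.get("wsgi.url_scheme") == "https":
        return "https"
    if proxy_ssl_header:
        name, value = proxy_ssl_header
        if meta.get(name, "").strip() == value:
            return "https"
    return "http"


def origin_verified(meta, host=HOST, trusted=TRUSTED_ORIGINS, proxy_ssl_header=None):
    """True if the Origin header passes the CSRF origin check (no wildcards modelled)."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False  # real Django falls back to a Referer check for HTTPS requests
    expected = f"{request_scheme(meta, proxy_ssl_header)}://{urlsplit('//' + host).netloc}"
    return origin == expected or origin in trusted


# Browser POST to https://lists.example.org/accounts/password/reset/,
# forwarded by nginx over plain HTTP to the app on 127.0.0.1:8000.
BROKEN_PROXY = {"wsgi.url_scheme": "http", "HTTP_ORIGIN": "https://lists.example.org"}
# Same request with "proxy_set_header X-Forwarded-Proto https;" added in nginx.
FIXED_PROXY = dict(BROKEN_PROXY, HTTP_X_FORWARDED_PROTO="https")

if __name__ == "__main__":
    print(origin_verified(BROKEN_PROXY))                                           # False -> 403
    print(origin_verified(FIXED_PROXY, proxy_ssl_header=SECURE_PROXY_SSL_HEADER))  # True
    print(origin_verified(BROKEN_PROXY, trusted=["https://lists.example.org"]))   # True
```

Note that the nginx header alone does nothing unless Django is configured to trust it; listing the public origin in CSRF_TRUSTED_ORIGINS is the other way to satisfy the check.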

@lispstudent

I am having the same issue.

@lispstudent

But, adding the line as indicated above:

proxy_set_header X-Forwarded-Proto https;

I get 502 Bad Gateway.
