CSRF verification failed. Request aborted.

[jrvarma]

I am doing a new install of Etebase (planning to migrate my existing self hosted Etesync 1.0 data to Etebase). I set it up using the instructions in the Readme, Basic Setup and Production Setup. Reached up to the point where nginx is set up to serve the website on port 8000 and communicate with etebase using web port 8001. The admin page comes up correctly but when I enter the superuser credentials, I get the 403 error CSRF verification failed. Request aborted.

I then disabled the nginx site by deleting /etc/nginx/sites-enabled/etebase_nginx.conf and restarting nginx. I then asked uvicorn to serve the site directly on port 8000. When I do this, authentication goes through correctly, and I am presented with the site administration page. So the issue is with some interaction between the etebase_nginx.conf configuration and the etebase.ini configuration. I am not at all familiar with Django, but I understand that CSRF verification failed is related to allowed hosts, but I would think that allowed_host1 = * should cover everything. What else could be going wrong?

Any pointers on how I can debug this?

[daftaupe]

@jrvarma did you try putting your real domain name in allowed_host1 variabel instead of * ? Also do you have proxy_set_header Host $host; in the nginx configuration ?

[jrvarma]

@daftaupe putting my real domain name in allowed_host1 variable did not help. And, yes, I have proxy_set_header Host $host; in the nginx configuration

[jrvarma]

SOLVED

Running with debug = true showed that the actual error was not in allowed hosts but in trusted origins.

Origin checking failed xxx does not match any trusted origins

This was because I am running the server on a non standard port. I edited the line in settings.py to include a hardcoded port

CSRF_TRUSTED_ORIGINS = ... ["http://" + y + ":NNNN" for x, y in ...

And then it worked!

Might be a good idea to read port from the ini file instead.