Closed MrCybertux closed 1 year ago
@MrCybertux is this a new installation, or did you already use it normally?
We are checking the situation to simulate the problem based on your information.
It is new; we finalized the setup today.
To debug this further, try setting the following in your nginx config: proxy_set_header Origin "";
A few questions:
- Which browser are you using?
- You are running into this issue when trying to log in (making a POST request). What happens when you simply load the login page? Does the page load over HTTP or HTTPS?
- Are you changing origin and referrer headers via nginx?
Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version
The REFERRER_POLICY was set to no-referrer.
I will try same-origin and report back the result.
Does X-Content-Type-Options matter?
no-referrer will definitely cause this issue. There could be other reasons too but let's start by replacing no-referrer. X-Content-Type-Options does not matter.
@MrCybertux I was able to reproduce your problem and configure it to work properly. You need to add the X-Forwarded-Proto header to the configuration file in Nginx.
I am trying with pure Nginx; in my case it was only necessary to add proxy_set_header X-Forwarded-Proto $scheme to the configuration file.
Please test and tell us if it worked correctly.
Setting same-origin in bunkerized nginx via the environment variable REFERRER_POLICY worked.
Doc: https://bunkerized-nginx.readthedocs.io/en/v1.3.2/environment_variables.html#security-headers
Thanks for your help and fast responses. 👍🏻
Describe the bug: After setting up ParkPow behind a reverse proxy, all requests going through the proxy are getting a CSRF error.
To Reproduce Steps to reproduce the behavior:
Expected behavior Have ParkPow available over TLS
Desktop (please complete the following information):
Additional context Log entries
2023-05-23 13:39:55 [WARNING] [/opt/pysetup/.venv/lib/python3.11/site-packages/django/utils/log.py:241]: Forbidden (Origin checking failed - null does not match any trusted origins.): /accounts/login/
() {72 vars in 1485 bytes} [Tue May 23 13:39:55 2023] POST /accounts/login/ => generated 1019 bytes in 3 msecs (HTTP/1.1 403) 7 headers in 229 bytes (1 switches on core 2)
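
A simplified model of the origin check that produced the log line above, covering both fixes discussed in the thread (the referrer policy and X-Forwarded-Proto). This is an added example, not ParkPow's or Django's code; the host name, function names and sample headers are constructed, and it assumes the proxy forwards the public Host header.

```python
# Added illustration: simplified model of an Origin-based CSRF check behind a
# TLS-terminating reverse proxy. Names and sample headers are constructed.

HOST = "parkpow.example.test"  # hypothetical public host name


def backend_scheme(headers, trust_forwarded_proto):
    # The proxy speaks plain HTTP to the app, so only a trusted
    # X-Forwarded-Proto header can tell the app the client used HTTPS.
    if trust_forwarded_proto and headers.get("X-Forwarded-Proto") == "https":
        return "https"
    return "http"


def origin_verified(headers, trusted_origins=(), trust_forwarded_proto=False):
    """Return (ok, reason) for an unsafe request such as POST /accounts/login/."""
    origin = headers.get("Origin")
    if origin is None:
        return False, "no Origin header (Referer fallback is not modelled)"
    expected = f"{backend_scheme(headers, trust_forwarded_proto)}://{headers['Host']}"
    if origin == expected or origin in trusted_origins:
        return True, "origin accepted"
    return False, f"Origin checking failed - {origin} does not match any trusted origins."


def run_cases():
    site = f"https://{HOST}"
    cases = {
        # Referrer-Policy: no-referrer makes the browser send "Origin: null" on POST.
        "no-referrer": ({"Host": HOST, "Origin": "null", "X-Forwarded-Proto": "https"}, True),
        # Real origin sent, but the proxy does not forward the scheme.
        "no-forwarded-proto": ({"Host": HOST, "Origin": site}, True),
        # same-origin policy plus proxy_set_header X-Forwarded-Proto $scheme.
        "fixed": ({"Host": HOST, "Origin": site, "X-Forwarded-Proto": "https"}, True),
        # Header present but the app is not configured to trust it.
        "untrusted-header": ({"Host": HOST, "Origin": site, "X-Forwarded-Proto": "https"}, False),
    }
    return {name: origin_verified(h, trust_forwarded_proto=t) for name, (h, t) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_cases().items():
        print(f"{name:20} {'PASS' if ok else 'FAIL'}  {reason}")
```

Trusting X-Forwarded-Proto is only sound when the proxy sets the header itself on every request, so a client-supplied value never reaches the application.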