CSRF token verification error in django admin using SSL, nginx

Time:09-19

I have a csrf token error when trying to log in to the django admin in production after adding SSL.

So if I use the configuration below without ssl everything works fine:

upstream app_server {
    server unix:/home/app/run/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;

    # add here the ip address of your server
    # or a domain pointing to that ip (like example.com or www.example.com)
    server_name 107.***.28.***;

    keepalive_timeout 5;
    client_max_body_size 4G;

    access_log /home/app/logs/nginx-access.log;
    error_log /home/app/logs/nginx-error.log;

    location /static/ {
        alias /home/app/static/;
    }

    # checks for static file, if not found proxy to app
    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_pass http://app_server;
    }
}

But if I change the configuration to listen on SSL, when filling in any form on the page I get the csrf_token error. My nginx configuration using SSL:

upstream app_server {
    server unix:/home/app/run/gunicorn.sock fail_timeout=0;
}

server {
    #listen 80;

    # add here the ip address of your server
    # or a domain pointing to that ip (like example.com or www.example.com)
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    keepalive_timeout 5;
    client_max_body_size 4G;

    access_log /home/app/logs/nginx-access.log;
    error_log /home/app/logs/nginx-error.log;

    # Compression config
    gzip on;
    gzip_min_length 1000;
    gzip_buffers 4 32k;
    gzip_proxied any;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    location /static/ {
        alias /home/app/static/;
    }

    # checks for static file, if not found proxy to app
    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_pass http://app_server;
    }
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    return 301 https://example.com$request_uri;
}

How can I fix the error, or where can I find the bug? I tried to clear cookies, use different browsers, and reset the server and server configuration, without result.

CodePudding user response:

In Django ≥ 4 it is now necessary to specify CSRF_TRUSTED_ORIGINS in settings.py

# settings.py: each entry needs the scheme and host, no path or trailing slash
CSRF_TRUSTED_ORIGINS = [
    'https://your-domain.com',
    'https://www.your-domain.com',
]

See documentation
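To see why this setting fixes the configuration in the question, here is an added Python model of the Origin check that Django 4's CsrfViewMiddleware performs (a simplified re-implementation written for this page, not Django's own code). `request_is_secure` stands in for `request.is_secure()`, which behind a TLS-terminating nginx that only forwards plain HTTP is False unless Django is told which forwarded header carries the original scheme (Django's SECURE_PROXY_SSL_HEADER setting); the function also handles the `https://*.example.com` wildcard form that CSRF_TRUSTED_ORIGINS accepts.

```python
from urllib.parse import urlsplit

# Constructed model of Django's CSRF Origin verification; not Django's own code.


def split_trusted_origins(trusted_origins):
    """Split CSRF_TRUSTED_ORIGINS into exact origins and '*.' wildcard suffixes per scheme."""
    exact, wildcards = set(), {}
    for origin in trusted_origins:
        parts = urlsplit(origin)
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"entry must include scheme and host: {origin!r}")
        if parts.netloc.startswith("*."):
            # keep the leading '.' so 'evil-example.com' does not match '.example.com'
            wildcards.setdefault(parts.scheme, []).append(parts.netloc[1:])
        else:
            exact.add(origin)
    return exact, wildcards


def origin_verified(origin_header, host, request_is_secure, trusted_origins=()):
    """Return True if a request's Origin header would pass the CSRF origin check."""
    # The same-origin value is built from what Django believes the scheme is,
    # not from what the browser used. With TLS terminated at nginx and no
    # forwarded scheme, this is 'http://example.com' even for HTTPS requests.
    good_origin = f"{'https' if request_is_secure else 'http'}://{host}"
    if origin_header == good_origin:
        return True
    exact, wildcards = split_trusted_origins(trusted_origins)
    if origin_header in exact:
        return True
    parts = urlsplit(origin_header)
    if not parts.scheme or not parts.netloc:
        return False
    return any(parts.netloc.endswith(suffix) for suffix in wildcards.get(parts.scheme, []))


def page_scenario():
    """The question's setup: the browser posts over HTTPS, nginx proxies plain HTTP to gunicorn."""
    before = origin_verified("https://example.com", "example.com", request_is_secure=False)
    after = origin_verified("https://example.com", "example.com", request_is_secure=False,
                            trusted_origins=["https://example.com", "https://www.example.com"])
    return before, after  # (False, True): the check fails until the origin is trusted
```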
