#34888: CSRF verification failed in Django 4 when nginx serves the webserver
-------------------------------------+-------------------------------------
               Reporter:  Muhammad   |          Owner:  nobody
  Fazel Samarghandi                  |
                   Type:  Bug        |         Status:  new
              Component:  CSRF       |        Version:  4.2
               Severity:  Normal     |       Keywords:  csrf
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 Hi there,
 I just created a very simple project and dockerized it with docker-compose:

 {{{
 version: "3.8"

 services:
   backend:
     build:
       context: .
     command: >
       /bin/sh -c "
       python manage.py migrate &&
       python manage.py runserver 0.0.0.0:8000"
     ports:
       - 8000:8000
     expose:
       - 8000

   proxy:
     image: nginx
     volumes:
       - type: bind
         source: ./proxy/nginx.conf
         target: /etc/nginx/conf.d/default.conf
         read_only: true
     ports:
       - 80:80
     depends_on:
       - backend
 }}}

 And this is the proxy/nginx.conf:
 {{{
 server {
     listen       80;
     server_name  localhost;
     location / {
         proxy_pass          http://backend:8000;
         proxy_http_version  1.1;
     }

 }
 }}}
 And the Dockerfile:
 {{{
 FROM python:3
 WORKDIR /usr/src/app
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONUNBUFFERED 1
 RUN pip install --upgrade pip
 COPY ./requirements.txt .
 RUN pip install -r requirements.txt
 COPY . .
 }}}

 There is Django==4.2.5 in requirements.txt, and Django itself is just super
 basic, with just ALLOWED_HOSTS set to all.
 After running docker-compose, Django can be accessed on port 8000
 and on port 80 through nginx.
 The problem is that when going to the admin panel and sending a POST request
 to log in, it returns
 {{{
 Forbidden (403)
 CSRF verification failed. Request aborted.
 Reason given for failure:
     Origin checking failed - http://127.0.0.1 does not match any trusted origins.
 }}}
 and it won't go away with any trick. I also get this in DRF, and I tried
 adding `CSRF_TRUSTED_ORIGINS` and `CORS_ALLOWED_ORIGINS`, and even
 commented out the CSRF middleware, but nothing changed.

 As soon as I changed the Django version to 3.2, the error was fixed.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34888>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
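
Added example, not part of the ticket and not Django's source: a simplified Python model of the Origin comparison that Django 4.0 and later perform on unsafe requests, applied to the Host header nginx sends by default (`$proxy_host`, here `backend:8000`) and to the `http://127.0.0.1` origin from the 403 page above. The function names and the test cases are constructed for illustration.

```python
# Simplified model of the Origin check in Django 4.x's CsrfViewMiddleware.
# Added illustration, not Django's source; function names are hypothetical.
from urllib.parse import urlsplit


def host_seen_by_django(client_host, proxy_pass_host, forwards_host):
    """Host header that reaches the backend through nginx.

    Without a `proxy_set_header Host ...` directive, nginx sends
    `Host: $proxy_host`, i.e. the host:port of the proxy_pass target.
    """
    return client_host if forwards_host else proxy_pass_host


def origin_verified(origin, host, secure=False, trusted_origins=()):
    """Return True when the browser's Origin header would be accepted."""
    # 1. Same origin: scheme + Host header must equal the Origin header.
    if origin == f"{'https' if secure else 'http'}://{host}":
        return True
    # 2. Exact CSRF_TRUSTED_ORIGINS entry (entries carry a scheme in 4.0+).
    if origin in trusted_origins:
        return True
    # 3. Wildcard entry such as "https://*.example.com".
    parsed = urlsplit(origin)
    for entry in trusted_origins:
        scheme, _, pattern = entry.partition("://")
        if scheme == parsed.scheme and pattern.startswith("*."):
            if parsed.netloc.endswith(pattern[1:]) or parsed.netloc == pattern[2:]:
                return True
    return False


if __name__ == "__main__":
    origin = "http://127.0.0.1"  # Origin quoted in the ticket's 403 page
    cases = {  # constructed scenarios: (Host forwarded?, CSRF_TRUSTED_ORIGINS)
        "nginx, Host not forwarded": (False, ()),
        "nginx, proxy_set_header Host $host": (True, ()),
        "Host not forwarded, origin trusted": (False, ("http://127.0.0.1",)),
        "Host not forwarded, entry lacks scheme": (False, ("127.0.0.1",)),
    }
    for label, (forwards, trusted) in cases.items():
        host = host_seen_by_django("127.0.0.1", "backend:8000", forwards)
        ok = origin_verified(origin, host, trusted_origins=trusted)
        print(f"{label:40} Host={host:13} accepted={ok}")
```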
