403 Forbidden on Logins (started after update to latest version)


(Squirrel) #1

As I wanted to try out the new Android app, I also thought it a great idea to update the board to the latest version, v1.7.0.beta7 +83, and I also updated to the latest docker_manager version.

The Android client worked nicely, great work guys :thumbsup:

But then I started to realize some odd behaviors. Other users confirmed the problems.

:white_check_mark: Chrome (Linux): I can still post and do everything (I won't log out though, it's my last working login)
:no_entry: Opera (Linux): couldn't post anymore (403 Forbidden). After logout, can't log in again (403 Forbidden, aka unknown error as seen below)
:no_entry: Firefox (Linux): never used before to access the board, can't log in
:no_entry: Chrome (Android): I'm still able to browse the board but I can't post anymore

As I mentioned, other users experience the same strange behavior on their systems (mobile and workstations), with Windows and IE as well.

The error message on the login page:

In the Opera network console I can only see the 403 being returned, nothing else of helpful info there.

The log from logs/production.log:

Started POST "/session" for MYIP at 2016-11-11 12:27:18 +0000
Processing by SessionController#create as */*
  Parameters: {"login"=>"MYUSERNAME", "password"=>"[FILTERED]"}
Can't verify CSRF token authenticity
  Rendered text template (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 403 Forbidden in 1ms (Views: 0.3ms | ActiveRecord: 0.0ms)

I deleted all cookies and cleared the cache, didn't help. I rebuilt the Docker container and restarted my server, didn't help.

I found these topics, which seem related but also didn't help:

I also tried incognito windows, but also no success logging in.

This instance of Discourse has been running for three years now, and I migrated it to Docker when it was time to do so, and it always worked more or less smoothly. It runs on Ubuntu 14.04. It is not open to the public so I cannot provide a URL for others to test.

Has anyone experienced anything similar? Help would really be appreciated.

The only other thing I changed since yesterday is that I generated a master API key and later on revoked it. This is just additional info as I'm not sure if it could have any side effects.


Can't Login to Discourse - CSRF Token Authenticity
(Rafael dos Santos Silva) #2

Do you have a nginx reverse proxy outside the docker?


(Squirrel) #3

Wow, you're fast, I couldn't even finish my edit (sorry for that).

Actually yes, there is an nginx in front of the Docker container. It usually has password protection but I removed it to test the Android client. I re-enabled the password protection but turned it off again after I realized the problems I am having.


(Rafael dos Santos Silva) #4

Your nginx is misconfigured. Please read one of the many topics about that.

And remember that every variable you add to your server can break.


(Squirrel) #5

Seems odd when you consider it worked in this exact configuration for one year straight and some browsers still work, don't you think? But thanks, I will read up on that.

Edit:

My current config of the part mentioned:

  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_redirect off;
  # pass to the upstream discourse server mentioned above
  proxy_pass http://127.0.0.1:3377;

(Squirrel) #6

My other post got hidden by the bot =)

Anyway, this line fixed it:

proxy_set_header X-Forwarded-Proto https;

I'm sorry for not having found the other thread. Thanks for your fast help.
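
The symptom in the thread (a valid session, yet "Can't verify CSRF token authenticity" on every POST from a freshly started browser) fits a CSRF defence that compares the browser's Origin header with the base URL the application reconstructs for itself. nginx talks plain HTTP to the upstream (proxy_pass http://127.0.0.1:3377), so the only way the application can learn that the browser actually used https is the X-Forwarded-Proto header; without it, the reconstructed base URL is http://host while the browser says Origin: https://host, and the check fails. The script below is an added illustration of that comparison written for this page; it is not Discourse's or Rails' own code, the host name and headers are constructed samples, and the "no Origin header means fall back to the token alone" rule is an assumption about the framework rather than documented Discourse behaviour.

```python
"""Model of a CSRF origin check behind a TLS-terminating reverse proxy.

Added example, not Discourse's or Rails' code.  The application rebuilds its
own base URL from Host plus the scheme it believes was used, and refuses a
state-changing request whose Origin header names a different origin.
"""


class Request:
    """Minimal request: a dict of headers, looked up case-insensitively."""

    def __init__(self, headers):
        self.headers = {k.lower(): v for k, v in headers.items()}

    def header(self, name):
        return self.headers.get(name.lower())


def nginx_forward(client_headers, set_forwarded_proto):
    """Model of the nginx location quoted in the thread.

    proxy_set_header Host $http_host keeps the client's Host header.  nginx
    passes other client headers through unchanged unless a proxy_set_header
    overrides them, so with set_forwarded_proto=True any client-supplied
    X-Forwarded-Proto is replaced by the fixed value https (the line that
    fixed the thread); with False the upstream receives whatever the client
    sent, which is usually nothing.
    """
    forwarded = dict(client_headers)
    if set_forwarded_proto:
        forwarded["X-Forwarded-Proto"] = "https"
    return Request(forwarded)


def app_base_url(req):
    """Base URL as the upstream application reconstructs it.

    The upstream only ever sees connections from the proxy, so it treats
    X-Forwarded-Proto as trustworthy.  Without the header it can only assume
    the plain http it actually received on port 3377.
    """
    scheme = (req.header("X-Forwarded-Proto") or "http").split(",")[0].strip().lower()
    return f"{scheme}://{req.header('Host')}"


def origin_check_ok(req):
    """Origin must match the reconstructed base URL for a state-changing request.

    A request without an Origin header is left to the token check alone here
    (assumption about the framework, not Discourse-specific behaviour).
    """
    origin = req.header("Origin")
    if origin is None:
        return True
    return origin.rstrip("/") == app_base_url(req)


# Constructed sample requests, not captured traffic.
LEGIT_LOGIN = {  # the login form posted over https by a real user
    "Host": "forum.example.test",
    "Origin": "https://forum.example.test",
}
CROSS_SITE_POST = {  # a forged POST from another site; must fail in every configuration
    "Host": "forum.example.test",
    "Origin": "https://attacker.example",
}
SPOOFED_PROTO = {  # a client supplying its own X-Forwarded-Proto to the proxy
    "Host": "forum.example.test",
    "Origin": "https://forum.example.test",
    "X-Forwarded-Proto": "https",
}


def evaluate(client_headers, set_forwarded_proto):
    """Return (base URL the app computed, whether the origin check passed)."""
    req = nginx_forward(client_headers, set_forwarded_proto)
    return app_base_url(req), origin_check_ok(req)


if __name__ == "__main__":
    cases = [("legit", LEGIT_LOGIN), ("cross-site", CROSS_SITE_POST), ("spoofed", SPOOFED_PROTO)]
    for label, headers in cases:
        for set_proto in (False, True):
            base, ok = evaluate(headers, set_proto)
            verdict = "accepted" if ok else "403 Forbidden"
            print(f"{label:10} nginx sets X-Forwarded-Proto={set_proto!s:5} app base={base:27} -> {verdict}")
```

Two things worth noticing when running it. First, a cross-site POST is refused in both configurations, so the fix restores the legitimate path without weakening the defence. Second, in the broken configuration the SPOOFED_PROTO case passes only because the client chose the scheme the upstream believes in: when the proxy does not pin X-Forwarded-Proto, the application's idea of its own origin is client-controlled, which is why the fix belongs in a proxy_set_header (which overwrites the client's value) rather than in passing the header through. Hard-coding https is correct when that nginx server block is only reachable over TLS; a vhost serving both schemes would use $scheme instead.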


(Rafael dos Santos Silva) #7