403 Forbidden on Logins (started after update to latest version)

as i wanted to try out the new android app i also thought it to be a great idea to update the board to the latest version. v1.7.0.beta7 +83. andi also updated to the latest docker_manager version.

the android client worked nicely, great work guys

but then i started to realize some odd behaviors. other users confirmed the problems.

chrome (linux): i can still post and do everything (i won’t logout tho, it’s my last working login)
opera (linux): couldn’t post anymore (403 forbidden). after logout, can’t login again (403 forbidden aka unknown error as seen below)
firefox (linux): never used before to access the board, can’t login
chrome (android): i’m still able to browse the board but i can’t post anymore

as i mentioned, other users experience the same strange behavior on their systems (mobile and workstations). with windows and IE as well.

the error message on the login page:

Pasted image735×301 9.36 KB

in the opera network console i can only see the 403 being returned, nothing else of helpful info there.

the log from logs/production.log

Started POST "/session" for MYIP at 2016-11-11 12:27:18 +0000
Processing by SessionController#create as */*
  Parameters: {"login"=>"MYUSERNAME", "password"=>"[FILTERED]"}
Can't verify CSRF token authenticity
  Rendered text template (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 403 Forbidden in 1ms (Views: 0.3ms | ActiveRecord: 0.0ms)

i deleted all cookies and cleared the cache, didn’t help. i rebuilt the docker container and restarted my server, didn’t help.

i found those topics which seem related but also didn’t help:

• Login - Can't verify CSRF token authenticity
• https://meta.discourse.org/t/vagrant-login-fails-with-unknown-error-caused-by-csrf/23913
• https://meta.discourse.org/t/error-403-forbidden/32039

i also tried incognito windows but also no success to login.

this instance of discourse runs for three years now i and i migrated it to docker when it was time to do so and it always worked more or less smoothly. it runs on a ubuntu 1404. it is not open to public so i cannot provide a URL to test for others.

anyone experienced anything similar? help would really be appreciated.

the only other thing i changed since yesterday is i generated a master api key and later on revoked it. this just as an additional info as i’m not sure if it could have any side effects.

Do you have a nginx reverse proxy outside the docker?

wow you’re fast, couldn’t even finish my edit (sorry for that)

actually yes there is a nginx in front of the docker container. it has usually has a password protection but i removed it to test the android client. i re-enabled the password protection but turned it off again after i realized the problems i am having.

Your nginx is misconfigured. Please read one of the many topics about that.

And remeber that every variable you add to your server can break.

seems odd when you consider it worked in this exact configuration for one year straight and some browsers still work, don’t you think? but thx i will read up on that.

edit:

my current config of that mentioned part:

  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $http_host;
  proxy_redirect off;
  # pass to the upstream discourse server mentioned above
  proxy_pass http://127.0.0.1:3377;

my other post got hidden by the bot =)

anyway. this line fixed it

proxy_set_header X-Forwarded-Proto https;

i’m sorry for not having found the other thread. thx for your fast help.