Solved: Bad CSRF when trying to use HTTPS

Miguel_David · May 22, 2018, 9:53am

I have setup discourse with the following stack:

Cloudflare (free plan, SSL and CDN)
AWS Application Load Balancer (not free, does termination of SSL)
AWS EC2 t2.small server
This guide https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md

I wanted the website to be https (who does http anymore?), but quickly banged my head against the wall.

Solutions I found:

do NOT install docker.io from the apt Ubuntu repositories as it is not supported
do NOT add cloudflare template to app.yml
remove the lines everybody is saying to add: proxy_set_header X-Forwarded-Proto https; or as per template proxy_set_header X-Forwarded-Proto $thescheme;

The reason for the last two is that I was getting a Bad CSRF and the reason was (probably) because proxy headers were being changed mid-stream.

I hope this helps somebody not avoid all the time I wasted with what should be a simple one container setup.

itsbhanusharma · May 22, 2018, 9:55am

Those aren’t solutions! those are workarounds with lethal conclusions!
Be prepared for rate limit lockouts!

Topic		Replies	Views
Discourse admin login throws 403 ["BAD CSRF"] error Support	5	1596	September 15, 2020
Discourse Integration Nextcloud bad csrf Installation	2	1004	January 18, 2022
Force Discourse to use SSL/HTTPS through CloudFlare Sysadmins how-to , cloudflare	7	6807	July 21, 2017
Looking for a recent Cloudflare how-to guide Installation	0	493	March 12, 2022
HTTPS through Proxy; Discourse still trying to get files using HTTP Installation	22	1084	May 4, 2020