Get an 403 due to "CSRF verification failed. Request aborted." (https via reverse proxy)

[tschloss]

I set an Nginx reverse proxy in front of pygmy.

The virtual server accepts both http and https. With http everything is fine.
With https I am getting 403 due to "CSRF verification failed. Request aborted." when sending a POST.

Pretty sure that I need to tweak the outgoing request more - currently I only set the Host header.
I can imagine that the cookie returned does not fit somehow!?

Any hints would be great. Thank you in advance

[tschloss]

I partially solved the issue.

After reading this detailed explanation (https://docs.djangoproject.com/en/4.2/ref/csrf/) and partially understanding it, I played around with the "Origin" header of the request.

I set the Origin now always to "http://$host", no matter if the client used https or not. The downside is that the shortend links always have the http scheme, no matter if the user uses https or http in the UI while creating the link. I can live with it.

The final location directive for my server "x.example.com" looks like this:

	location / {
		#proxy_set_header Host $host;
		proxy_set_header Origin http://$host;
		proxy_pass http://127.0.0.1:8000;
	}