CSRF Error when creating first account

Hi, so n00b here. I made a github issue but maybe this is a support request.

I have Diaspora working in a docker container. When I try to make the first account, it fails with a CSRF error on both Chrome and Firefox.

Similar to this issue, but I don’t see a problem in the server headers.

What am I missing?

CHROME GENERAL HEADER INFO
Request URL: https://www.dramawithfriends.com/users/sign_up
Request Method: GET
Status Code: 200 OK
Remote Address: 157.245.89.143:443
Referrer Policy: no-referrer-when-downgrade     <-- [Chrome sets this](https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default)

RESPONSE HEADERS
Cache-Control: max-age=0, private, must-revalidate
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 30 Oct 2020 20:11:58 GMT
ETag: W/"43555b6db57c0f179d534a60ff49c8be"
Server: nginx
Set-Cookie: _diaspora_session=d1dGWU9BMXNST1ZJZDk2WTlJckdqVyt5YkQyY3RRRU5ZY1JKdUZDbS9DOGhpZXdCaHJnY0RzVjBZcHl2ZDZ1Qnh6SVdPVkZ0SzJ0QzU4T2ViRHppcGs3S0d0TWVnTnpKWXV4RXVYWmVXYWplTW1jOTdabFdJMGdERTRueGgrQlBxQ0dtY1dJejcyazdpcXZvdDY4WTBTZ0xqa3NWNUw5alZHZENNOS9xYkNWQmdvdm9wNVBWZ2x5aCtOK0FOd0Erdzl3azFRZHc4cG4zSERJcjRReHh6Zz09LS1VK0svNWx1TUJ3NUNleG1sTm1QSjl3PT0%3D--a4461be6792b86bbf8564309cde4cc7051e7ff9b; path=/; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Diaspora-Version: 0.7.14.0
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: c7f53df0-bbb8-4c21-8fe5-984a9329f727
X-Runtime: 0.054812
X-XSS-Protection: 1; mode=block

REQUEST HEADERS
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: _diaspora_session=ajJyN2lIRFFNQUI5MnQ4TTVrR2V3aDUzWXpQSWhSQmRhZjdJQW95b3JSVmNpbVg5Y2xmd01LWDRJZmIvek4zMGdwYjAvNWJtd2RRblV3YndBZ3E5Z2hlMVYwNW1uaHFlYUJObmlnNUl2aWxGSTQwMmJRKzNpUFhxUEVJRnhCaGhjNnRPSnJSVDJjRkxtdHQ4UFhoWFBma0RUMllrMkNpUVFCYWw2cS9XNGRMWmIrN1pKWVBlSUVSamZualV6NUU3aUUyKy9HZUtmNUllMVU5TFNHaTBDQT09LS02OVlGUndZNVJVeUU5Ukh2ZlYwVThBPT0%3D--7dd5a285ae73e711eb669f7dc8faa2b0d0225a3c
DNT: 1
Host: www.dramawithfriends.com
Pragma: no-cache
Referer: https://www.dramawithfriends.com/podmin
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36

In diaspora.yml, I changed these things (from the diff):

    url: "https://www.dramawithfriends.com/"

    require_ssl: false        # I'm using nginx as reverse proxy.

    assets:
      serve: true             # I'll configure it to cache later.

I can, of course, add_header in the nginx config:

# Forward dramawithfriends.com -> www.dramawithfriends.com
# Forward http -> https

# Serve https://www.dramawithfriends.com

server {
  listen 443 ssl;
  server_name www.dramawithfriends.com;

  server_tokens off;

  ssl_certificate /etc/letsencrypt/live/www.dramawithfriends.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.dramawithfriends.com/privkey.pem;
  
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass http://diaspora:3000;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
  }
}

What’s missing in my configuration? Thank you!

Calling @koehn, who has created Docker containers for Diaspora and who will hopefully be able to help you.


Hey Michael, feel free to check out/copy/use my Diaspora image. I’ve put a fair amount of time into making it small and efficient, and have been using it for years.

You can leave require_ssl set to true; it checks the headers. I don’t think it cares about referrer headers, but I could be mistaken.

If you have any other questions, please continue to reach out.
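An added illustration, not code from Diaspora, koehn's image or the thread, of one way the configuration above can produce a CSRF failure: Rails derives the request scheme from the proxy's forwarding headers (X-Forwarded-Proto, X-Forwarded-Scheme, X-Forwarded-Ssl), and its forgery protection, when the origin check is enabled, rejects a form submission whose Origin header does not equal request.base_url. The nginx `location /` block in the question forwards Host but no X-Forwarded-Proto, so the app sees `http://www.dramawithfriends.com` while the browser sent `Origin: https://www.dramawithfriends.com`. The functions below are a simplified model of the Rack/Rails logic (an assumption, not their actual source), and the request environments are constructed.

```ruby
# Model of how Rack picks the scheme for a proxied request: trust the proxy's
# forwarding headers first, otherwise fall back to the scheme of the nginx -> app hop.
def effective_scheme(env)
  return 'https' if env['HTTP_X_FORWARDED_SSL'] == 'on'
  return env['HTTP_X_FORWARDED_SCHEME'] if env['HTTP_X_FORWARDED_SCHEME']
  if env['HTTP_X_FORWARDED_PROTO']
    # Multiple proxies may append values; the first one is the client-facing hop.
    return env['HTTP_X_FORWARDED_PROTO'].split(',').first.strip
  end
  env['rack.url_scheme']
end

# request.base_url as Rails would compute it: scheme plus the Host header.
def base_url(env)
  "#{effective_scheme(env)}://#{env['HTTP_HOST']}"
end

# Model of the Rails origin check: a missing Origin is tolerated (some agents
# omit it), an opaque "null" origin is rejected, anything else must match base_url.
def origin_check_passes?(env)
  origin = env['HTTP_ORIGIN']
  return true if origin.nil?
  return false if origin == 'null'
  origin == base_url(env)
end

# Constructed environment for the sign-up POST as the question's nginx config
# hands it to the app: plain http between nginx and diaspora:3000, Host preserved
# by "proxy_set_header Host $http_host", no X-Forwarded-Proto. The browser spoke
# TLS to nginx, so its Origin header says https.
OP_ENV = {
  'rack.url_scheme' => 'http',
  'HTTP_HOST'       => 'www.dramawithfriends.com',
  'HTTP_ORIGIN'     => 'https://www.dramawithfriends.com',
}.freeze

# The same request if nginx also sends "proxy_set_header X-Forwarded-Proto $scheme;".
FIXED_ENV = OP_ENV.merge('HTTP_X_FORWARDED_PROTO' => 'https').freeze

if __FILE__ == $0
  [['without X-Forwarded-Proto', OP_ENV], ['with X-Forwarded-Proto', FIXED_ENV]].each do |label, env|
    puts "#{label}: base_url=#{base_url(env)} origin check passes? #{origin_check_passes?(env)}"
  end
end
```

If Host were not preserved either, base_url would become `http://diaspora:3000`, which fails the same comparison; checking both forwarded headers at the proxy is the quickest way to confirm which one is missing.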