[octoprint-proxy] login broken after 1.8.3 (CSRF validation failed)

[pooyashahidi]

Hi,

The octoprint proxy stopped workingy with 1.8.3. It is not possible to login anymore: CSRF validation failed
Is there any way to implement a fix for this?

my addon config:

octoprint_host: 172.30.33.222
octoprint_port: 5000
ssl:
  enabled: false
  verify: false

thank you :)

Here is a blog post related to the change.
https://community.octoprint.org/t/i-can-no-longer-login-after-upgrading-to-1-8-3-and-im-accessing-octoprint-through-a-reverse-proxy/46843

[MaxWinterstein]

Will have a look at this. First try was not really a success.

I just found out there is some issue when using another layer of proxy to access home assistant itself, see discussion in #89

[MaxWinterstein]

I tried to solve this, but had no real success so far.

I reworked the addon to use an nginx server instead of the haproxy thing, and added some small script to speed up tweaking the config. The addon should now expose an nginx.conf file at addon_configs, which can be edited e.g. via the Visual Studio Code Add-on, or by accessing it via smb.

Using this config:

error_log /dev/stdout info;

        log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';
server {

         access_log /dev/stdout compression;
                  
    listen 8055;

    server_name your_domain asd;
        
    # location / {
    #     proxy_pass http://192.168.1.3:8055;
    #     # include proxy_params;


    # }

    location / {
        access_log /dev/stdout ;


        # if ($scheme != "https") {
        #     rewrite ^ https://$host$uri permanent;
        # }
        # rewrite /api/hassio_ingress/xQK3wdg4Dp7ZbTf3UiX1VwhHVcs2GuOwMRfxnXIQDJg(.*)$ /$1 break;
        proxy_pass http://192.168.1.3:5000;
        # proxy_redirect ~^(.*)$ $scheme://$host/api/hassio_ingress/xQK3wdg4Dp7ZbTf3UiX1VwhHVcs2GuOwMRfxnXIQDJg$1;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Script-Name $http_x_ingress_path;
        proxy_http_version 1.1;
        client_max_body_size 0; 
        

        location /octopi/webcam/ {
            rewrite ^/octopi/webcam/(.*)$ /webcam/$1 break;
            proxy_pass http://192.168.0.167;
            proxy_redirect ~^http://192.168.0.167/(.*)$ $scheme://$host/octopi/$1;
            auth_basic            "Authorization required";
            auth_basic_user_file  /data/access/1;
        }
    }
}

I can access the login page and will see the same error.

The Add-on exposes port 8055 to the outside, so I can verify the proxy itself works when accessing it directly.

When i tweak the entry point to /reverse_proxy_test everything looks fine:

So, I am kinda happy to have this cleaned up a little bit, but still no idea how to solve the issue itself.

Leaving some links here:
https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107