CSRF error on second time clicking Remove or Archive #523

Closed
ar-nelson opened this issue Sep 2, 2023 · 6 comments

Comments

@ar-nelson

I have a docker-compose setup with Linkding behind Authelia and Caddy. Most of the application works, but, when I click the Remove or Archive button on any entry for the second time on a given page load, it returns HTTP 403 and a CSRF error. The first click works, and refreshing the page will make it work again, once.

I don't know if this is related to #340. I tried the fix from that issue, but it didn't seem to do anything.

Here is my docker-compose setup for linkding; it's the mustache template used in my Docker config generator, so my local domain and passwords are redacted.

docker-compose.yml (relevant parts only)

  proxy:
    image: caddy:2.6.2
    hostname: proxy
    domainname: proxy.{{ DOMAIN }}
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./config/Caddyfile:/etc/caddy/Caddyfile:ro
    networks:
      default:
        # auth always points to proxy because OAuth requires HTTPS
        aliases:
          - auth
          - auth.{{ DOMAIN }}
  auth:
    image: authelia/authelia:4
    hostname: auth
    domainname: auth.{{ DOMAIN }}
    restart: unless-stopped
    env_file:
      - ./config/auth.env
    volumes:
      - ./config/auth:/config:ro
      - ./config/secrets:/secrets:ro
    networks:
      default:
        aliases:
          - auth-internal
          - auth-internal.{{ DOMAIN }}
  links:
    image: sissbruecker/linkding:latest
    hostname: links
    domainname: links.{{ DOMAIN }}
    restart: unless-stopped
    env_file:
      - ./config/links.env
    networks:
      default:
        aliases:
          - links
          - links.{{ DOMAIN }}

config/links.env

LD_DB_ENGINE=postgres
LD_DB_HOST=db.{{ DOMAIN }}
LD_ENABLE_AUTH_PROXY=True
LD_AUTH_PROXY_USERNAME_HEADER=HTTP_REMOTE_USER
LD_AUTH_PROXY_LOGOUT_URL=https://auth.{{ DOMAIN }}/logout
LD_CSRF_TRUSTED_ORIGINS=https://links.{{ DOMAIN }},http://links.{{ DOMAIN }},https://auth.{{ DOMAIN }},http://auth-internal.{{ DOMAIN }}
LD_DB_PASSWORD={{ POSTGRES_LINKDING_PASSWORD }}

config/Caddyfile (relevant parts only)

auth.{{ DOMAIN }} {
    handle {
        reverse_proxy auth-internal.{{ DOMAIN }}:9091
    }
}
links.{{ DOMAIN }} {
    handle {
        @notapi not path /api/* /static/*
        forward_auth @notapi auth-internal.{{ DOMAIN }}:9091 {
            uri /api/verify?rd=https://auth.{{ DOMAIN }}
            copy_headers Remote-User
        }
        reverse_proxy links.{{ DOMAIN }}:9090
    }
}
@sissbruecker
Owner

This is working for me at least, and I'm not really qualified to help with debugging your setup.

@philipdouglas

@ar-nelson I'm having exactly the same issue, with a similar setup (using Authelia but with nginx instead of caddy as the reverse proxy). Did you figure out how to fix it?

@jonathan-s
Contributor

@ar-nelson @philipdouglas have you tried using SECURE_PROXY_SSL_HEADER? It might be able to solve the issue for you.

@philipdouglas

@jonathan-s I just tried that, but it doesn't seem to have made a difference. I think this should be correct for nginx:

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

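To see what the setting quoted in the previous comment actually changes inside Django's CSRF check, here is a small model of that check (an added illustration, not linkding's or Django's own code). It assumes the trusted-origins list from the issue with a constructed placeholder domain, and omits Django's wildcard-origin and ALLOWED_HOSTS handling.

```python
"""Model of Django's CSRF Origin check behind a TLS-terminating proxy.

Added illustration, not linkding's or Django's own code: it reproduces the
two checks the settings discussed in this thread feed into, so you can see
which Origin headers a trusted-origins list accepts and what
SECURE_PROXY_SSL_HEADER changes. Django's wildcard entries ("https://*.x")
and ALLOWED_HOSTS validation are left out to keep the model short.
"""

DOMAIN = "example.internal"  # constructed placeholder for {{ DOMAIN }}

# LD_CSRF_TRUSTED_ORIGINS from the issue, with the domain substituted.
ISSUE_TRUSTED_ORIGINS = (
    f"https://links.{DOMAIN}", f"http://links.{DOMAIN}",
    f"https://auth.{DOMAIN}", f"http://auth-internal.{DOMAIN}",
)

# The setting suggested in the thread: believe the proxy's X-Forwarded-Proto.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure(meta: dict, proxy_header=None) -> bool:
    """Mirror request.is_secure(): TLS on the socket, or the trusted proxy header."""
    if meta.get("wsgi.url_scheme") == "https":
        return True
    if proxy_header is not None:
        name, value = proxy_header
        return meta.get(name) == value
    return False


def origin_allowed(meta: dict, trusted: tuple, proxy_header=None) -> bool:
    """Mirror CsrfViewMiddleware: Origin must equal the request's own origin
    (scheme taken from is_secure) or appear in CSRF_TRUSTED_ORIGINS."""
    origin = meta.get("HTTP_ORIGIN", "")
    scheme = "https" if is_secure(meta, proxy_header) else "http"
    return origin == f"{scheme}://{meta['HTTP_HOST']}" or origin in trusted


def check(origin: str, host: str, trusted=ISSUE_TRUSTED_ORIGINS,
          proxy_header=None) -> bool:
    """Environ a request via Caddy/nginx carries: plain HTTP to the app,
    X-Forwarded-Proto: https added by the proxy. Then run the check."""
    meta = {"wsgi.url_scheme": "http", "HTTP_HOST": host,
            "HTTP_ORIGIN": origin, "HTTP_X_FORWARDED_PROTO": "https"}
    return origin_allowed(meta, trusted, proxy_header)
```

With an empty trusted list, `check("https://links.example.internal", "links.example.internal", trusted=())` is False without `proxy_header` and True with `SECURE_PROXY_SSL_HEADER`, because only then does Django compute its own origin as https. With the issue's list the same Origin is accepted either way, since it is listed explicitly.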
@jonathan-s
Contributor

@philipdouglas there's possibly some more setup required for caddy
https://caddy.community/t/caddy-behind-a-reverse-proxy-use-wrong-x-forwarded-proto/16487

@philipdouglas

@jonathan-s I'm using nginx. The original poster was using caddy.
