
403 Forbidden due to CSRF failure after configuring Apache #750

Closed
mdekstrand opened this issue Jun 10, 2024 · 2 comments

Comments

@mdekstrand

I am attempting to run Linkding behind an Apache reverse proxy, and the CSRF check is failing:

2024-06-10 14:27:48,035 WARNING Forbidden (Origin checking failed - https://links.ekstrandom.net does not match any trusted origins.): /login/

I have read #340. Using Wireshark (termshark/tshark), I have confirmed that both Host and Origin seem to be set correctly in the request to Linkding:

[-] Hypertext Transfer Protocol
  [+] POST /login/ HTTP/1.1\r\n
      Host: links.ekstrandom.net\r\n [=]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:126.0) Gecko/20100101 Firefox/126.0\r\n
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n
      Accept-Language: en-US,en;q=0.5\r\n
      Accept-Encoding: gzip, deflate, br, zstd\r\n
      Referer: https://links.ekstrandom.net/login/?next=/bookmarks\r\n
      Content-Type: application/x-www-form-urlencoded\r\n
      Origin: https://links.ekstrandom.net\r\n
@sissbruecker
Owner

I'm not sure if Wireshark is the right tool here, you want to check what the header values are when Apache proxies the request to linkding. Looking at the error message something seems to go wrong there. As an alternative, consider configuring https://github.com/sissbruecker/linkding/blob/master/docs/Options.md#ld_csrf_trusted_origins

@mdekstrand
Author

I'm setting trusted origins as a workaround, but the Wireshark log is on the loopback interface, capturing exactly what Apache is sending to Linkding (it was the easiest way I could find to capture that without trying to set up additional proxies).
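
The origin check behind the warning in this thread, as an added example that is not linkding's or Django's own code: it models the two ways Django's CsrfViewMiddleware accepts an Origin header (a match against the scheme and Host the backend itself sees, then a match against the trusted-origin list that LD_CSRF_TRUSTED_ORIGINS feeds, including the `https://*.example.com` wildcard form). The Origin and Host values are the ones captured in the issue; the function names `origin_allowed` and `diagnose` are mine, and whether the backend treats the proxied request as HTTPS (`is_secure`) depends on how the proxy forwards the scheme, which is what Django's SECURE_PROXY_SSL_HEADER setting controls.

```python
from urllib.parse import urlsplit

# Constructed from the request captured in the issue (not linkding's code).
CAPTURED_ORIGIN = "https://links.ekstrandom.net"
CAPTURED_HOST = "links.ekstrandom.net"


def _same_domain(host, pattern):
    """Django-style domain match: a leading dot matches the domain itself
    and any subdomain; otherwise the host must be identical."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def origin_allowed(origin, host, is_secure, trusted_origins=()):
    """Simplified model of the CSRF origin check (hypothetical helper).

    Path 1: Origin equals scheme://host exactly as the backend sees the
            request.  A proxy that forwards plain HTTP without telling the
            backend the client used HTTPS makes this path fail for an
            https:// Origin.
    Path 2: Origin is listed in the trusted origins, either exactly or via a
            '*.' wildcard on the host part (scheme must still match).
    """
    good_origin = f"{'https' if is_secure else 'http'}://{host}"
    if origin == good_origin:
        return True
    req = urlsplit(origin)
    for trusted in trusted_origins:
        t = urlsplit(trusted)
        if t.netloc.startswith("*."):
            # "https://*.example.com" -> scheme "https", pattern ".example.com"
            if req.scheme == t.scheme and _same_domain(req.netloc, t.netloc[1:]):
                return True
        elif origin == trusted:
            return True
    return False


def diagnose(origin, host, is_secure, trusted_origins=()):
    """Explain the verdict in the same terms as the backend's warning line."""
    scheme = "https" if is_secure else "http"
    if origin_allowed(origin, host, is_secure, trusted_origins):
        return f"OK: {origin} accepted"
    return (f"Forbidden: {origin} does not match {scheme}://{host} "
            f"(backend sees {scheme}) and is not in {list(trusted_origins)}")
```

Run `diagnose(CAPTURED_ORIGIN, CAPTURED_HOST, False)` to see the failing case where the backend believes the proxied request arrived over plain HTTP, and pass a trusted-origins list to see which entry rescues it.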
