[GH-ISSUE #1449] Bug: can't set CSRF_TRUSTED_ORIGINS, preventing login when behind a load balancer #3883

Open
opened 2026-03-15 00:50:31 +03:00 by kerem · 4 comments

Originally created by @ethitter on GitHub (Jun 5, 2024).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1449

Describe the bug

We're trying to run ArchiveBox in AWS Fargate, with the container accessed via an AWS ALB. We've set ALLOWED_HOSTS to the default of *, but cannot log in due to the CSRF protection on the login page. With debug enabled, we're stuck at this error:

Forbidden (403)
CSRF verification failed. Request aborted.

Reason given for failure:

    Origin checking failed - https://[REDACTED] does not match any trusted origins.

Per the Django docs, we need to set CSRF_TRUSTED_ORIGINS, but that doesn't seem possible right now.

Steps to reproduce

  1. Run ArchiveBox using the dev image, behind load balancer
  2. Set ALLOWED_HOSTS envar to *
  3. Attempt to log in

Screenshots or log output

ArchiveBox version

# archivebox version
0.8.1
ArchiveBox v0.8.1 COMMIT_HASH=ba14ee0 BUILD_TIME=2024-06-04 11:21:00 1717500060
IN_DOCKER=True IN_QEMU=False ARCH=x86_64 OS=Linux PLATFORM=Linux-5.10.216-204.855.amzn2.x86_64-x86_64-with-glibc2.36 PYTHON=Cpython
FS_ATOMIC=True FS_REMOTE=True FS_USER=0:0 FS_PERMS=644
DEBUG=True IS_TTY=True TZ=UTC SEARCH_BACKEND=ripgrep LDAP=False

[i] Dependency versions:
 √  PYTHON_BINARY         v3.11.9         valid     /usr/local/bin/python3.11
 √  SQLITE_BINARY         v2.6.0          valid     /usr/local/lib/python3.11/sqlite3/dbapi2.py
 √  DJANGO_BINARY         v5.0.6          valid     /usr/local/lib/python3.11/site-packages/django/__init__.py
 √  ARCHIVEBOX_BINARY     v0.8.1          valid     /usr/local/bin/archivebox

 √  CURL_BINARY           v8.8.0          valid     /usr/bin/curl
 √  WGET_BINARY           v1.21.3         valid     /usr/bin/wget
 √  NODE_BINARY           v20.14.0        valid     /usr/bin/node
 √  SINGLEFILE_BINARY     v1.1.54         valid     /app/node_modules/single-file-cli/single-file
 √  READABILITY_BINARY    v0.0.11         valid     /app/node_modules/readability-extractor/readability-extractor
 √  MERCURY_BINARY        v1.0.0          valid     /app/node_modules/@postlight/parser/cli.js
 √  GIT_BINARY            v2.39.2         valid     /usr/bin/git
 √  YOUTUBEDL_BINARY      v2024.05.27     valid     /usr/local/bin/yt-dlp
 √  CHROME_BINARY         v125.0.6422.26  valid     /usr/bin/chromium-browser
 √  RIPGREP_BINARY        v13.0.0         valid     /usr/bin/rg

[i] Source-code locations:
 √  PACKAGE_DIR           31 files        valid     /app/archivebox
 √  TEMPLATES_DIR         3 files         valid     /app/archivebox/templates

[i] Data locations:
 √  OUTPUT_DIR            6 files @       valid     /data
 √  CONFIG_FILE           375.0 Bytes     valid     ./ArchiveBox.conf
 √  SQL_INDEX             328.0 KB        valid     ./index.sqlite3
 √  ARCHIVE_DIR           0 files         valid     ./archive
 √  SOURCES_DIR           0 files         valid     ./sources
 √  LOGS_DIR              1 files         valid     ./logs
 X  CACHE_DIR             missing         invalid   ./cache
 X  CUSTOM_TEMPLATES_DIR  missing         invalid   ./templates
 X  PERSONAS_DIR          missing         invalid   ./personas

@dotfrankruan commented on GitHub (Jun 9, 2024):

Same problem here

archivebox-1  | "GET /admin/login/ HTTP/1.0" 200 12531
archivebox-1  | Forbidden (Origin checking failed - https://xxxxxxxx does not match any trusted origins.): /admin/login/
archivebox-1  | "POST /admin/login/ HTTP/1.0" 403 1018

@carsaig commented on GitHub (Jun 11, 2024):

same issue here. Any suggestions? Pulled it up on two different hosts. No success.


@lkubb commented on GitHub (Jun 11, 2024):

> same issue here. Any suggestions?

This can be worked around either via https://github.com/ArchiveBox/ArchiveBox/pull/866#issuecomment-2158201512 or by mounting a modified https://github.com/ArchiveBox/ArchiveBox/blob/dev/archivebox/core/settings.py that includes the necessary CSRF_TRUSTED_ORIGINS = ["https://my.archivebox.domain"] over the original inside the container at /app/archivebox/core/settings.py


@nguyenmp commented on GitHub (Oct 21, 2024):

FYI, the environment variable CSRF_TRUSTED_ORIGINS overrides anything in settings.py so when I copied the example docker compose file from the repo (https://github.com/ArchiveBox/ArchiveBox/blob/dev/docker-compose.yml#L24), it carried CSRF_TRUSTED_ORIGINS=https://archivebox.example.com with it. I was able to figure it out by going to http://localhost:8000/admin/environment/config/ and reading the actual value set.

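The rejection in the report, the settings.py workaround from @lkubb and the environment-variable precedence noted by @nguyenmp all come down to how Django decides whether a POST's Origin header is acceptable. The following is an added example, not code from ArchiveBox or Django: it re-implements the matching rules of Django's CSRF origin check (django.middleware.csrf, Django 4.0 and later) in plain Python so the scenario from this thread can be run offline. The host names are constructed, and the comma-separated parsing of the CSRF_TRUSTED_ORIGINS environment value is this example's assumption, not a documented ArchiveBox format.

```python
"""Model of Django's CSRF Origin check, applied to the load-balancer case.

Added example; the rules below are re-implemented from Django's
_origin_verified() so they run without a Django install. Host names are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Request:
    host: str        # what Django's request.get_host() would return
    is_secure: bool  # True only if Django itself sees TLS (or trusts SECURE_PROXY_SSL_HEADER)
    origin: str      # the browser's Origin header on the login POST


def _is_same_domain(host: str, pattern: str) -> bool:
    # Mirrors django.http.request.is_same_domain: a leading "." matches the
    # bare domain and any subdomain; otherwise only an exact match counts.
    host, pattern = host.lower(), pattern.lower()
    if not pattern:
        return False
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def origin_verified(request: Request, trusted_origins: list) -> bool:
    """Return True if this Origin would pass Django's CSRF origin check."""
    # 1. Same origin as the URL Django believes it is serving. Behind a
    #    TLS-terminating ALB that forwards plain HTTP this is http://host,
    #    which can never equal the browser's https://host Origin.
    own_origin = f"{'https' if request.is_secure else 'http'}://{request.host}"
    if request.origin == own_origin:
        return True
    # 2. Exact match against CSRF_TRUSTED_ORIGINS entries without a wildcard.
    exact = {o for o in trusted_origins if "*" not in o}
    if request.origin in exact:
        return True
    # 3. Wildcard entries such as https://*.example.com: scheme must match,
    #    the netloc may be the domain itself or any subdomain of it.
    subdomains = {}
    for o in trusted_origins:
        if "*" in o:
            parsed = urlparse(o)
            subdomains.setdefault(parsed.scheme, []).append(parsed.netloc.lstrip("*"))
    try:
        parsed_origin = urlparse(request.origin)
    except ValueError:
        return False
    return any(
        _is_same_domain(parsed_origin.netloc, pattern)
        for pattern in subdomains.get(parsed_origin.scheme, ())
    )


def effective_trusted_origins(env_value: Optional[str], settings_value: list) -> list:
    """Environment value wins over settings.py, as @nguyenmp observed.

    Splitting the environment value on commas is an assumption of this
    example, not a documented ArchiveBox parsing rule.
    """
    if env_value:
        return [o.strip() for o in env_value.split(",") if o.strip()]
    return settings_value


def behind_alb_scenarios() -> dict:
    # Constructed scenario matching the report: the ALB terminates TLS and
    # forwards plain HTTP/1.0, so Django sees an http:// origin of its own
    # while the browser sends Origin: https://archive.example.com.
    req = Request(host="archive.example.com", is_secure=False,
                  origin="https://archive.example.com")
    via_trusted_proxy_header = Request(host="archive.example.com", is_secure=True,
                                       origin="https://archive.example.com")
    return {
        # The 403 from the report: nothing trusted, schemes disagree.
        "no_trusted_origins": origin_verified(req, []),
        # @lkubb's workaround: the exact https origin listed.
        "exact_trusted_origin": origin_verified(req, ["https://archive.example.com"]),
        # Wildcard form covers the domain and every subdomain.
        "wildcard_trusted_origin": origin_verified(req, ["https://*.example.com"]),
        # Listing the http:// form does not help; the Origin header says https.
        "wrong_scheme_in_setting": origin_verified(req, ["http://archive.example.com"]),
        # If Django is configured to trust the proxy's forwarded-proto header,
        # the same-origin branch passes without any trusted-origins entry.
        "proxy_header_trusted": origin_verified(via_trusted_proxy_header, []),
        # @nguyenmp's trap: the docker-compose default in the environment
        # silently replaces the value written into settings.py.
        "env_overrides_settings": origin_verified(
            req,
            effective_trusted_origins("https://archivebox.example.com",
                                      ["https://archive.example.com"]),
        ),
    }


if __name__ == "__main__":
    for name, ok in behind_alb_scenarios().items():
        print(f"{name:26s} {'accepted' if ok else 'REJECTED (403)'}")
```

The useful check when debugging this 403 is the one @nguyenmp describes: read the effective value of CSRF_TRUSTED_ORIGINS from the running instance rather than from the file you edited, because the scheme and host in that list must match the browser's Origin header exactly (or via a wildcard on the same scheme), and an environment default copied from docker-compose.yml will replace whatever settings.py says.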