[GH-ISSUE #640] Origin checking failed error #463

Closed
opened 2026-02-25 23:42:33 +03:00 by kerem · 4 comments

Originally created by @nathanielread on GitHub (Apr 21, 2022).
Original GitHub issue: https://github.com/healthchecks/healthchecks/issues/640

Receiving this error in the logs:

```
Forbidden (Origin checking failed - https://example.com does not match any trusted origins.)
```

Running under docker-compose, using traefik as a reverse proxy and keycloak/gatekeeper as SSO. Existing postgres instance not shown below.
Using the REMOTE_USER_HEADER functionality to login, which works.

To get around the error, I had to add this line:

```python
CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS", "*").split(",")
```

in this file:
./hc/settings.py

And then I added the following env variable to the docker compose below:
CSRF_TRUSTED_ORIGINS

Was there a better way to get around that error?


```yaml
  healthchecks:
    container_name: healthchecks
    build:
        context: $DOCKERDIR/appdata/healthchecks
        dockerfile: $DOCKERDIR/appdata/healthchecks/docker/Dockerfile
    command: bash -c 'while !</dev/tcp/postgres/5432; do sleep 1; done; uwsgi /opt/healthchecks/docker/uwsgi.ini'
    image: healthchecks:local
    restart: always
    networks:
      - t2_proxy
    environment:
      - DEFAULT_FROM_EMAIL=$FROM_EMAIL
      - EMAIL_HOST=$MAILJET_SMTP_SERVER
      - EMAIL_HOST_USER=$MAILJET_USERNAME
      - EMAIL_HOST_PASSWORD=$MAILJET_PASSWORD
      - SECRET_KEY=$HEALTHCHECKS_SECRET_KEY
      - REMOTE_USER_HEADER=HTTP_X_AUTH_EMAIL
      - REMOTE_USER_HEADER_TYPE=EMAIL
      - DB=postgres
      - DB_HOST=$POSTGRES_IP
      - DB_NAME=healthchecks
      - DB_PORT=5432
      - DB_USER=$HEALTHCHECKS_DB_USERNAME
      - DB_PASSWORD=$HEALTHCHECKS_DB_PASSWORD
      - ALLOWED_HOSTS=healthchecks,localhost,healthchecks.$DOMAINNAME,$DOMAINNAME
      - CSRF_TRUSTED_ORIGINS=https://healthchecks.$DOMAINNAME
      - SITE_ROOT=https://healthchecks.$DOMAINNAME

  gatekeeper_healthchecks:
    image: quay.io/gogatekeeper/gatekeeper:1.3.8
    restart: always
    container_name: gatekeeper_healthchecks
    command: --resources $GATEKEEPER_INTERNAL
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges:true
    entrypoint:
      - /opt/gatekeeper/gatekeeper
    environment:
      - PROXY_DISCOVERY_URL=$DISCOVERY_URL
      - PROXY_CLIENT_ID=$HEALTHCHECKS_CLIENT_ID
      - PROXY_CLIENT_SECRET=$HEALTHCHECKS_CLIENT_SECRET
      - PROXY_ENCRYPTION_KEY=$HEALTHCHECKS_ENCRYPTION_KEY
      - PROXY_LISTEN=:3000
      - PROXY_ENABLE_REFRESH_TOKEN=true
      - PROXY_UPSTREAM_URL=http://healthchecks:8000
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.healthchecks-gate.entrypoints=https"
      - "traefik.http.routers.healthchecks-gate.rule=Host(`healthchecks.$DOMAINNAME`)"
      - "traefik.http.routers.healthchecks-gate.tls=true"
      - "traefik.http.routers.healthchecks-gate.tls.certresolver=dns-cloudflare"
      ## HTTP Services
      - "traefik.http.routers.healthchecks-gate.service=healthchecks-gatesvc"
      - "traefik.http.services.healthchecks-gatesvc.loadbalancer.server.port=3000"
      ## Flame
      - flame.type=application
      - flame.name=Healthchecks
      - flame.url=https://healthchecks.$DOMAINNAME
      - flame.icon=space-station
```

Also, I added this to the uwsgi.ini to fix issues with SSO redirects:

```ini
buffer-size = 32768
```
kerem closed this issue 2026-02-25 23:42:33 +03:00

@cuu508 commented on GitHub (Apr 22, 2022):

I'm not sure if this is the same issue, but seems similar: https://github.com/healthchecks/healthchecks/pull/597

I'd check if Traefik passes X-Forwarded-Proto header to uwsgi.


@nathanielread commented on GitHub (Apr 22, 2022):

Thanks. I'll take a look.


@Spaider commented on GitHub (Mar 2, 2024):

Sorry to bring this up again. I'm using `nginx`, set `x-forwarded-proto` header correctly (checked by `tcpdump`) but still see this error. I am using the most recent docker image as is (sha256 is 6579f0bb...).

Below is my nginx config:

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name health-check.domain.tld;

    location / {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8000;
    }
}
```

@Spaider commented on GitHub (Mar 3, 2024):

Please never mind.
The full gentleman set of headers solved the problem:

```nginx
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
```
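The failures in the opening post and in the nginx comment above have the same root cause, which the following added model makes visible. It is an illustration written for this thread, not Django's or Healthchecks' code: a simplified version of the CSRF origin check Django runs on unsafe requests (POST and friends). Django compares the browser's `Origin` header against the origin it reconstructs from the request (`request.scheme` plus the `Host` header) and against `CSRF_TRUSTED_ORIGINS`, where since Django 4.0 each entry must carry a scheme and the only wildcard form is a `*.` subdomain prefix, so a bare `*` trusts nothing. If the proxy forwards the request but not `X-Forwarded-Proto` (or rewrites `Host` to the upstream address), the reconstructed origin is `http://...` or `https://localhost:8000` and the comparison fails even though the user really came from `https://example.com`. The hostnames and the `SECURE_PROXY_SSL_HEADER` setting below are assumptions made for the example.

```python
"""Simplified model of Django's CSRF origin check (added illustration, not
Django's or Healthchecks' own code), showing why a reverse proxy that drops
X-Forwarded-Proto or Host produces "Origin checking failed"."""
from urllib.parse import urlsplit

# Assumed setting: the app trusts the proxy's scheme header only when this is set.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(meta: dict) -> str:
    """Scheme the app believes the request used (mirrors request.scheme)."""
    header, value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == value:
        return "https"
    return "https" if meta.get("wsgi.url_scheme") == "https" else "http"


def origin_allowed(meta: dict, trusted_origins: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's WSGI environ `meta`."""
    origin = meta.get("HTTP_ORIGIN")
    if origin is None:
        return False, "no Origin header"
    good_origin = f"{request_scheme(meta)}://{meta['HTTP_HOST']}"
    if origin == good_origin:
        return True, "same origin as the request"
    if origin in trusted_origins:
        return True, "listed exactly in CSRF_TRUSTED_ORIGINS"
    o = urlsplit(origin)
    for trusted in trusted_origins:
        t = urlsplit(trusted)
        # Wildcard entries such as https://*.example.com cover subdomains only.
        if t.scheme == o.scheme and t.netloc.startswith("*.") and o.netloc.endswith(t.netloc[1:]):
            return True, f"matches wildcard entry {trusted}"
    return False, f"{origin} does not match {good_origin} or any trusted origin"


# Constructed requests: the same browser POST as the app sees it behind the
# proxy, with different header sets forwarded. "example.com" is a placeholder.
BASE = {"HTTP_ORIGIN": "https://example.com", "wsgi.url_scheme": "http"}

# Proxy keeps Host but drops X-Forwarded-Proto (the situation in the issue).
NO_PROTO = {**BASE, "HTTP_HOST": "example.com"}
# Proxy forwards X-Forwarded-Proto but rewrites Host to the upstream address.
NO_HOST = {**BASE, "HTTP_HOST": "localhost:8000", "HTTP_X_FORWARDED_PROTO": "https"}
# Proxy forwards both (the full header set from the last comment).
FULL = {**BASE, "HTTP_HOST": "example.com", "HTTP_X_FORWARDED_PROTO": "https"}


def scenarios() -> dict[str, tuple[bool, str]]:
    """Evaluate each forwarded-header combination and the settings workaround."""
    return {
        "no_proto": origin_allowed(NO_PROTO, []),
        "no_host": origin_allowed(NO_HOST, []),
        "full_headers": origin_allowed(FULL, []),
        # The workaround from the issue: trust the public origin explicitly.
        "no_proto_trusted": origin_allowed(NO_PROTO, ["https://example.com"]),
        # "*" is a plain string here, not a wildcard, so it trusts nothing.
        "no_proto_star": origin_allowed(NO_PROTO, ["*"]),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:18} {'allowed' if ok else 'FORBIDDEN':9} {why}")
```

Running it shows `no_proto` and `no_host` rejected with the reconstructed origin in the reason, `full_headers` accepted as same-origin, and the explicit `CSRF_TRUSTED_ORIGINS` entry accepted while the `*` default is not. Forwarding the headers is the cleaner fix because it also keeps `request.is_secure()`, absolute redirect URLs and secure-cookie handling correct, whereas trusting the origin only papers over the scheme mismatch.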