Hi, we have a forum instance running for Chinese users, 1 out of 4 users is having trouble registering or loginin, instead of seeing the red error prompt box on that page, they got redirected to a plain text page showing "Forbidden", even after cleaning their cookies, this happens on varies browsers including chrome, edge, ie, also some Chinese browser such as UC. I've searched through the forum and tried any config but no luck. Please give advice.
Below are the setup and config files I have
Ubuntu 16.10
Nodebb version 1.5.1
Mongodb 2.6.11
Nginx 1.12.0
Nginx config
server {
listen 80;
server_name www.moefi.com;
return 302 https://$server_name$request_uri;
}
### the https server
server {
# listen on ssl, deliver with speedy if possible
listen 443 ssl spdy;
server_name www.moefi.com;
# change these paths!
ssl_certificate /etc/some.pem;
ssl_certificate_key /etc/some.key;
# enables all versions of TLS, but not SSLv2 or 3 which are weak and now
deprecated.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# disables all weak ciphers
ssl_ciphers 'AES128+EECDH:AES128+EDH';
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:4567;
proxy_redirect off;
# Socket.IO Support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Nodebb config
{
"url": "http://www.moefi.com",
"secret": "secret",
"database": "mongo",
"port": 4567,
"mongo": {
"host": "127.0.0.1",
"port": "27017",
"username": "something",
"password": "something",
"database": "nodebb"
}
}
Error
20/6 09:47:18 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
20/6 18:14:28 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 06:31:10 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:31:13 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:31:23 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:31:33 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:31:48 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:31:52 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:32:11 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 06:33:34 [6838] - ^[[31merror^[[39m: /login
invalid csrf token 21/6 08:45:27 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 10:25:07 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 11:17:21 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:19:13 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:21:10 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:27:41 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:28:35 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:47:46 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
21/6 11:48:58 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 11:49:09 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 11:49:57 [6838] - ^[[31merror^[[39m: /login
invalid csrf token
21/6 11:54:16 [6838] - ^[[31merror^[[39m: /register
invalid csrf token
It looks like your config.json url is incorrect. You have ssl configured, so it should be https://www.moefi.com
@yariplus The issue still presents after changing the settings...could you advice where I can put some print statement so that there will be more information to find the exact issue?
23/6 10:11:20 [3644] - ^[[32minfo^[[39m: NodeBB is now listening on: 0.0.0.0:4567
23/6 12:40:34 [3644] - ^[[31merror^[[39m: /login invalid csrf token
23/6 12:40:43 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 12:40:54 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 12:41:01 [3644] - ^[[31merror^[[39m: /login invalid csrf token
23/6 12:41:17 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 12:41:26 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 12:43:14 [3644] - ^[[31merror^[[39m: /login
invalid csrf token 23/6 17:32:37 [3644] - ^[[31merror^[[39m: /login
invalid csrf token 23/6 17:33:46 [3644] - ^[[31merror^[[39m: /login
23/6 17:33:46 [3644] - ^[[31merror^[[39m: /login invalid csrf token
23/6 17:34:09 [3644] - ^[[31merror^[[39m: /login invalid csrf token
23/6 17:34:24 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 17:34:34 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
23/6 17:34:53 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 01:33:46 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 01:33:55 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 01:34:34 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 01:34:36 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 01:35:32 [3644] - ^[[31merror^[[39m: /login
invalid csrf token
24/6 05:42:10 [3644] - ^[[31merror^[[39m: /register
invalid csrf token
24/6 07:55:34 [3644] - ^[[31merror^[[39m: /register
invalid csrf token
24/6 09:27:22 [3644] - ^[[31merror^[[39m: /register
invalid csrf token
24/6 09:27:48 [3644] - ^[[31merror^[[39m: /register
invalid csrf token
24/6 09:35:00 [3644] - ^[[31merror^[[39m: /register
invalid csrf token
@baris Hi, users were seeing a "Forbidden" plain text page while log shows "invalid csrf token".
Actually I think this could be the issue, I just reproduced the error with JavaScript turned off in Chrome...the "no script" warning template is not using translation syntax, which is something could be easily fixed.
Thank you so much baris! I've been scratching my head to reproduce the issue, just didn't really come to me that someone would have js turned off in their browser...(and geez there are quite a lot of them)
Nginx default config:
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name domain.com www.domain.com;
return 301 https://$server_name$request_uri;
}
NodeBB config.json
{
"url": "https://domain.com",
"secret": "your_secret",
"bindaddress": "localhost",
"port": "4567",
"use_port":false,
"database": "mongo",
"mongo": {
"host": "127.0.0.1",
"port": "27017",
"username": "nodebb",
"password": "your_mongo_pwd",
"database": "nodebb"
}
}
Note: clone stable branch of NodeBB for deployment.
@hariom-vashisth thanks for reply, I will try your settings
@genesisx said in Excessive "invalid csrf token" on Login and Register:
@baris Hi, users were seeing a "Forbidden" plain text page while log shows "invalid csrf token".
Actually I think this could be the issue, I just reproduced the error with JavaScript turned off in Chrome...the "no script" warning template is not using translation syntax, which is something could be easily fixed.
Thank you so much baris! I've been scratching my head to reproduce the issue, just didn't really come to me that someone would have js turned off in their browser...(and geez there are quite a lot of them)
@baris not so easy I guess...some users with js turned on still seeing the "Forbidden" page upon registration, I will need to get a hold on someone who can reproduce the error and report on this. It's just so abnormally often that I start to suspect it could be GFW..
@baris @genesisx
It's seemed nginx to be blamed.
nginx config
server {
server_name balabala.com;
balabala
balbalba
}
If url of Nodebb config is set to your server ip
"url": "http://111.111.111.111",
and nginx conf stay the same.
Visit http://111.111.111.111, everything works well.
However, if url of Nodebb config is set to your domian
"url": "http://balabala.com",
and nginx conf stay the same.
Visit http://balabala.com, then "forbidden" comes out when register, "invalid csrf token" in ACP log.
