Setting Up Zammad with Caddy: Avoiding CSRF Token Errors - My Learnings
Can’t Login Because of CSRF Token Errors?
When I recently set up Zammad (this time with version 6.3.1) behind a Caddy reverse proxy (v2.7.6), I ran into a frustrating issue. Every time I tried to log in through Caddy, I got the “CSRF verification failed” error. Strangely, logging in directly within the internal network (bypassing Caddy) worked just fine. After a lot of headaches, I discovered the fix and want to share my learnings to save you from the same pain.
Essential Caddy Configuration
To resolve the CSRF token errors and ensure everything works smoothly, you need to include the following configuration in your Caddyfile:
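The Caddyfile block itself did not survive in this copy of the post. As an added example (not the author's configuration), here is a minimal Caddy v2 site block that forwards both headers to Zammad; the hostname `zammad.example.com` and the upstream address `zammad-nginx:8080` are assumed placeholders. Note that Caddy's `reverse_proxy` already sets `X-Forwarded-Proto` by default, so `X-Forwarded-Ssl` is usually the one that has to be added explicitly; setting both is harmless.

```caddyfile
# Added example, not the author's original Caddyfile.
# zammad.example.com and zammad-nginx:8080 are placeholders: replace them with
# your public hostname and the address of the Zammad web container.
zammad.example.com {
    # Caddy terminates TLS here, so Zammad only ever sees plain HTTP and must
    # be told that the original client request was made over HTTPS.
    reverse_proxy zammad-nginx:8080 {
        # {scheme} expands to "https" when the client connected over TLS
        header_up X-Forwarded-Proto {scheme}
        # Zammad also looks at X-Forwarded-Ssl; without it the login through
        # the proxy fails with "CSRF verification failed"
        header_up X-Forwarded-Ssl on
    }
}
```

Keep the Zammad port reachable only from Caddy (for example on an internal Docker network), so these headers are always set by the proxy and never supplied by an external client.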
Key Headers
X-Forwarded-Proto: This header tells Zammad whether the original request was made over HTTP or HTTPS. Without it, Zammad can’t properly handle the request protocol, leading to CSRF verification issues.
X-Forwarded-Ssl: This header indicates that the original request used HTTPS, ensuring secure request handling.
This is hinted at officially in the docs: Docker Environment Variables — Zammad System Documentation
Why These Headers Matter
Adding these headers is crucial for Zammad to understand the nature of incoming requests correctly. If you leave them out, you’ll likely face CSRF token errors and won’t be able to log in through the reverse proxy.
My conclusion
These headers aren’t just a nice-to-have—they’re essential. Once I added them, the CSRF token errors disappeared, and logging in through Caddy worked flawlessly.
For a complete guide on setting up Zammad with Docker Compose, check out the official Zammad Installation Guide.
By sharing these key learnings, I hope to spare you the frustration I went through and help you get your Zammad setup running smoothly with Caddy. Happy ticketing!